• Stars
    star
    156
  • Rank 239,589 (Top 5 %)
  • Language
    Shell
  • License
    Other
  • Created over 11 years ago
  • Updated almost 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Leak Protection (Fail Safe Mechanism) for (Open)VPN

Why

If you simply add a VPN using common instructions, it generally fails open. That means, if the VPN breaks down, because the connection is interrupted, traffic will be send without the VPN.

It's much safer when it fails closed, i.e. when the VPN connection breaks down, the whole internet connection must be down as long as the VPN connection isn't restored.

What does it do

  • Forbid outgoing traffic after the VPN / tunnel software broke down for some reason.
  • Tight firewall rules, using iptables policy drop.
  • Defeat shared VPN/Tor server leak bug.
  • Only tested with OpenVPN. Should work with other VPN and tunnel clients such as PPTP in theory, you should test if it does what it claims anyway.
  • Only tested on Debian Stretch and Qubes. Should work in many Linux distribution supporting netfilter-persistent in theory.
  • You should test if it does what it claims.
  • Open Source / Free Software

What does it NOT do

  • Care about DNS leaks. Consult your VPN software's/provider's documentation and configure /etc/resolv.conf to use the DNS server of your VPN server.
  • Block WebRTC leaks. [1]
  • Defend against IP leaks. If a locally installed application uses trickery to obtain the the users real IP and sends it somewhere though the VPN. [1]
  • Defend against adversaries, which are in position to run code locally, i.e. manipulate the firewall rules.
  • Prevent any other kind trickery to circumvent using the VPN.
  • Prevent leaks caused by bugs in the VPN software.
  • Be compatible with Whonix-Gateway/Workstation. (VPN-Firewall is incompatible with Whonix-Gateway/Workstation's firewall! Use Whonix documentation and use their built-in features.)
  • Manage IPv6 traffic. IPv6 traffic is blocked.
  • Install (Open)VPN.
  • Configure (Open)VPN.
  • Autostart (Open)VPN.
  • Anything else not mentioned above in "What does it do".

[1] This probably does not apply to VMs / computers behind a VPN-Gateway (when using the #Forwarding feature).

How to Use

See:

https://www.whonix.org/wiki/VPN-Firewall#How_to_use_VPN-Firewall

Alternatives

  • One could play with the linux equivalent of the route command.
  • Hardening your VPN Setup with iptables
  • VPNCheck - No source code. Nice looking user interface.
  • VPNetMon - No source code. Windows only. Checks every, let's say 500 ms, if the VPN IP is still valid, if not, kill a list of applications. This is not very secure, it's a game if that time period is sufficient to stop a leak and if killing the applications is fast enough. Nice looking user interface.
  • OPENVPN Watchdog - No source code. Windows only. Nice looking user interface.
  • VPN Lifeguard supports PPTP and IPSec, not OpenVPN. Windows only. Nice looking user interface.
  • ForceBindIP - Bind any Windows application to a specific interface. No source code. Windows only.
  • Some individual VPN services distribute closed source applications with vendor lock in. Nice looking user interfaces.
  • One could tighten the firewall rules even more, by creating a dedicated user account for (Open)VPN, allow only the (Open)VPN process to connect to the VPN server. (VPN-Firewall lets all processes connect to the VPN IP, not only (Open)VPN. However, the setup would become more difficult, it may require modifying the OpenVPN init script.)
  • Much safer would be, if one would build something similar to Whonix. Very briefly, while Whonix uses Tor and consists of a Gateway and a Workstation, since the Workstation doesn't know it's own external IP, the Workstation can never leak it and never connect in the clear. One could create similarly a VPNBOX.
  • Windows Firewall. Windows only.
  • IP Security Policies. Windows only.

Forks, Patches, Testers, Comments, etc.

Welcome.

Author

License

GPLv3+

More Repositories

1

tor-ctrl

Tor control port command line tool
Shell
8
star
2

tbb-scripts

Alternative startup scripts for the Tor Browser Bundle. For starting up Tor Browser without Tor and Vidalia, transparent proxying, etc...
Shell
6
star
3

qubes-remote-support

Shell
6
star
4

PasswordTrainer

PasswordTrainer can help remembering new and existing passwords. Should run on any GNU/Linux distribution. Depends on bash and zenity. Small source code. Bash script. Nothing compiled. Easy to verify.
Shell
5
star
5

Whonix-documentation

Whonix Documentation (old sourceforge.net)
Python
3
star
6

aeternity-wiki

2
star
7

Whonix-I2P

Whonix I2P Integration
2
star
8

whonixcheck

Anonymity and security check - https://www.whonix.org/wiki/whonixcheck
Shell
1
star
9

whonix-ws-firewall

Whonix-Workstation's Firewall. This is a second, extra firewall for Whonix-Workstation. Experts should read the design notes in man whonix_firewall and make an informed decision.
Makefile
1
star
10

nothing-to-see

Temporary Git Tags for Whonix
Shell
1
star
11

whonix-gw-desktop-shortcuts

Desktop Icons for Whonix-Gateway
Makefile
1
star
12

menu

https://anonscm.debian.org/git/menu/menu.git - Patches Only
C++
1
star
13

whonix-firewall

Whonix Firewall
Shell
1
star
14

curl-scripts

Scripts for curl - Progress bar and to convert curl exit codes to status messages.
Shell
1
star
15

timer-entropyd

Feeds /dev/random with entropy-data read from timers. | original author: Folkert van Heusden @flok99 | source: https://www.vanheusden.com/te/ / https://www.vanheusden.com/te/timer_entropyd-0.3.tgz | Added to github better publication and readability.
C
1
star
16

gpg-key-creation-test

Shell
1
star
17

minimal-grml-debootstrap-test

Shell
1
star
18

anon-meta-packages

Meta Packages for Anonymity Distributions - Selections of packages required/recommended to have installed on Anonymity Distributions.
Shell
1
star
19

grml-debootstraptest

Shell
1
star
20

popcon-benchmark

Shell
1
star
21

remote-support

Remote Support with NAT Traversal. Using OpenVPN for connection security. Xpra as VNC alternative. Using nat-traverse for NAT Hole Punching. UDP required. Over clearnet.
Shell
1
star
22

timeprivacy

Shell
1
star
23

Inoffical-TBB-AppArmor

Inoffical Tor Browser Bundle (TBB) AppArmor Profile
1
star
24

onion-grater

Whitelisting filter for dangerous Tor control protocol commands - https://www.whonix.org/wiki/Dev/CPFP - For example it allows using Tor Browser's New Identity feature on Anonymity Distribution Workstations, fixes Tor Browser's about:tor default homepage and Tor Button status indicator without exposing commands that are dangerous for anonymity.
Python
1
star