
Guide (Beginner): OpenVPN firewall kill switch

derpOmattic

Pop!_Muse
Trusted User
Founding Member
Nov 23, 2018
It was extremely frustrating to find that the wireless on my new HP laptop kept dropping OpenVPN connections while the hard wire would not. I formatted the drive and installed the latest Pop!_OS ISO, which is usually a good way to avoid problems. Being relatively new to Linux, I wasn't sure if the problem was Pop!_OS specific or caused by the machine's hardware. It's advisable to investigate the cause of drop outs and fix them if you can, but the cause of OpenVPN drop outs is irrelevant because the result is the same: your connection becomes unencrypted, which compromises your security, and your real IP is exposed, which compromises your privacy. It's possible for one of your VPN provider's servers to experience an outage, and unless you're using their client with a kill switch, it will expose your true IP. Unless you prevent the network from connecting when your VPN goes down, that will be inevitable. I've found a simple solution that prevents the drop outs by 99%, and in the rare instance it happens, keeps me secure.

There are many ways of managing networks and firewalls. I've read plenty of advice and tutorials on configuring firewalls and creating kill switches, but the following advice is by far the simplest I have encountered without using a VPN provider's client. I have my OpenVPN configurations installed via Network Manager on Pop!_OS because it's simple, native and open source. You will need to install the package that lets GNOME's Network Manager run OpenVPN configs. This can be done by running sudo apt install network-manager-openvpn-gnome in Terminal.

We are utilising Pop's native firewall, ufw, which stands for "Uncomplicated FireWall". This guide is at new-user level, and although you can find a few similar versions online, this one doesn't involve mucking with iptables, ports or specifying IPs, which is great if you change your config often. However, I encourage you to learn further and do better.

First we need to check that your VPN connection is the default route while it is connected. An easy way to do this is to run ip route in Terminal. If your VPN connection is established, it should be the first line of output and be over tun0. If not, you have a problem and should sort it out. If the default is tun0, then continue.

The first step to creating the kill switch is to open your editor of choice. I'm suggesting nano as it's beginner friendly. So open Terminal (press super + t); you need to create the following file in your home folder. Unless you have modified Terminal's default behavior, a new Terminal window will already be at your home folder, so just type nano. The editor will open; enter the following:
Code:
#!/bin/bash
# firewall.sh: the kill switch. Wipe any existing ufw rules, block all
# traffic in and out by default, then allow outbound traffic only over the
# VPN tunnel interface (tun0). ufw will prompt for confirmation on reset/enable.
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable
To name it press ctrl + o. Call it firewall.sh. Just start typing and the name will appear just above all the options at the bottom. Press enter to confirm. Press ctrl + x to exit nano.

Now the second step. In Terminal, type nano again and enter the following:

Code:
#!/bin/bash
# unfirewall.sh: release the kill switch so the physical interface can connect
# again. Wipe the rules, keep inbound blocked, allow all outbound traffic.
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
To name it press ctrl + o. Call it unfirewall.sh. Follow the rest of the steps above.

OK, nearly there! We now have to make them executable, so type the following in Terminal:

chmod +x firewall.sh unfirewall.sh

Do a network restart by running sudo systemctl restart networking in Terminal. Also run sudo systemctl restart NetworkManager for good measure.

I find I have better control of my OpenVPN connections if I manually connect after boot, so I don't allow the wired or wireless connections to auto-start. I have unchecked those options in Network Manager.

In order to make any network connections now, you'll need to run ./unfirewall.sh. It will prompt you for your password; enter it and confirm the choice. Now you can connect to your network, and when the VPN is established you can start the kill switch by typing ./firewall.sh in Terminal. It will ask you to confirm the choice.

There you have it! This simple firewall kill switch works great for me on Pop!_OS. I've seen more complex versions of this to accommodate quirks and differences in OS and VPN provider, so you may have to research a little if it doesn't work at first. Remember, whenever the network has been disconnected for any reason, you'll have to run ./unfirewall.sh before you can establish it again.

Additionally, once you have run both ./unfirewall.sh and ./firewall.sh in Terminal, you can easily recall them with the up and down arrow keys because they will be saved in Bash history.
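As an added example (not the post's own scripts), the two scripts above folded into one: the "arm" step applies the firewall.sh rules only after the ip route check from the start of the guide passes, "disarm" applies the unfirewall.sh rules, and "verify" reads ufw status verbose back to confirm the locked-down state. It assumes tun0 is the VPN interface, as in the post, and uses ufw's --force flag in place of the yes/no prompts the post describes.

```shell
#!/bin/bash
# Added example, not the post's own scripts: "arm" applies the post's firewall.sh
# rules only after the post's `ip route` check passes, "disarm" applies the
# unfirewall.sh rules, "verify" reads `ufw status verbose` back. tun0 is assumed
# to be the VPN interface (override with VPN_IF=...).
set -eu
VPN_IF="${VPN_IF:-tun0}"

# Print the interface of the first "default" route read on stdin (the output of
# `ip route`); fail if there is none.
default_iface() {
    local dev
    dev=$(awk '$1 == "default" { for (i = 2; i <= NF; i++)
                                   if ($i == "dev") { print $(i + 1); exit } }')
    [ -n "$dev" ] && printf '%s\n' "$dev"
}
# Succeed only when that default route is over the VPN interface.
vpn_is_default() {
    local dev; dev=$(default_iface) || return 1
    [ "$dev" = "$VPN_IF" ]
}
# Succeed only when a `ufw status verbose` transcript on stdin shows the armed
# state: active, deny in both directions, outbound allowed on $VPN_IF.
killswitch_armed() {
    local st; st=$(cat)
    printf '%s\n' "$st" | grep -q '^Status: active' &&
    printf '%s\n' "$st" | grep -q '^Default: deny (incoming), deny (outgoing)' &&
    printf '%s\n' "$st" | grep -q "^Anywhere on $VPN_IF  *ALLOW OUT"
}
arm() {   # the post's firewall.sh rules, guarded by the route check
    if ! ip route | vpn_is_default; then
        echo "refusing to arm: default route is not via $VPN_IF" >&2; return 1
    fi
    sudo ufw --force reset
    sudo ufw default deny incoming
    sudo ufw default deny outgoing
    sudo ufw allow out on "$VPN_IF" from any to any
    sudo ufw --force enable
}
disarm() {   # the post's unfirewall.sh rules
    sudo ufw --force reset
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw --force enable
}
case "${1:-}" in
    arm) arm ;;  disarm) disarm ;;
    verify) sudo ufw status verbose | killswitch_armed && echo armed || { echo "NOT armed" >&2; exit 1; } ;;
esac
```

Save it as vpn-killswitch.sh, chmod +x it, and run ./vpn-killswitch.sh disarm before connecting, then arm once the VPN is up and verify to confirm.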

[EDIT: 2020.04.19 the bug detailed below seems to have been addressed, but I can't see any confirmations of it. I think installing openvpn-systemd-resolved helps; I haven't had to use dnsmasq for some time now.]

Be aware that there is, at the time of writing, a bug within systemd-resolved that exposes your ISP's DNS while using OpenVPN via Network Manager. The current work-around is to install dnsmasq. See Preventing openvpn dns leaks in systemd-resolved. I mention this because it's useless locking down your VPN connection while your ISP's DNS is being leaked.

Bonus tip: My favorite way to easily monitor network traffic is having a terminal maximized vertically and running watch -n 1 "ss -4 state ESTABLISHED". There are different ways to tweak this output with sudo and options, but I find this is enough to keep an eye on things.