
Hard block if OpenVPN / WireGuard go offline (i.e. authentication or error) #1413

Open
frankoz95967943 opened this issue Oct 9, 2023 · 3 comments

Comments

@frankoz95967943

Is your feature request related to a problem?

Love this software.
I noticed the other day RaspAP came up, but OpenVPN did not.
RaspAP allowed connections and worked even though OpenVPN had an error (the password had changed).

Describe the solution you'd like

Admin option of "Block connections if VPN is in error/disconnected status"
and an autoretry every couple minutes (admin config)
Show alert on main page that VPN is having problems
Send email that vpn is having problems

Describe alternatives you've considered

Shell script to stop raspap service if OpenVPN had an error on connect / not connected

@billz
Member

billz commented Oct 17, 2023

Something along these lines? https://docs.raspap.com/wireguard/#kill-switch

@fabio-stein

Still needing this for OpenVPN connections! I just tested and as soon as the ovpn client stops, it reveals the IP.

@frankozland

Here's what I ended up with:

# Flush the filter table, delete its user chains, and flush all counters too #
sudo iptables -F
sudo iptables -X
sudo iptables -Z
# Flush and delete all nat, mangle and raw chains #
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -t raw -F
sudo iptables -t raw -X

# POSTROUTING lives in the nat table, so -t nat is required for the MASQUERADE rules
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
# Allow local 192 network (masquerade traffic leaving it for any other destination)
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE

# Default allow
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

# Do not allow tun probe (no forwarding from one tunnel interface to another)
sudo iptables -A FORWARD -i tun+ -o tun+ -j DROP
# Do not allow local net forward to tunnel (drop packets arriving from the tunnel with a local source address)
sudo iptables -A FORWARD -s 192.168.0.0/16 -i tun+ -j DROP

# Allow anything that is forwarded, but it must go through the OpenVPN tunnel
sudo iptables -A FORWARD -i tun+ -o wlan+ -j ACCEPT
sudo iptables -A FORWARD -i wlan+ -o tun+ -j ACCEPT
sudo iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT
sudo iptables -A OUTPUT -j ACCEPT
# Drop anything that is forwarded that doesn't match any of these rules
# (this is the kill switch: with the tunnel down, nothing can be forwarded out of wlan+/eth+)
sudo iptables -P FORWARD DROP
# Persist settings
sudo netfilter-persistent save
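The rule set above is the static half of a kill switch: once `-P FORWARD DROP` is in place, client traffic can only leave through `tun+`, so a stopped client cannot reveal the real IP the way fabio-stein observed. The feature request also asks for an alert and an auto-retry. The script below is an added example (not RaspAP code and not the script posted above) that audits `iptables-save` output to confirm the FORWARD chain still enforces the tunnel-only path, and restarts the VPN unit when the tunnel interface has gone away. The interface name `tun0`, the unit name `openvpn-client@client`, the sysfs path and the embedded `iptables-save` excerpts are all constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not RasPAP project code and not the script posted above.
# Watchdog for the setup in this issue: AP clients may only reach the
# internet through the VPN interface (tun+ for OpenVPN, wg+ for WireGuard).
# It (1) audits iptables-save output to confirm the FORWARD chain enforces
# that, and (2) when the VPN interface is gone, logs an alert and restarts
# the VPN unit (the "autoretry" from the feature request).
# Assumptions, all constructed for this example: VPN_IF=tun0, the systemd
# unit is openvpn-client@client, and sysfs is at /sys/class/net.

VPN_IF=${VPN_IF:-tun0}
VPN_SERVICE=${VPN_SERVICE:-openvpn-client@client}
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# vpn_link_state SYSFS_DIR IFACE -> prints "up" or "down".
# tun/wg interfaces report operstate "unknown" while working, so that counts
# as up; a missing directory means the VPN client process has exited.
vpn_link_state() {
  dir=$1
  iface=$2
  [ -d "$dir/$iface" ] || { echo down; return 0; }
  state=$(cat "$dir/$iface/operstate" 2>/dev/null || echo unknown)
  case $state in
    up|unknown) echo up ;;
    *)          echo down ;;
  esac
}

# audit_forward_rules < iptables-save-output
# Prints "ok" (exit 0) when the filter table's FORWARD policy is DROP and
# every ACCEPT rule in FORWARD names the tunnel on -i or -o. Otherwise prints
# the first offending line and exits 1, so cron can log which rule would
# carry client traffic around the tunnel. Deliberately conservative: a
# conntrack ESTABLISHED accept with no tunnel interface is reported too.
audit_forward_rules() {
  policy_ok=0
  in_filter=0
  while IFS= read -r line; do
    case $line in
      '*filter') in_filter=1; continue ;;
      '*'*)      in_filter=0; continue ;;
    esac
    [ "$in_filter" = 1 ] || continue
    case $line in
      ':FORWARD DROP'*) policy_ok=1 ;;
      ':FORWARD '*)     echo "FORWARD policy is not DROP: $line"; return 1 ;;
      '-A FORWARD '*'-j ACCEPT'*)
        case $line in
          *'-i tun+'*|*'-o tun+'*|*'-i wg+'*|*'-o wg+'*) ;;
          *) echo "FORWARD ACCEPT bypasses the tunnel: $line"; return 1 ;;
        esac ;;
    esac
  done
  [ "$policy_ok" = 1 ] || { echo "no FORWARD chain with policy DROP found"; return 1; }
  echo ok
}

# Constructed iptables-save excerpts. SAMPLE_OK mirrors the FORWARD rules
# posted in this thread after the final "-P FORWARD DROP"; SAMPLE_LEAK is the
# same set with the policy still ACCEPT, the state in which a stopped client
# reveals the real IP.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o tun+ -j DROP
-A FORWARD -s 192.168.0.0/16 -i tun+ -j DROP
-A FORWARD -i tun+ -o wlan+ -j ACCEPT
-A FORWARD -i wlan+ -o tun+ -j ACCEPT
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT
COMMIT'
SAMPLE_LEAK=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^:FORWARD DROP/:FORWARD ACCEPT/')

# audit_sample RULES_TEXT -> runs the audit over an in-memory rule set.
audit_sample() { printf '%s\n' "$1" | audit_forward_rules; }

# watchdog SYSFS_DIR -> "ok" or "vpn-down". With APPLY=1 (run as root from
# cron every few minutes) it also restarts the VPN unit and writes to syslog;
# without APPLY it only reports, which is what the tests exercise.
watchdog() {
  if [ "$(vpn_link_state "$1" "$VPN_IF")" = up ]; then
    echo ok
    return 0
  fi
  if [ "${APPLY:-0}" = 1 ]; then
    logger -t vpn-watchdog "$VPN_IF is down; restarting $VPN_SERVICE"
    systemctl restart "$VPN_SERVICE"
  fi
  echo vpn-down
  return 1
}

# Live mode: `APPLY=1 sh vpn-watchdog.sh --check` from a root cron entry.
if [ "${1:-}" = "--check" ]; then
  iptables-save | audit_forward_rules
  watchdog "$SYSFS_NET"
fi
```

A cron entry such as `*/2 * * * * APPLY=1 /usr/local/sbin/vpn-watchdog.sh --check` gives the "retry every couple of minutes" behaviour, and the syslog line from `logger` is the hook for the alert or e-mail the request asks for. The audit only inspects the FORWARD chain; NAT and INPUT are left to the rule set itself, and an ACCEPT rule that does not mention a tunnel interface is reported even when it is harmless, so review the reported line before changing anything.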

@billz billz mentioned this issue Jan 19, 2025