Slightly less Random Ramblings

September 12, 2017

Setting up a killswitch for your VPN provider under Ubuntu

Filed under: computing, encryption, linux, OpenVPN, security — Robert Wicks @ 1:54 am

Run these commands to allow your Ubuntu machine to connect over VPN, but deny other traffic, so that if the VPN goes down, the server only allows local subnet access (for SSH so you can fix it).

 

#allow UDP traffic so that VPN works.

ufw allow out 1194/udp
ufw allow out 1198/udp

#Allow DNS queries
ufw allow out 53/udp

#Allow connections over all interfaces for Ubuntu updates

ufw allow out proto tcp to 23.246.0.0/18 port 80
ufw allow out proto tcp to 23.246.0.0/18 port 443
ufw allow out proto tcp to 54.239.54.0/23 port 80
ufw allow out proto tcp to 54.239.54.0/23 port 443
ufw allow out proto tcp to 54.239.13.128/25 port 80
ufw allow out proto tcp to 54.239.13.128/25 port 443
for x in 54.239.122.0 54.239.126.128; do for y in 80 443; do ufw allow out proto tcp to ${x}/25 port ${y}; done; done
ufw allow out proto tcp to 64.15.0.0/16 port 80
ufw allow out proto tcp to 64.15.0.0/16 port 443
for x in 54.239.145.0/24 54.239.145.0/24 64.15.119.0/24 91.189.91.23 91.189.91.26 91.189.88.149 91.189.88.152 91.189.88.162 91.189.88.161; do for y in 80 443; do ufw allow out proto tcp to ${x} port ${y}; done; done

#Get the interface addresses and allow stuff on the local subnet(s)
for y in $(ifconfig | awk '/inet/ && (/ 192\.168\./ || / 172\.16\./ || / 10\./) {print $2}'); do ufw allow to ${y}/24; ufw allow in from ${y}/24; done

#get the IP addresses for the VPN servers. In this case, privateinternetaccess.com
for z in $(for x in ca ca-toronto sweden swiss france germany israel; do host ${x}.privateinternetaccess.com; done | awk '/has address/ {print $NF}' | sort | uniq); do ufw allow in from ${z} to any; done

#allow traffic on tun0, the VPN interface.

ufw allow in on tun0 from any to any
ufw allow out on tun0 from any to any

#Deny connections by default
ufw default deny incoming
ufw default deny outgoing

#Enable the firewall
ufw enable
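
Once the firewall is enabled, it is worth checking that outgoing traffic really defaults to deny and seeing which rules still let packets leave outside tun0 (VPN setup, DNS, update mirrors). The script below is an added example, not part of the original post; it assumes the usual `ufw status verbose` layout, and the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output for the killswitch rules above.
# Live use (assumed invocation): sudo ufw status verbose | audit_killswitch
VPN_IF="tun0"   # VPN interface name used in the post

# Constructed sample of `ufw status verbose` output (not captured from a real host).
sample_status() {
cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW OUT   Anywhere
53/udp                     ALLOW OUT   Anywhere
91.189.91.23 443/tcp       ALLOW OUT   Anywhere
Anywhere on tun0           ALLOW IN    Anywhere
Anywhere                   ALLOW OUT   Anywhere on tun0
EOF
}

# Print the default outgoing policy (e.g. "deny"); prints nothing if not found.
default_out_policy() {
  awk '/^Default:/ { for (i = 2; i < NF; i++) if ($(i+1) ~ /^\(outgoing\)/) print $i }'
}

# Print ALLOW OUT rules that are not bound to the VPN interface: traffic that
# can still leave over the physical link while the tunnel is down.
off_tunnel_out_rules() {
  awk -v ifc="$VPN_IF" '/ALLOW OUT/ && $0 !~ (" on " ifc "( |$)") { print }'
}

# Return 0 only if ufw is active and outgoing traffic defaults to deny/reject.
audit_killswitch() {
  ks_status="$(cat)"
  printf '%s\n' "$ks_status" | grep -q '^Status: active' || { echo "FAIL: ufw is not active"; return 1; }
  ks_policy="$(printf '%s\n' "$ks_status" | default_out_policy)"
  case "$ks_policy" in
    deny|reject) ;;
    *) echo "FAIL: default outgoing policy is '${ks_policy:-unknown}'"; return 1 ;;
  esac
  echo "OK: default outgoing is $ks_policy; ALLOW OUT rules not bound to $VPN_IF:"
  printf '%s\n' "$ks_status" | off_tunnel_out_rules | sed 's/^/  /'
}

sample_status | audit_killswitch
```

Every rule it lists is traffic that keeps flowing over the physical interface when the VPN is down, so the list should contain only what you intend to allow there.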
