Run these commands to allow your Ubuntu machine to connect over VPN but deny all other traffic, so that if the VPN goes down the server only allows local-subnet access (for SSH, so you can fix it).
# Outbound UDP to the VPN endpoints' ports, so the tunnel can be brought up.
for vpn_port in 1194 1198; do
  ufw allow out "${vpn_port}/udp"
done
# DNS lookups (the VPN server names are resolved further down).
# Note: only UDP is opened; a resolver that retries over TCP after a
# truncated answer will not get through with this rule set.
ufw allow out 53/udp
Allow connections over all interfaces for Ubuntu updates:
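# Outbound HTTP/HTTPS to the update hosts, on every interface.
# The address list is the one given in the post (with the duplicate
# 54.239.145.0/24 entry removed); keep it in sync with the records your
# mirror actually resolves to today.
update_hosts=(
  23.246.0.0/18
  54.239.54.0/23
  54.239.13.128/25
  54.239.122.0/25
  54.239.126.128/25
  64.15.0.0/16
  54.239.145.0/24
  64.15.119.0/24
  91.189.91.23
  91.189.91.26
  91.189.88.149
  91.189.88.152
  91.189.88.162
  91.189.88.161
)
for dst in "${update_hosts[@]}"; do
  for port in 80 443; do
    ufw allow out proto tcp to "${dst}" port "${port}"
  done
done

# Allow traffic on the local RFC 1918 subnet(s) so SSH keeps working when
# the VPN is down.
# - 'ip -o -4 addr' prints the address with its real prefix length in $4,
#   so the prefix is no longer assumed to be /24 (and ifconfig/net-tools,
#   which newer Ubuntu releases do not install by default, is not needed).
# - ufw treats a rule with no in/out keyword as an *incoming* rule, so the
#   original "ufw allow to <addr>/24" opened every inbound port on the
#   host's own address rather than permitting outbound traffic to the
#   subnet. The direction is now stated explicitly for both rules.
# - Only 10/8, 172.16/12 and 192.168/16 addresses are matched; the original
#   awk pattern (&& binds tighter than ||) also picked up unrelated lines.
while IFS= read -r cidr; do
  ufw allow in from "${cidr}"
  ufw allow out to "${cidr}"
done < <(ip -o -4 addr show scope global \
  | awk '$4 ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ {print $4}')

# Resolve the VPN endpoints (privateinternetaccess.com in this case) and
# allow inbound from them. Only "<name> has address <ip>" lines are used,
# so a failed lookup ("not found", SERVFAIL) cannot feed a bogus token
# into ufw. ufw's stock before.rules normally accept established/related
# replies to the outbound UDP session, so this rule mainly matters for
# connections the VPN servers themselves initiate.
vpn_regions=(ca ca-toronto sweden swiss france germany israel)
for region in "${vpn_regions[@]}"; do
  host "${region}.privateinternetaccess.com"
done | awk '/has address/ {print $NF}' | sort -u | while IFS= read -r vpn_ip; do
  ufw allow in from "${vpn_ip}" to any
done

# Allow all traffic on tun0, the VPN interface.
ufw allow in on tun0 from any to any
ufw allow out on tun0 from any to any

# Deny everything else by default (set before enabling so the policy is
# in place the moment the firewall comes up).
ufw default deny incoming
ufw default deny outgoing

# Enable the firewall.
ufw enable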