Commit

how to unload
Patrick Schleizer committed May 7, 2014
1 parent e345e43 commit 6147f0e
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -103,6 +103,11 @@ Should reply:

0

6) How to unload VPN Firewall?

If you want to disable VPN Firewall, see:
https://gist.github.com/adrelanos/10565852

# How to Test

1) Install.
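Review bot: the new item 6) documents unloading only by linking out to a gist, so the README itself never says how the rules are removed or what state the host is left in afterwards; inline the unload command (or at least describe what the gist does) so the instructions survive the gist moving and so the `# How to Test` section that follows can refer to it. Minor: the heading says "unload" while the body says "disable"; use one term consistently, matching the commit message.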

8 comments on commit 6147f0e

@piratelinux

Hi adrelanos, how are you doing? This script looks interesting. Do you think it would be easy to translate this into a patch for Network Manager? I want to implement something like this but it has to have a clean way to install/uninstall, and it has to cause as little changes as possible to system wide settings. I want Network Manager as it is the only non-CLI way of managing VPN connections that I know of. If it's not too hard to do this patch, I would be willing to help write it. At the same time, we can maybe add a patch that makes Network Manager respect MAC address settings (another problem I noticed).

@adrelanos adrelanos commented on 6147f0e May 18, 2014 via email

@piratelinux

OK I will look into it. I like C, but I don't know much about iptables, so maybe you can help with that :)

@piratelinux

Hey. I tried your VPN Firewall against Network Manager and it works pretty well. The openvpn plugin has a program /usr/libexec/nm-openvpn-service-openvpn-helper that gets called after the tun interface is created. So I replaced that with a bash script that calls the firewall, and then calls the original nm-openvpn-service-openvpn-helper. I tested it by killing the openvpn program, and indeed, the lock for the network manager openvpn goes down, but nothing can be accessed. The unload script works fine also. The only thing that didn't work is the VPN_SERVERS variable. Even when I had the default server IP you put there, I was still able to use my VPN which has a different IP. The VPN_INTERFACE variable works well. I still feel like there should be a more "elegant" way to do this (without all those rules), but so far this is the best I've seen.

As for respecting the MAC address, I think the best approach is to modify the linux kernel. There's some functionality in it called ethtool, that allows for programs (like Network Manager) to get the real hardware addresses of the network devices. One way could be to modify the function that returns the MAC address so that it returns the spoofed address instead (in ethtool_get_perm_addr in http://lxr.free-electrons.com/source/net/core/ethtool.c). Another way the MAC address can be shown is if the driver is reloaded. Perhaps a way to protect against this is to build the drivers into the kernel, rather than have them as modules. Another way is to look at cached dmesg output, so that can be cleared. I don't think there is any other way to get it other than load a kernel module, search for in memory/filesystem if the user manually put it there, or mess around with the kernel in general. Oh yeah, and the mac should be spoofed before network manager starts.

I am planning to make an Anonymity mode for Pirate Linux that will do something similar to what Whonix does. But instead of virtualizing the gateway, I will keep it unvirtualized but running in the minimal environment needed to run Network Manager. I can't virtualize it because I want it to work with laptops that mostly use wifi and mobile broadband connections. And Network Manager is the only tool that can handle those kinds of connections.

Edit: You can also get the MAC address from the EEPROM (try ethtool -e). I don't know how to disable this, or if it's necessary.
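As an added example, not code from VPN-Firewall, NetworkManager or either commenter: a wrapper for the helper-replacement approach described in the comment above. It goes one step beyond what the comment describes by failing closed: if the firewall script is missing or exits non-zero, the original helper is never called, so the VPN is not brought up unprotected. The paths for the firewall script and for the renamed original helper are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example (not part of VPN-Firewall or NetworkManager): a fail-closed
# wrapper for NetworkManager's OpenVPN helper. Assumed paths, adjust as needed:
#   VPN_FIREWALL  - the script that loads the firewall rules
#   ORIG_HELPER   - the real helper, moved aside before installing this wrapper
VPN_FIREWALL="${VPN_FIREWALL:-/usr/local/bin/vpn-firewall}"
ORIG_HELPER="${ORIG_HELPER:-/usr/libexec/nm-openvpn-service-openvpn-helper.orig}"

# run_vpn_hook FIREWALL HELPER [helper args...]
# Loads the firewall first and only then hands control to the original helper.
# If the firewall script is missing or exits non-zero, the helper is NOT run,
# so NetworkManager never finishes bringing the VPN up without the rules in
# place (fail closed rather than silently unprotected).
run_vpn_hook() {
    fw="$1"; helper="$2"; shift 2
    if [ ! -x "$fw" ]; then
        echo "vpn-hook: firewall script $fw missing or not executable; refusing to continue" >&2
        return 2
    fi
    if [ ! -x "$helper" ]; then
        echo "vpn-hook: original helper $helper not found; refusing to continue" >&2
        return 2
    fi
    if ! "$fw"; then
        echo "vpn-hook: firewall failed to load; not running $helper" >&2
        return 1
    fi
    # NetworkManager passes the OpenVPN state to the helper via arguments and
    # environment; forward both untouched and return the helper's exit status.
    "$helper" "$@"
}

# Act as the hook only when installed under the helper's own name, so the
# file can be sourced or run under another name without side effects.
case "$0" in
    */nm-openvpn-service-openvpn-helper)
        run_vpn_hook "$VPN_FIREWALL" "$ORIG_HELPER" "$@"
        ;;
esac
```

Install it under the helper's name after moving the original aside to the path given in ORIG_HELPER (the helper's location differs between distributions; the comment's /usr/libexec path is one layout). Two caveats a practitioner should keep in mind: the hook only runs when the tunnel comes up, so the firewall script has to be safe to run repeatedly, and the rules it installs must survive the tunnel going away, which is exactly the case the comment's kill-the-openvpn-process test exercises.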

@adrelanos adrelanos commented on 6147f0e May 26, 2014 via email

@piratelinux piratelinux commented on 6147f0e May 26, 2014 via email

@adrelanos adrelanos commented on 6147f0e May 26, 2014 via email

@adrelanos

Andrew K:

And when will they be available?

Dear Andrew,

there has been a big update. A pre-release of freshly split, untested packages, welcoming early comments before perfecting them:
https://github.com/Whonix/Whonix/issues/40#issuecomment-44753513

This discussion here is difficult to find. Please let's move it to https://github.com/Whonix/Whonix/issues/40#issuecomment-44753513 or elsewhere.

Cheers,
Patrick
