VPNs ? #219

Closed
BillDietrich opened this issue Nov 16, 2018 · 2 comments
Comments

@BillDietrich

BillDietrich commented Nov 16, 2018

Sorry, I haven't installed yet, and I'm a n00b too, but I see no mention of VPNs. How does opensnitch interact with a VPN and has it been tested with any VPNs?

Readme says something about editing iptables rules. Or is there a mode where opensnitch doesn't do that? Windscribe VPN adds iptables rules and changes policies on a couple of chains, as well as changing IP routing (netstat -r). I believe ProtonVPN does not change iptables rules.

Does opensnitch daemon have to start before VPN, or after, or does it vary for various VPNs?

Would be good to have this addressed in the opensnitch Readme. Thanks.

@gustavo-iniguez-goya
Collaborator

Hi @BillDietrich !

The latest packages have been tested with VPNs (OpenVPN, WireGuard and PPTP). If you configure the daemon default action to Deny, the VPNs won't work. Well, OpenVPN will work just fine, but if you configure the VPN to use ICMP to keep the tunnel up it'll fail.

As a temporary solution to this problem, we've added the file /etc/opensnitchd/system-fw.json where you can add rules to allow this type of traffic. There's no GUI yet to configure it, sorry :(

For example, if you wanted to allow PPTP:

{
    "SystemRules": [
        {
            "Rule": {
                "Description": "Allow pptp VPN",
                "Table": "mangle",
                "Chain": "OUTPUT",
                "Parameters": "-p gre",
                "Target": "ACCEPT",
                "TargetParameters": ""
            }
        }
    ]
}

I'll close this issue for now. If you happen to try it again and the VPN fails to connect, reopen the issue please.
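A structural check for a hand-edited system-fw.json, added here as an example and not part of the original comment or of the opensnitch code base. The field names come from the PPTP rule above; the function name `check_system_fw` is hypothetical, and the printed iptables line is an assumed mapping of the fields for human review, not the daemon's documented behaviour.

```python
import json
import shlex

# Field names taken from the example rule in the comment above.
REQUIRED = ("Description", "Table", "Chain", "Parameters", "Target", "TargetParameters")
# Built-in iptables tables; a typo here would make the rule unusable.
KNOWN_TABLES = {"filter", "nat", "mangle", "raw", "security"}


def check_system_fw(text):
    """Return (problems, previews) for the contents of a system-fw.json file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"], []
    rules = doc.get("SystemRules") if isinstance(doc, dict) else None
    if not isinstance(rules, list):
        return ['top level must be an object with a "SystemRules" list'], []
    problems, previews = [], []
    for i, entry in enumerate(rules):
        rule = entry.get("Rule") if isinstance(entry, dict) else None
        if not isinstance(rule, dict):
            problems.append(f'entry {i}: missing "Rule" object')
            continue
        bad = [k for k in REQUIRED if not isinstance(rule.get(k), str)]
        if bad:
            problems.append(f"entry {i}: missing or non-string fields: {', '.join(bad)}")
            continue
        if rule["Table"] not in KNOWN_TABLES:
            problems.append(f"entry {i}: unknown table {rule['Table']!r}")
            continue
        try:
            match = shlex.split(rule["Parameters"])
            extra = shlex.split(rule["TargetParameters"])
        except ValueError as exc:
            problems.append(f"entry {i}: unbalanced quoting: {exc}")
            continue
        # Assumed mapping, for human review only: table, chain, match, target.
        argv = ["iptables", "-t", rule["Table"], "-A", rule["Chain"], *match,
                "-j", rule["Target"], *extra]
        previews.append(" ".join(shlex.quote(a) for a in argv))
    return problems, previews


# Constructed sample: the PPTP rule from the comment above.
SAMPLE = """{"SystemRules": [{"Rule": {"Description": "Allow pptp VPN",
  "Table": "mangle", "Chain": "OUTPUT", "Parameters": "-p gre",
  "Target": "ACCEPT", "TargetParameters": ""}}]}"""

if __name__ == "__main__":
    problems, previews = check_system_fw(SAMPLE)
    print("\n".join(problems or previews))
```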

@BillDietrich
Author

The issue really was about documenting the situation, in the README.
