Feature Request: Kill Switch? #169

Open
rdegges opened this issue Dec 5, 2022 · 1 comment

Comments

@rdegges

rdegges commented Dec 5, 2022

This is a feature request -- it'd be really neat to have the ability to enforce a kill switch when setting up PIA, regardless of whether you're using the WireGuard or OpenVPN options.

@Paulie420

Paulie420 commented Sep 2, 2023

Same - I tried today, setting up a killswitch with iptables rules... it was frustrating, but I know that's my fault. I looked in ca_vancouver.ovpn, at the remote line, and tried to come up with two sets of rules... both failed to operate as a good killswitch:

Rules 1:

# iptables-restore format: the table header must come before the chain policies
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow local loopback device
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow local network (matched by address only, on any interface)
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -j ACCEPT

# Allow established and related incoming traffic
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow all traffic in and out on the VPN (tun+) interface
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

# Allow VPN connection establishment
-A OUTPUT -d 209.222.18.222/32 -j ACCEPT
-A OUTPUT -d 209.222.18.218/32 -j ACCEPT
# This one matches UDP/1197 to any destination, not only the two hosts above
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT

# Reject all other outgoing traffic (the policy is already DROP; REJECT makes
# blocked connections fail immediately instead of hanging until they time out)
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable

COMMIT

Rules 2:

# Switch to root (if not already)
sudo su

# Flush all existing rules
iptables -F

# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow local loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow local network
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/24 -j ACCEPT

# Allow established and related incoming traffic
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow all traffic out on the VPN (tun+) interface
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Allow VPN connection establishment
iptables -A OUTPUT -d 162.216.47.162/32 -j ACCEPT
iptables -A OUTPUT -d 181.41.202.171/32 -j ACCEPT
iptables -A OUTPUT -d 181.41.202.188/32 -j ACCEPT
# This one matches UDP/1198 to any destination, not only the three hosts above
iptables -A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT

# Reject all other outgoing traffic (the policy is already DROP; REJECT makes
# blocked connections fail immediately instead of hanging until they time out)
iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable

# Verify the rules
iptables -L -v -n

# To save the rules after testing (if everything works)
iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables

I know I posted two different formats - at any rate, can anyone help me find my issue?
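One way to build the "VPN connection establishment" exception so that it is pinned to each `remote` line of the profile (host, protocol and port matched together) instead of allowing UDP/1198 to any destination, as an added example that is not code from this issue or from PIA. The profile in the script is constructed and its hostnames are placeholders; the script assumes the DNS resolver used before the tunnel is up lives inside the LAN range passed as the second argument.

```shell
#!/usr/bin/env bash
# Added example for this thread (not code from the issue or from PIA):
# emit an iptables-restore ruleset whose "VPN connection establishment"
# exception is pinned to the host, protocol and port of every "remote"
# line in the OpenVPN profile instead of allowing UDP/1198 to anywhere.
set -eu

# Constructed stand-in for ca_vancouver.ovpn. The hostnames are placeholders
# (assumption), not real PIA endpoints.
SAMPLE_OVPN='client
dev tun
proto udp
remote vpn-a.example.invalid 1198
remote vpn-b.example.invalid 1197 udp
remote vpn-c.example.invalid 443 tcp-client
resolv-retry infinite
'

# Reduce an OpenVPN "proto" value (udp, udp4, tcp6, tcp-client, ...) to the
# protocol name iptables expects: udp or tcp.
norm_proto() {
  local p="$1"
  p="${p%-client}"; p="${p%-server}"
  p="${p%4}"; p="${p%6}"
  printf '%s\n' "$p"
}

# Print the ruleset.
#   $1 = OpenVPN profile path
#   $2 = LAN CIDR that stays reachable without the tunnel (e.g. 10.0.0.0/24)
gen_killswitch_rules() {
  local ovpn="$1" lan="$2" default_proto kw host port proto rest
  # A global "proto" line is the default for "remote host port" lines that
  # carry no protocol of their own; OpenVPN itself defaults to udp.
  default_proto=$(norm_proto "$(awk '$1=="proto"{p=$2} END{print (p=="" ? "udp" : p)}' "$ovpn")")

  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# LAN stays reachable; before the tunnel is up this is also the only path for
# resolving the remote names, so the system resolver must live in $lan
-A INPUT -s $lan -j ACCEPT
-A OUTPUT -d $lan -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
EOF
  # One ACCEPT per remote, matching destination, protocol and port together,
  # so no other host can be reached on the VPN port.
  while read -r kw host port proto rest; do
    [ "$kw" = "remote" ] || continue
    printf '%s -d %s -p %s --dport %s -j ACCEPT\n' '-A OUTPUT' \
      "$host" "$(norm_proto "${proto:-$default_proto}")" "${port:-1194}"
  done < "$ovpn"
  # Policy is already DROP; REJECT makes blocked connections fail at once
  # instead of hanging until they time out.
  cat <<'EOF'
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable
COMMIT
EOF
}

if [ "${1:-}" = "--apply" ]; then
  # Atomic load of the whole table; needs root. Run it from a local console:
  # OUTPUT has no ESTABLISHED rule, so an SSH session's replies are dropped.
  gen_killswitch_rules "${2:?profile path}" "${3:?LAN CIDR}" | iptables-restore
else
  # Demo: render the rules for the constructed profile.
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_OVPN" > "$tmp"
  gen_killswitch_rules "$tmp" 10.0.0.0/24
  rm -f "$tmp"
fi
```

Two caveats when using it for real: iptables resolves a hostname given to `-d` once, at the moment the rule is loaded, and installs one rule per address the name returns, so if the name later resolves to an address that was not in that set, OpenVPN's connection is rejected by the switch; for a strict setup put addresses rather than names in the `remote` lines, or resolve them yourself (for example with `getent ahostsv4`) right before loading. And as in the rules above, nothing is allowed on OUTPUT except loopback, the LAN range, the tun+ interface and the pinned endpoints, so DNS over the physical interface only works if the resolver sits in that LAN range.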
