Disable internet access only if it's accessed via a VPN on Ubuntu 17
Is there a way to prevent my system from using the regular internet and restrict it to using a VPN only on Ubuntu 17? FYI, I already set up ProtonVPN via the .ovpn files and currently just connect to it by turning it on with the dropdown in the menu.
I want to force all connections to only use the VPN, and if the VPN isn't accessible, it should prevent all types of connections to the internet.
I know it has something to do with setting the routes in the IPv4 section, but I'm not sure what.
networking security vpn
edited Mar 6 at 15:24
asked Mar 5 at 15:25
Patoshi
I think it is a bit difficult to force the system to not use the internet completely if you are not in the VPN. Any solution that completely separates you from the internet will also separate you from your VPN provider... Normally these providers have multiple hops with dynamic IPs, so disabling DNS seems counterproductive... maybe if you have iptables rules that blackhole all your traffic, and these would be turned off/on with a script that also handles your VPN...
– Robert Riedl
Mar 12 at 8:59
Maybe it would be more feasible to have a live banner on your desktop that tells you if you are in the VPN or not, so that you don't accidentally surf the web if the VPN is not on.
– Robert Riedl
Mar 12 at 9:00
3 Answers
The solution is to use iptables to deny all outgoing traffic except when the traffic passes through the tunnel.
If the tunnel is broken, access to the Internet is no longer possible until the tunnel is established again.
I assume that you're using TUN-based routing to connect to the OpenVPN server and that you're using the redirect-gateway OpenVPN client option.
Create a file anywhere (e.g. /root/iptables.vpn); you have to replace [VPN_IP] and [VPN_PORT] with the ip:port of the VPN server:

```text
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Set a default DROP policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow basic INPUT traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Allow basic OUTPUT traffic.
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow traffic to the OpenVPN server and via the tunnel.
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p udp -m udp -d [VPN_IP] --dport [VPN_PORT] -j ACCEPT
# Reject everything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

After the connection with the VPN server is established you have to enable the rules:

```sh
iptables-restore < /root/iptables.vpn
```

All traffic will now be routed through the tunnel.
EDIT
As the author writes, he runs the connection using a NetworkManager-like approach, so the problem is that he does not know the remote IP of the server, as it is grabbed from a pool. I think (but for now I have not had the time to test this solution) that one approach may be:
- Modify the previously created file (in our example /root/iptables.vpn), replacing [VPN_IP] with $route_vpn_gateway and [VPN_PORT] with $remote_port
- Create a script (e.g. /etc/openvpn/route.sh):

```sh
#!/bin/sh
# Expand the $variables in the rule file with the values OpenVPN exports to the
# script's environment, then feed the result to iptables-restore.
while read -r line
do eval "echo $line"
done < /root/iptables.vpn | /sbin/iptables-restore -v
```

(https://stackoverflow.com/questions/5289665/use-external-file-with-variables)
- Modify (and then reload) your .ovpn file, appending:

```text
script-security 2
# "up" makes OpenVPN run the script once the tunnel is established
up /etc/openvpn/route.sh
```

(How do I run a script after OpenVPN has connected successfully?)
The script will run every time the connection to the VPN is established.
As mentioned, I've not tested this...
Remember to flush your iptables after closing the VPN connection.
edited Mar 12 at 17:19
answered Mar 12 at 11:03
LilloX
but my VPN server IP changes all the time as I use protonvpn.com as my service provider.
– Patoshi
Mar 12 at 15:42
This doesn't work with variable-upstream-server-addresses VPN hosts.
– Thomas Ward ♦
Mar 12 at 17:22
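The two comments above point at the weak spot of a fixed [VPN_IP]: with a provider pool the address differs from one connection to the next. OpenVPN already tells an up script which endpoint it actually connected to, so the ruleset can be rendered from that at connect time instead of being edited by hand. The script below is an added example written for this page, not code from the answer or from OpenVPN. It assumes `trusted_ip`, `trusted_port`, `proto_1`, `dev` and `script_type` in the environment (the variables OpenVPN exports to `--up`/`--down` scripts when `script-security 2` is set), the iptables-restore format the answer uses, and a hypothetical install path of /etc/openvpn/killswitch.sh:

```shell
#!/bin/sh
# Added example, not code from the answer above: an OpenVPN "up" hook that
# renders the kill-switch ruleset from the environment OpenVPN hands to scripts,
# so the server address never has to be hard-coded (it changes per connection
# when the provider picks a server from a pool).
#
# OpenVPN exports trusted_ip and trusted_port (the endpoint actually connected
# to), proto_1 (the configured protocol) and dev (the tunnel device) to --up and
# --down scripts, and sets script_type to "up" or "down". Hook it up with:
#     script-security 2
#     up   /etc/openvpn/killswitch.sh
#     down /etc/openvpn/killswitch.sh
# Run by hand with no OpenVPN environment it only prints the ruleset (dry run)
# for a constructed endpoint; nothing is applied unless script_type is "up".

# Map OpenVPN's --proto spellings (udp, udp4, tcp-client, tcp6-client, ...) to
# the -p value iptables expects.
normalize_proto() {
    case "$1" in
        udp*) echo udp ;;
        tcp*) echo tcp ;;
        *) echo "normalize_proto: unknown protocol '$1'" >&2; return 1 ;;
    esac
}

# Print an iptables-restore ruleset for the filter table that only lets packets
# out via loopback, via the tunnel device, or to the VPN endpoint itself.
# Arguments: server_ip server_port proto tunnel_dev
render_killswitch_rules() {
    ip="$1"; port="$2"; proto="$3"; tun="${4:-tun+}"
    # Refuse to render an unscoped rule: an empty or malformed value would
    # silently widen "-d $ip --dport $port" into "allow everything".
    case "$ip" in
        ''|*[!0-9.]*) echo "render_killswitch_rules: bad server ip '$ip'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "render_killswitch_rules: bad port '$port'" >&2; return 1 ;;
    esac
    case "$proto" in
        udp|tcp) ;;
        *) echo "render_killswitch_rules: bad protocol '$proto'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
-A OUTPUT -p $proto -d $ip --dport $port -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

case "${script_type:-}" in
    up)
        # Render first, apply second: a missing or malformed endpoint aborts the
        # script, and a failing up script makes OpenVPN abort the connection
        # instead of running with an open firewall.
        proto=$(normalize_proto "${proto_1:-udp}") || exit 1
        rules=$(render_killswitch_rules "$trusted_ip" "$trusted_port" "$proto" "$dev") || exit 1
        printf '%s\n' "$rules" | iptables-restore
        ;;
    down)
        # Fail closed: leave the rules in place so a dropped tunnel cannot fall
        # back to the bare uplink. The endpoint rule still lets OpenVPN reconnect
        # to the same server; lift the rules by hand when you want direct access.
        ;;
    *)
        # Dry run with a constructed endpoint (203.0.113.10 is documentation space).
        proto=$(normalize_proto "${proto_1:-udp}") || exit 1
        render_killswitch_rules "${trusted_ip:-203.0.113.10}" "${trusted_port:-1194}" "$proto" "${dev:-tun0}"
        ;;
esac
```

The down branch deliberately keeps the rules, which is what the question asks for; the price, as Robert Riedl's comment under the question notes, is that a reconnect to a different pool server, or one that has to re-resolve a hostname through DNS, stays blocked until the rules are lifted. Outgoing ICMP is also not opened, unlike the ruleset in the answer, since ping outside the tunnel is itself a path around it.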
Lots of ways, but it depends on which particular VPN software you are using.
You can prevent the system from accessing the network when not on the VPN by editing the interface configuration, either in /etc/network/interfaces or (more likely if you are using a desktop system) from NetworkManager. Open NM, select "configure networks" or some such, then edit the options for how each interface gets its address to have static routes that do not include a default route (or add a default route to blackhole). Then set up your VPN to give you a default route via that when it comes up.
Without more details about your setup, this is about as much as I can say.
answered Mar 5 at 17:17
JayEye
I'm using ProtonVPN and have it set up via OpenVPN. Currently when I want to use the VPN, I just click VPN and select my region from the top menu on Ubuntu 17.
– Patoshi
Mar 5 at 19:43
prntscr.com/inf417 -- do I change the DNS there?
– Patoshi
Mar 6 at 4:10
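Whether you take this answer's routing approach or a firewall, it pays to verify the resulting state rather than trust the configuration dialog. The audit below is an added example, not code from the answer; it reads text in the format of `ip -4 route show` and `iptables -S OUTPUT` (constructed samples are embedded so it runs offline), assumes tunnel devices are named tun*, and treats the OUTPUT chain as the enforcing control:

```shell
#!/bin/sh
# Added example, not code from any answer on this page: an audit that reads the
# routing table and the OUTPUT chain and reports whether the host is really in
# the "VPN or nothing" state the question asks for. It works on text in the
# format of `ip -4 route show` and `iptables -S OUTPUT`, so it can be run
# against captured output as well as against the live host. The sample inputs
# at the bottom are constructed, not taken from a real machine.

# Check 1: routing. Any default route whose device is not a tunnel is a path
# that takes over the moment the tunnel disappears.
# stdin: `ip -4 route show` text. Prints the offending routes; returns 1 if any.
default_routes_outside_tunnel() {
    awk '
        $1 == "default" {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev !~ /^tun/) { print "default route outside tunnel: " $0; leaks++ }
        }
        END { exit (leaks > 0) }'
}

# Check 2: firewall. The OUTPUT chain must not fall through to ACCEPT, and every
# ACCEPT rule must be tied to loopback, a tunnel device, an already established
# connection, or one specific destination host (the VPN endpoint).
# stdin: `iptables -S OUTPUT` text. Prints each problem; returns 1 if any.
output_chain_is_locked() {
    awk '
        /^-P OUTPUT / { policy = $3 }
        /^-A OUTPUT / {
            last = $0
            if ($0 ~ / -j ACCEPT$/) {
                if ($0 ~ / -o lo / || $0 ~ / -o tun/ ||
                    $0 ~ /--ctstate [A-Z,]*ESTABLISHED/ || $0 ~ / -d [0-9.]+\/32 /) next
                print "unscoped ACCEPT rule: " $0; bad++
            }
        }
        END {
            closed = (policy == "DROP" || last ~ /^-A OUTPUT -j (REJECT|DROP)/)
            if (!closed) { print "OUTPUT chain can fall through to ACCEPT"; bad++ }
            exit (bad > 0)
        }'
}

# Run both checks on captured text; succeeds only when both pass.
# Arguments: routes_text rules_text
vpn_only_audit() {
    failed=0
    printf '%s\n' "$1" | default_routes_outside_tunnel || failed=$((failed + 1))
    printf '%s\n' "$2" | output_chain_is_locked || failed=$((failed + 1))
    [ "$failed" -eq 0 ]
}

# Constructed sample: redirect-gateway style halves via tun0, a host route to the
# endpoint, no bare default route, and a locked OUTPUT chain (203.0.113.10 is
# documentation address space).
LOCKED_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev enp3s0'
LOCKED_RULES='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the DHCP default route is still there and the chain lets
# DNS out to anyone, so the host falls back to the bare uplink when tun0 goes.
LEAKY_ROUTES='default via 192.168.1.1 dev enp3s0 proto dhcp metric 100
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.20'
LEAKY_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT'

echo "== locked sample =="
vpn_only_audit "$LOCKED_ROUTES" "$LOCKED_RULES" && echo "verdict: VPN-only"
echo "== leaky sample =="
vpn_only_audit "$LEAKY_ROUTES" "$LEAKY_RULES" || echo "verdict: NOT VPN-only"
```

On a live host run `vpn_only_audit "$(ip -4 route show)" "$(iptables -S OUTPUT)"` as root. With redirect-gateway def1 OpenVPN leaves the DHCP default route in place and only shadows it with 0.0.0.0/1 and 128.0.0.0/1, so the routing check flags a working tunnel as well: that shadowed route is exactly what traffic falls back to when tun0 vanishes, which is why this answer removes the default route and the iptables answer above adds a firewall on top.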
Yes. Use ufw.
When you connect to the VPN, it creates a virtual device. Assuming that your ethernet interface is named enp3s0 and your VPN server listens on port 1194, use these commands:
```bash
# Default policies
ufw default deny incoming
ufw default deny outgoing
# OpenVPN interface (adjust interface according to your configuration)
ufw allow in on tun0
ufw allow out on tun0
# Local network (adjust IP range according to your configuration)
ufw allow in on enp3s0 from 192.168.1.0/24
ufw allow out on enp3s0 to 192.168.1.0/24
# OpenVPN (adjust port according to your configuration)
ufw allow in on enp3s0 from any port 1194
ufw allow out on enp3s0 to any port 1194
```
If you connect to the server by name, not by IP address, you have to allow a DNS leak outside of the VPN. Add these commands:
```bash
# DNS
ufw allow in from any to any port 53
ufw allow out from any to any port 53
```
Then use `ufw enable` to turn those rules on, and `ufw disable` if something goes wrong or you want direct access.
Courtesy of ArchWiki.
answered Mar 15 at 12:39
Barafu Albino
I'm using ProtonVPN; how do I find out what ports it's even using so I can open it?
– Patoshi
Mar 15 at 14:00
It's 1194. If you have the .ovpn file, just read it.
– Barafu Albino
Mar 16 at 14:25
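An added example, not the answer's own code, that takes the same ufw approach and narrows its two loosest rules. It reads the `remote` lines of the .ovpn file (OpenVPN's `remote <host> [port] [proto]` directive, with port defaulting to 1194 and proto to the file's top-level `proto` line) and allows outbound traffic only to those endpoints, rather than to "any" host on port 1194, and it permits DNS only to a single resolver on the LAN rather than from and to "any". ufw is stateful, so the server's replies are accepted without a separate inbound rule on the physical interface. The interface names, LAN range, resolver address and the sample .ovpn are assumptions; the sample is constructed for running offline, not a ProtonVPN profile.

```shell
#!/bin/sh
# Added example, not code from the answer above: generate ufw "kill-switch"
# rules scoped to the endpoints named in an OpenVPN .ovpn file, instead of
# opening port 1194 to "any" and DNS to "any". Needs only POSIX sh and awk.
#
# Hypothetical site settings (adjust to your machine):
TUN=${TUN:-tun0}                    # tunnel device OpenVPN creates
LAN_IF=${LAN_IF:-enp3s0}            # physical interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # local network
RESOLVER=${RESOLVER:-192.168.1.1}   # the one DNS server allowed outside the tunnel

# Print "host port proto" for each 'remote' directive in an .ovpn file.
# OpenVPN syntax is 'remote <host> [port] [proto]'; a missing port defaults to
# 1194 and a missing proto to the file's top-level 'proto' line (else udp).
# CRLF line endings (profiles saved on Windows) are tolerated.
ovpn_remotes() {
  default_proto=$(awk '{ sub(/\r$/, "") }
    $1 == "proto" { p = $2 }
    END { if (p == "") p = "udp"; sub(/-client$/, "", p); print p }' "$1")
  awk -v dp="$default_proto" '{ sub(/\r$/, "") }
    $1 == "remote" {
      port  = ($3 == "" ? 1194 : $3)
      proto = ($4 == "" ? dp   : $4)
      print $2, port, proto
    }' "$1"
}

# Emit the ufw commands. ufw is stateful, so replies to an allowed outbound
# connection are accepted; no separate "allow in ... port 1194" rule is needed.
# ufw takes IP addresses, not hostnames: a 'remote' given as a name is reported
# and skipped so it can be resolved and added by address rather than as "any".
ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow in on $TUN
ufw allow out on $TUN
ufw allow in on $LAN_IF from $LAN_NET
ufw allow out on $LAN_IF to $LAN_NET
ufw allow out on $LAN_IF to $RESOLVER port 53
EOF
  ovpn_remotes "$1" | while read -r host port proto; do
    case "$host" in
      *[!0-9.]*) echo "# skipping remote '$host': ufw needs an IP, resolve it and add it by address" ;;
      *)         echo "ufw allow out on $LAN_IF to $host port $port proto $proto" ;;
    esac
  done
}

# Constructed sample config (not a real ProtonVPN profile) so this runs offline;
# 203.0.113.0/24 is a documentation range.
sample_ovpn() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
remote 203.0.113.11 443 tcp
remote vpn.example.invalid
verb 3
EOF
  echo "$f"
}

# Usage: sh kill-switch.sh client.ovpn | sudo sh   (review the output first)
if [ $# -ge 1 ]; then
  ufw_rules "$1"
fi
```

Run it against your own profile and read the output before piping it to `sudo sh`. If a `remote` is a hostname the script prints a comment instead of a rule, because ufw only accepts addresses; resolve it once and add the address explicitly. Queries to the LAN resolver still leave the tunnel while the VPN is down, which is the same trade-off the answer accepts, only confined to one address and one direction.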
I think it is a bit difficult to force the system to not use the internet completely if you are not in the VPN. Any solution that completely separates you from the internet will also separate you from your VPN provider... Normally these providers have multiple hops with dynamic IPs, so disabling DNS seems counterproductive... maybe if you have iptables rules that blackhole all your traffic, and these would be turned off/on with a script that also handles your VPN...
– Robert Riedl
Mar 12 at 8:59
Maybe it would be more feasible to have a live banner on your desktop that tells you if you are in the VPN or not, so that you don't accidentally surf the web if the VPN is not on.
– Robert Riedl
Mar 12 at 9:00