Re: Can't SSH after enabling dietpi-vpn killswitch

Posted: Mon May 31, 2021 9:15 pm
by vbarter
trendy wrote: Mon May 31, 2021 12:22 pm @MichaIng I think the current killswitch is lacking ssh for remote administration.
@vbarter edit /var/lib/dietpi/dietpi-vpn/killswitch.rules and add:

-A INPUT -s 192.168.0.0/16 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT

before the last line with COMMIT

Hello,

Thanks for this idea, but after making the change to that killswitch.rules file it does not save if I ever turn off the killswitch option in dietpi-vpn. I made the edit, reconnected vpn, but when I try to turn off the killswitch that rules file disappears when I check via ls command. When I re-enable the killswitch it appears a fresh, unmodified killswitch.rules is created.


Thank you @MichaIng for marking this as a potential improvement on GitHub. I hope it can possibly be an option for SSH within local network only. For now I'm using Up and Down scripts to stop and start the specific software I want under VPN.

Re: Can't SSH after enabling dietpi-vpn killswitch

Posted: Tue Jun 01, 2021 3:30 pm
by MichaIng
Currently iptables changes would need to be done via "up" script that can be configured in dietpi-vpn as well. Add the iptables commands to add those rules individually. That script runs after the others, after the tunnel has been established and the other killswitch rules have been applied.

Re: Can't SSH after enabling dietpi-vpn killswitch

Posted: Tue Jun 01, 2021 6:42 pm
by trendy
Don't forget to prefix iptables before the -A ...
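Putting the two suggestions above together (run the rules from the dietpi-vpn "up" script, each prefixed with iptables), here is an added example of such an up script. It is not DietPi's own code: it assumes the killswitch filters the INPUT chain with iptables, that the LAN is one of the RFC1918 ranges quoted earlier in the thread, and that the up script is invoked as `sh killswitch-ssh.sh apply`; the names LAN_RANGES, SSH_PORT, IPTABLES and the apply/show arguments are this example's own.

```shell
#!/bin/sh
# Added example, not DietPi's own code: an "up" script for dietpi-vpn that
# re-adds SSH allow rules for LAN ranges after the killswitch rules are in place.
# Assumptions: the killswitch filters the INPUT chain with iptables, the LAN is
# one of the RFC1918 ranges quoted in the thread, and sshd listens on $SSH_PORT.

LAN_RANGES="${LAN_RANGES:-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
SSH_PORT="${SSH_PORT:-22}"
IPTABLES="${IPTABLES:-iptables}"   # override to point at a wrapper or test double

# Rule specification (the part after -A/-I/-C) for one source range: only NEW
# TCP connections to the SSH port from that range, matching the rules quoted
# in the thread.
ssh_rule_spec() {
    printf 'INPUT -s %s -m conntrack --ctstate NEW -p tcp --dport %s -j ACCEPT' \
        "$1" "$SSH_PORT"
}

# Print the full iptables command for every range, one per line (for review).
ssh_rule_commands() {
    for range in $LAN_RANGES; do
        printf '%s -I %s\n' "$IPTABLES" "$(ssh_rule_spec "$range")"
    done
}

# Insert one rule unless it is already present: "-C" exits 0 when the rule
# exists, so re-running this on every reconnect does not stack duplicates.
# "-I" puts the rule at the head of INPUT so it precedes any DROP rule the
# killswitch appended; "-A" would land after such a rule and never match.
add_ssh_rule() {
    spec=$(ssh_rule_spec "$1")
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    if "$IPTABLES" -C $spec 2>/dev/null; then
        return 0
    fi
    # shellcheck disable=SC2086
    "$IPTABLES" -I $spec
}

# Apply the rule for every range; returns non-zero if any insert failed.
apply_ssh_rules() {
    rc=0
    for range in $LAN_RANGES; do
        add_ssh_rule "$range" || rc=1
    done
    return $rc
}

# Usage as the dietpi-vpn up script: sh /path/to/killswitch-ssh.sh apply
# ("show" only prints the commands without touching the firewall).
case "${1:-}" in
    apply) apply_ssh_rules ;;
    show)  ssh_rule_commands ;;
esac
```

Running it with `show` first lets you review the exact commands; `apply` needs root. Because the script checks with `-C` before inserting, it is safe to run on every reconnect, and restricting the match to `--ctstate NEW` on the SSH port keeps the opening as narrow as the rules quoted above.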

Re: Can't SSH after enabling dietpi-vpn killswitch

Posted: Sat Jun 26, 2021 8:44 pm
by MichaIng
I added it now like that: https://github.com/MichaIng/DietPi/comm ... ee92988080
As explained in the commit text, the OUTPUT rules limit possible SSH connections to LAN and VPN, so the additional filters, respectively adding the rule for each LAN IP range doesn't make a difference compared to the single rule, or do I overlook something?

Re: Can't SSH after enabling dietpi-vpn killswitch

Posted: Sat Jun 26, 2021 10:17 pm
by trendy
Looks good to me.