dietpi-nordvpn "killswitch" feature ?

uga
Posts: 16
Joined: Fri Mar 29, 2019 11:45 am

dietpi-nordvpn "killswitch" feature ?

Post by uga »

Hello all

I just put up the dietpi-nordvpn module on my dietpi-raspberrypi3.
The first thing I checked is whether it keeps the configuration and automatically re-establishes the connection upon reboot, and yes, it does 8) Good start.

What I would also like is a "killswitch" feature much like the windows client has.
The purpose of the game is making sure at least that certain processes, if not the entire machine, are "killed" if the nordvpn connection goes down, is disabled, or its process is killed.

The idea is being able to "rely" on the fact that this machine is "behind a vpn" and leave it working unattended, knowing that if the vpn "goes down" the machine (or at least some services inside it, e.g. torrent etc) "stops communicating".

Has anyone developed something already?
MichaIng
Site Admin
Posts: 2293
Joined: Sat Nov 18, 2017 6:21 pm

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

@uga
Many thanks for your request.

Indeed a killswitch feature would be great. Currently we have this optionally commented in our WireGuard client configs, but not yet for OpenVPN/NordVPN. The following should work:

On start:

iptables -I OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT
ip6tables -I OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT
On stop:

iptables -D OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT
ip6tables -D OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT
So all packets that are not sent via tun0 (the VPN interface) AND that are not sent to a local IP are rejected.

uga
Posts: 16
Joined: Fri Mar 29, 2019 11:45 am

Re: dietpi-nordvpn "killswitch" feature ?

Post by uga »

:?

Let me see if I understand properly: those rules should be inserted if dietpi-nordvpn is "installed" (whether nordvpn is "connected" or not), and deleted if dietpi-nordvpn is uninstalled.

This way, a dietpi machine with dietpi-nordvpn on it will be able to communicate with anything outside its LAN if and only if a nordvpn connection is up.

Right?
MichaIng
Site Admin
Posts: 2293
Joined: Sat Nov 18, 2017 6:21 pm

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

Exactly. A bit more precisely: the rejection of the packets is bound to the network interface used. tun0 is the OpenVPN interface, so as a result it needs to exist and be connected.

When you apply it is a question of how you need it:
- You could add it as start/stop hooks to the dietpi-nordvpn.service, so when manually stopping the VPN the killswitch is stopped as well.
- Or you apply it as an ifupdown hook, so it is always up as soon as any network interface is configured.

I am not yet 100% sure how we will implement it. I think we will add a switch to the DietPi-NordVPN menu to enable/disable it from boot on via an ifupdown hook.
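The two rule sets from the earlier reply, together with the start/stop and ifupdown hook options above, fit naturally into one small helper script. The following is an added example and not part of DietPi or DietPi-NordVPN; it assumes the VPN interface is tun0 (overridable via VPN_IF) and that iptables/ip6tables with the addrtype match are installed. The iptables(8) flags used (-I, -D, -C) are standard; the function names ks_rule, ks_up, ks_down and ks_status are this example's own. The important addition over the raw commands is the -C check: -I inserts a fresh copy on every call, so a hook that fires on each interface event would otherwise stack duplicate rules that -D removes only one at a time.

```shell
#!/bin/sh
# Constructed example: kill switch helper for an OpenVPN tun0 interface.
# Not DietPi code. Assumes iptables/ip6tables with the addrtype match.

VPN_IF="${VPN_IF:-tun0}"
IPTABLES="${IPTABLES:-iptables}"      # overridable, e.g. for a dry-run stub
IP6TABLES="${IP6TABLES:-ip6tables}"

# Rule spec shared by -I / -D / -C. Packets not leaving via the VPN
# interface AND not destined for a local address are rejected, so if tun0
# disappears (VPN down, process killed) the box stops talking to the outside.
ks_rule() {
    printf '%s' "OUTPUT ! -o $VPN_IF -m addrtype ! --dst-type LOCAL -j REJECT"
}

# Insert the rule only if it is not already present (idempotent: safe to run
# from repeated ifup events or service restarts without stacking duplicates).
ks_add() {
    _tool="$1"
    # shellcheck disable=SC2046  # word-splitting the rule spec is intentional
    if ! "$_tool" -C $(ks_rule) 2>/dev/null; then
        "$_tool" -I $(ks_rule)
    fi
}

# Remove every copy of the rule, in case earlier runs stacked several.
ks_del() {
    _tool="$1"
    while "$_tool" -C $(ks_rule) 2>/dev/null; do
        "$_tool" -D $(ks_rule)
    done
}

ks_up()   { ks_add "$IPTABLES"; ks_add "$IP6TABLES"; }
ks_down() { ks_del "$IPTABLES"; ks_del "$IP6TABLES"; }

# Returns 0 only when both the IPv4 and IPv6 rules are present: a cheap
# check for a cron job or monitoring that the machine really is fenced.
ks_status() {
    "$IPTABLES" -C $(ks_rule) 2>/dev/null && "$IP6TABLES" -C $(ks_rule) 2>/dev/null
}

case "${1:-}" in
    up)     ks_up ;;
    down)   ks_down ;;
    status) if ks_status; then echo "killswitch active"; else echo "killswitch NOT active"; exit 1; fi ;;
    *)      ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

To wire it in the way the reply describes, the script can be called as `killswitch.sh up` from an `ExecStartPost=` line and `killswitch.sh down` from `ExecStopPost=` in a systemd drop-in for dietpi-nordvpn.service, or copied into `/etc/network/if-up.d/` (Debian's ifupdown hook directory) so it runs as soon as any interface comes up. Both hook locations are assumptions about a Debian-based setup, not something the thread confirms DietPi uses.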
uga
Posts: 16
Joined: Fri Mar 29, 2019 11:45 am

Re: dietpi-nordvpn "killswitch" feature ?

Post by uga »

In the meanwhile I noticed that the guys at NordVpn did develop a Linux client package, which includes a killswitch and also other features.

Why didn't you simply adopt theirs? (The question might sound silly, but it's an honest one.)
MichaIng
Site Admin
Posts: 2293
Joined: Sat Nov 18, 2017 6:21 pm

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

Hmm, I first had the impression that it is a desktop GUI based client, but it is not. It does not use OpenVPN, however it is clearly more heavyweight than our solution and does not have a cmdline GUI (whiptail/dialog). But yeah, it provides a killswitch. Not sure if it allows connecting to the device directly, bypassing the VPN, to allow e.g. web application usage?

So it is indeed worth having a closer look; many thanks for providing the info. However, my aim is to make DietPi-NordVPN a more general VPN client implementation over time, to implement more VPN providers and features. Since it uses OpenVPN we can freely configure it to our needs and implement such features as enabling VPN bypass for web applications and such.