dietpi-nordvpn "killswitch" feature ?


dietpi-nordvpn "killswitch" feature ?

Post by uga »

Hello all

I just put up the dietpi-nordvpn module on my dietpi-raspberrypi3.
The first thing I checked is whether it keeps the configuration and automatically re-establishes the connection upon reboot, and yes, it does 8) Good start.

What I would also like is a "killswitch" feature much like the windows client has.
The purpose of the game is making sure that at least certain processes, if not the entire machine, are "killed" if the nordvpn connection goes down, is disabled, or its process is killed.

The idea is being able to "rely" on the fact that this machine is "behind a vpn" and leave it working unattended, knowing that if the vpn "goes down" the machine (or at least some services inside it, e.g. torrent etc) "stops communicating".

Has anyone developed something already?

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

@uga
Many thanks for your request.

Indeed a killswitch feature would be great. Currently we have this optionally commented in our WireGuard client configs, but not yet for OpenVPN/NordVPN. The following should work:

On start:

    iptables -I OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT
    ip6tables -I OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT

On stop:

    iptables -D OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT
    ip6tables -D OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j REJECT

So all packets that are not sent to tun0 (VPN interface) AND that are not sent to a local IP are rejected.
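As an added example (not DietPi's or MichaIng's code), here is the same idea implemented as a dedicated chain that can be installed and removed from a start/stop hook. It additionally allows the LAN subnet and the VPN server address explicitly, since the encrypted tunnel packets themselves leave through the physical interface, and it rejects IPv6 that does not use the tunnel. The interface name, LAN subnet, server address and chain name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not DietPi's own code): kill switch as a dedicated chain so
# the LAN and the VPN server stay reachable while all else must use the tunnel.
# Assumed inputs: tunnel interface, IPv4 LAN subnet, VPN server IPv4 address.
set -eu
CHAIN=VPN_KS   # hypothetical chain name

# IPv4 rules, one per line: $1 = tunnel interface, $2 = LAN subnet, $3 = VPN server.
# The encrypted tunnel packets leave via the physical interface, so the server
# address must be allowed or the VPN can never (re)connect; udp/67 keeps DHCP renewals.
ks_rules4() {
    printf '%s\n' \
        "-A $CHAIN -o lo -j ACCEPT" \
        "-A $CHAIN -o $1 -j ACCEPT" \
        "-A $CHAIN -m addrtype --dst-type LOCAL -j ACCEPT" \
        "-A $CHAIN -d $2 -j ACCEPT" \
        "-A $CHAIN -d $3 -j ACCEPT" \
        "-A $CHAIN -p udp --dport 67 -j ACCEPT" \
        "-A $CHAIN -j REJECT"
}
# IPv6 is not tunnelled here, so only loopback and the tunnel are allowed (LAN included).
ks_rules6() {
    printf '%s\n' "-A $CHAIN -o lo -j ACCEPT" "-A $CHAIN -o $1 -j ACCEPT" \
        "-A $CHAIN -j REJECT"
}
# $1 = iptables or ip6tables, rules on stdin; safe to run repeatedly.
ks_apply() {
    "$1" -N "$CHAIN" 2>/dev/null || "$1" -F "$CHAIN"
    while read -r rule; do "$1" $rule; done
    "$1" -C OUTPUT -j "$CHAIN" 2>/dev/null || "$1" -I OUTPUT -j "$CHAIN"
}
ks_start() {
    ks_rules4 "$1" "$2" "$3" | ks_apply iptables
    ks_rules6 "$1" | ks_apply ip6tables
}
ks_stop() {
    for ipt in iptables ip6tables; do
        "$ipt" -D OUTPUT -j "$CHAIN" 2>/dev/null || true
        "$ipt" -F "$CHAIN" 2>/dev/null || true
        "$ipt" -X "$CHAIN" 2>/dev/null || true
    done
}
# Usage: killswitch.sh start <tunnel-if> <lan-subnet> <vpn-server-ip> | stop
case "${1:-}" in
    start) ks_start "$2" "$3" "$4" ;;
    stop)  ks_stop ;;
esac
```

With OpenVPN the server address and tunnel interface are available to an up/down script as the trusted_ip and dev environment variables, so the hook can pass them straight through.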

Re: dietpi-nordvpn "killswitch" feature ?

Post by uga »

:?

Let me see if I understand properly: those rules should be inserted if dietpi-nordvpn is "installed" (whether nordvpn is "connected" or not), and deleted if dietpi-nordvpn is uninstalled.

This way, a dietpi machine with dietpi-nordvpn on it will be able to communicate with anything outside its LAN if and only if a nordvpn connection is up.

Right?

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

Exactly. A bit more precisely: the rejection of the packets is bound to the network interface used. tun0 is the OpenVPN interface, so as a result this needs to exist and be connected.

When you apply it is a question of how you need it:
- You could add it as start/stop hooks to the dietpi-nordvpn.service, so when manually stopping the VPN the killswitch is stopped as well.
- Or you apply it as an ifupdown hook, so it is always up as soon as any network interface is configured.

I am not yet 100% sure how we will implement it. I think we will add a switch to the DietPi-NordVPN menu to enable/disable it from boot on via an ifupdown hook.

Re: dietpi-nordvpn "killswitch" feature ?

Post by uga »

In the meanwhile I noticed that the guys at NordVPN did develop a Linux client package, which includes a killswitch and also other features.

Why didn't you simply adopt theirs? (The question might sound silly, but it's an honest one.)

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

Hmm, I had the impression at first that it is a desktop GUI-based client, but it is not. It does not use OpenVPN, however it is clearly more heavyweight than our solution and does not have a cmdline GUI (whiptail/dialog). But yeah, it provides a killswitch. Not sure if it allows connecting to the device directly, bypassing the VPN, to allow e.g. web application usage?

So indeed it is worth having a closer look, many thanks for providing the info. However my aim is to make DietPi-NordVPN a more general VPN client implementation over time, to implement more VPN providers and features. Since it uses OpenVPN we can freely configure it to our needs and implement such features as enabling VPN bypass for web applications and such.

Re: dietpi-nordvpn "killswitch" feature ?

Post by Treejumping »

Sorry to reopen an old post...

I am using the nordvpn app so as to utilise the wireguard connection type (the speed difference compared with ovpn being the sole reason).

I am essentially looking for either an iptables rule such as that above, or a simple script to kill a service and therefore create a de facto killswitch for deluged.

I am a linux noob, apologies.

When I add the iptables rules above (changing tun0 to nordlynx as that is the network interface name) it kills all connectivity (local and WAN); I can't even ping my router.

I note that the nordlynx interface shows 'UNKNOWN' state, not up or down, and only exists as an interface when the connection is up.

So essentially I want to either run a script to kill my deluged service if the 'nordlynx' interface does not exist, or a persistent iptables rule that will only allow WAN traffic when the nordlynx interface exists.

I had toyed with the idea of a script that only allows deluged to run when the NordVPN service is running, but the service runs even when the actual connection has been dropped.

I've seen another thread in here that uses a cron job to ping a specific interface, but tbh it was all a bit over my head!

Apologies again, I'm sure I've not explained this sufficiently well or provided specific enough information.

In summary I would like to achieve:

- LAN access for samba/ssh at all times (regardless of VPN state)
- WAN access only when the network interface 'nordlynx' exists

I'm not too concerned about having to manually restart everything if the nordlynx interface is lost; my primary concern is not to end up with deluged accessing eth0 and revealing my IP. Obviously if everything could be set up to come back online automatically then that would be great.

I have also read that the DietPi wireguard has a built-in killswitch, but I understand that I would need to manually configure access via wireguard, and at present NordVPN do not provide configuration files. Also I would like to retain the function of the nordvpn app where the 'best' server is selected, rather than permanently choosing a single server and then writing any iptables rules for that specific IP address.

Re: dietpi-nordvpn "killswitch" feature ?

Post by Treejumping »

OK, apologies for the double post (and indeed the general quality of my first post).

Anyway, I think I have successfully managed to modify a script posted by joulinar in another post to suit my needs. Basically ping google through the interface set up by the Nord app for wireguard (nordlynx).

Seems straightforward enough. I'm dumping it in cron minutely (if I wanted it more regularly I suppose I could repeat the code with sleep 15 commands between each, though I'm not sure how resource intensive this would be...)

    #!/bin/sh

    # Check the VPN tunnel "nordlynx" by pinging Google DNS through it. ping exits 0
    # only when a reply came back; grepping the summary for '0% packet loss' would
    # also match '100% packet loss', so the exit status is used instead.
    if ping -I nordlynx -q -c 1 -W 1 8.8.8.8 >/dev/null 2>&1; then
        # if-up commands
        echo "vpn up"
    else
        # if-down commands
        echo "vpn down"
    fi

thanks
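Building on the ping check above, here is an added example (not the poster's or DietPi's code) of a cron-driven watchdog that also stops deluged while the nordlynx interface is missing or dead and starts it again once the tunnel answers. The interface name, the service name and the NET_SYSFS override (which only exists so the interface check can be exercised against a fake directory) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven watchdog that stops deluged
# when the nordlynx tunnel is missing or dead and starts it again once it is back.
# Assumed names: interface nordlynx, service deluged; NET_SYSFS exists only so the
# interface check can be exercised against a fake directory.
set -eu
VPN_IF=${VPN_IF:-nordlynx}
SERVICE=${SERVICE:-deluged}
NET_SYSFS=${NET_SYSFS:-/sys/class/net}

# nordlynx only exists while connected and reports state UNKNOWN, so test for
# presence of the interface rather than its UP/DOWN flag.
iface_present() { [ -d "$NET_SYSFS/$1" ]; }

# One probe through the tunnel. ping exits 0 only on a reply; grepping the summary
# for '0% packet loss' would also match '100% packet loss'.
tunnel_alive() { ping -I "$1" -q -c 1 -W 2 8.8.8.8 >/dev/null 2>&1; }

vpn_up() { iface_present "$VPN_IF" && tunnel_alive "$VPN_IF"; }

# Pure decision table: $1 = vpn state (up/down), $2 = service state (active/inactive).
decide() {
    case "$1/$2" in
        down/active) echo stop ;;
        up/inactive) echo start ;;
        *)           echo noop ;;
    esac
}

watchdog() {
    if vpn_up; then vpn=up; else vpn=down; fi
    if systemctl is-active --quiet "$SERVICE"; then svc=active; else svc=inactive; fi
    action=$(decide "$vpn" "$svc")
    case "$action" in
        stop)  logger -t vpn-watchdog "$VPN_IF down, stopping $SERVICE"
               systemctl stop "$SERVICE" ;;
        start) logger -t vpn-watchdog "$VPN_IF up, starting $SERVICE"
               systemctl start "$SERVICE" ;;
    esac
    echo "$action"
}

# Cron line (root): * * * * * /usr/local/bin/vpn-watchdog.sh run
if [ "${1:-}" = run ]; then watchdog; fi
```

A ping watchdog only reacts after the fact, up to a minute later with cron, so it complements rather than replaces the OUTPUT rules earlier in the thread, which stop traffic leaving eth0 at all while the tunnel is gone.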

Re: dietpi-nordvpn "killswitch" feature ?

Post by Joulinar »

Thx for sharing your solution.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation.

Your DietPi Team

Re: dietpi-nordvpn "killswitch" feature ?

Post by Parkour_Lama »

Hello,

Apologies for going off-topic here, but I found this topic and had a question. For those using nordvpn on a Raspberry Pi, is it stable for you?

I used to run nordvpn on my Pi 24/7 and after 1-2 days, nordvpn would completely "freeze", or stop working. It would be eternally reconnecting, and cut off all access to the internet except whitelisted domains and ports. nordvpn disconnect, reconnect etc., nothing would work. The only way to fix it would be to kill nordvpnd.service and restart it. Is this just me?