Force system to stick to VPN only with *NIX iptables script
In order to prevent this from happening, you may use iptables on Linux/*NIX as a form of ‘killswitch’.
OpenVPN exposes a good deal of data to scripts, and lets you hook several stages of its connection process. Usefully, it takes the --route-up argument, which names a script to run (up-script.sh in the start command further down).
up-script.sh should contain shell code to be run just after the routing table has been updated, but before the connection is fully established. OpenVPN sets the environment variable $trusted_ip to the public IP address of the server it just connected to.
Here is the content of the up-script.sh:
#!/bin/sh
# Allow all traffic through the VPN tunnel interface(s).
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow loopback traffic.
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
# Allow the encrypted connection to the VPN server itself.
iptables -A INPUT -s "$trusted_ip" -j ACCEPT
iptables -A OUTPUT -d "$trusted_ip" -j ACCEPT
# Add rules to allow things like SSH access, or any other necessary iptables rules, here.
# Drop everything else.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
# Put code here to launch applications that should only be started once leak protection is in place.
Here is how you should start the VPN:
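openvpn --config /path/to/server.conf --script-security 2 --route-up /path/to/up-script.sh --daemon --log /path/to/vpn.log
The --daemon flag makes OpenVPN run in the background, and vpn.log will contain log information. The --script-security 2 option is needed for OpenVPN to run a user-defined script such as up-script.sh, and the script file must be executable.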
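The up-script.sh above appends its rules with -A, so every run adds the same rules again, and $trusted_ip goes into the rules unchecked. The following variant is an added example, not the article's own script: it validates the address and loads the same rules in a single iptables-restore commit. The function names are hypothetical, and it assumes nothing else manages this host's IPv4 filter table.

```shell
#!/bin/sh
# Added example: idempotent variant of up-script.sh (not the article's script).
# Assumption: this host's IPv4 filter table is managed only by this script,
# because iptables-restore replaces the whole table in one atomic commit.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints an iptables-restore ruleset with the same rules as the article.
# $1 = VPN server address (OpenVPN's $trusted_ip); bad input is refused.
killswitch_rules() {
    is_ipv4 "$1" || { echo "refusing invalid trusted_ip: '$1'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A INPUT -s $1 -j ACCEPT
-A OUTPUT -d $1 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# OpenVPN sets script_type=route-up when it runs this file via --route-up,
# so sourcing the file elsewhere (for example in a test) changes nothing.
if [ "${script_type:-}" = "route-up" ]; then
    rules=$(killswitch_rules "${trusted_ip:-}") || exit 1
    printf '%s\n' "$rules" | iptables-restore || exit 1
fi
```

iptables filters IPv4 only; a host with IPv6 connectivity needs an equivalent ip6tables ruleset to get the same protection.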
Voilà, that's pretty much about it. Enjoy!