
@alvarovm
Last active February 11, 2023 14:01

How to set up a KillSwitch with OpenVPN for a Raspberry Pi Zero W

A kill switch is important when you use a VPN: it makes sure that if the openvpn service stops working, your connections and other services do not fall back to your regular, trackable ISP IP address.

The following instructions use UFW to configure a firewall that prevents leaks.

Firewall setup

sudo apt install ufw

ufw disable
ufw default deny incoming
ufw default deny outgoing
ufw allow in on tun0
ufw allow out on tun0
ufw allow in on any from 192.168.0.0/24 # <-- Intranet network
ufw allow out on any from 192.168.0.0/24
ufw allow in on any from 127.0.0.1
ufw allow out on any from 127.0.0.1
ufw allow in from any to any port 1194 #<-- port needed for openvpn
ufw allow out from any to any port 1194
ufw allow in from any to any port 53 #<-- port needed for DNS
ufw allow out from any to any port 53
ufw enable

Then enable the ufw service so it starts at boot: sudo systemctl enable ufw

Check UFW setting with:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.0.0/24            
Anywhere                   ALLOW IN    127.0.0.1                 
Anywhere on tun0           ALLOW IN    Anywhere                  
53                         ALLOW IN    Anywhere                  
Anywhere on any            ALLOW IN    192.168.0.0/24            
Anywhere on any            ALLOW IN    127.0.0.1                 
1194                       ALLOW IN    Anywhere                  
Anywhere (v6) on tun0      ALLOW IN    Anywhere (v6)             
53 (v6)                    ALLOW IN    Anywhere (v6)             
1194 (v6)                  ALLOW IN    Anywhere (v6)             

Anywhere                   ALLOW OUT   Anywhere on tun0          
53                         ALLOW OUT   Anywhere                  
Anywhere                   ALLOW OUT   192.168.0.0/24 on any     
Anywhere                   ALLOW OUT   127.0.0.1 on any          
1194                       ALLOW OUT   Anywhere                  
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0     
53 (v6)                    ALLOW OUT   Anywhere (v6)             
1194 (v6)                  ALLOW OUT   Anywhere (v6) 

So that the ufw rules are still respected after a reboot, disable netfilter-persistent: sudo systemctl disable netfilter-persistent
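To audit the rule table above for egress paths that bypass the tunnel, here is an added Python checker (not part of the gist) that parses `ufw status verbose` rows and reports ALLOW OUT rules that are not pinned to tun0 and whose destination is neither the LAN/loopback nor the OpenVPN port. It assumes the VPN interface is tun0 and the LAN is 192.168.0.0/24 as in the rules above; the sample table is constructed from the gist's own output.

```python
import ipaddress
import re

VPN_IFACE = "tun0"
# Assumed: LAN and loopback may be reached outside the tunnel; 1194 is the port OpenVPN must reach first.
TRUSTED_DESTS = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]
VPN_PORTS = {"1194"}
# One row of `ufw status verbose`: To, Action+direction, From, split by 2+ spaces.
RULE_RE = re.compile(r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
                     r"(?P<dir>IN|OUT|FWD)\s{2,}(?P<frm>.+?)\s*$")
# Constructed sample: the OUT rules from the gist above plus the table header.
SAMPLE_STATUS = """\
To                         Action      From
Anywhere                   ALLOW OUT   Anywhere on tun0
53                         ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   192.168.0.0/24 on any
Anywhere                   ALLOW OUT   127.0.0.1 on any
1194                       ALLOW OUT   Anywhere
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
53 (v6)                    ALLOW OUT   Anywhere (v6)
"""

def split_endpoint(column):
    """'192.168.0.0/24 on any' -> ('192.168.0.0/24', 'any'); iface None if absent."""
    m = re.match(r"^(.*?)(?:\s+on\s+(\S+))?$", column)
    return m.group(1), m.group(2)

def dest_is_trusted(dest):
    """True only for an address/CIDR inside TRUSTED_DESTS ('Anywhere', '53' are not)."""
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return False
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_DESTS)

def egress_leak_paths(status_text):
    """ALLOW OUT rules not pinned to VPN_IFACE whose destination is neither trusted nor
    the VPN port: matching packets can leave via wlan0/eth0 while tun0 is down. Note that
    'out on any from <LAN>' restricts only the *source*, and the host's own wlan0 address
    lies in that range, so it does not confine traffic to the LAN."""
    leaks = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m["action"] != "ALLOW" or m["dir"] != "OUT":
            continue
        dest, _ = split_endpoint(m["to"])
        src, iface = split_endpoint(m["frm"])
        if iface == VPN_IFACE or dest_is_trusted(dest) or dest in VPN_PORTS:
            continue
        leaks.append((dest, src, iface or "any"))
    return leaks
```

Against the sample it reports the port 53 rules (v4 and v6) and the `from 192.168.0.0/24 on any` rule; pinning those to tun0 closes the path that can carry traffic over wlan0 while the tunnel is down.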

Disabling IPv6 and preventing DNS leaks (optional, in case the VPN does not support IPv6)

In /etc/sysctl.conf add:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1

Then reboot.

Checking OpenVPN with the kill switch

Stop the service with sudo systemctl stop openvpn, then check the interfaces:

$ ifconfig -s
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo       65536    28160      0      0 0         28160      0      0      0 LRU
wlan0     1500   649289      0      0 0        561884      0      0      0 BMRU

or ping google  # should fail, since no tun0 interface is present

sudo systemctl start openvpn

$ ifconfig -s
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo       65536    28160      0      0 0         28160      0      0      0 LRU
tun0      1500    32412      0      0 0         50774      0      0      0 MOPRU
wlan0     1500   649289      0      0 0        561884      0      0      0 BMRU

ping google  # should be ok, since traffic now leaves via tun0

sudo systemctl restart openvpn

See https://christitus.com/vpn-kill-switch/
