Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
GNU/Linux UFW VPN kill switch tutorial

GNU/Linux UFW VPN kill switch tutorial

This is a quick guide for setting up a kill switch using UFW (Uncomplicated FireWall). It is assumed you are using OpenVPN and optionally Network-Manager with network-manager-openvpn.

1. (Optional) IP Addresses

Before we can start we're going to need the IP address (or the IP addresses) of your VPN so that we can whitelist those later on, write them down. They are obviously going to be different for every VPN and VPNs with multiple servers, so I'll leave this up to you.

2. Install UFW

On some systems UFW is installed and enabled by default (Ubuntu, for example). Installation procedure is going to be different for every distribution of GNU/Linux, but it's usually something like

sudo {package-manager} {install-command} ufw

3. (Optional) Add remote protocols

In step 4 we are going to enable the firewall, but if you're remotely connected to the machine, this might kick you out of it. In order to ensure we're not kicked out we have to add the protocol rules before we enable UFW.

SSH:

sudo ufw allow 22/tcp

VNC:

sudo ufw allow 5901:5910/tcp

4. Enable UFW

sudo ufw enable

5. Block All Traffic

Block all outgoing traffic:

sudo ufw default deny outgoing

And also block all incoming traffic:

sudo ufw default deny incoming

6. Make an exception for OpenVPN

It is assumed you are using TUN as a network adapter (if you're unsure you most definitely are). Allow outgoing traffic on tun0:

sudo ufw allow out on tun0 from any to any

And optionally allow incoming traffic on tun0 (if you're a seeder, for example):

sudo ufw allow in on tun0 from any to any

Choose 7.A. or 7.B. depending on your VPN situation

7.A. (Optional) Make an exception for your VPN with a static address or range

At this point you're technically done, but with this setup you would need to disable UFW every time OpenVPN needed to connect to your VPN and then re-enable UFW when it has connected. Instead of doing that you could add the IP addresses mentioned earlier as exceptions to UFW.

To add a single IP:

sudo ufw allow out from any to 123.123.123.123

To add a range, use a mask:

sudo ufw allow out from any to 123.123.123.0/24

Go to step 8.

7.B.1 (Optional) Make another exception for OpenVPN

If you didn't follow 7.A, and your VPN service changes/rotates IP addresses you will at least need to allow OpenVPN to somehow communicate to the outside:

sudo ufw allow out 1198/udp
sudo ufw allow in 1198/udp

Here, 1198 is the port number that OpenVPN uses, but be careful as default is actually 1194, you might have to check your VPN configuration files (the line that begins with remote {server} {port} ... or a line with rport {port}) for the actual port number used. Might also need to add the same rules for tcp.

This will allow you to at least disable ufw, connect to your VPN, and then enable ufw again to turn the kill switch back on. You will, however, have to do this every time you want to connect or if you're disconnected, which isn't entirely desirable.

7.B.2 (Optional) Force OpenVPN to use a specific port when authenticating to allow reconnecting

By default, OpenVPN will use a random port when connecting to the VPN. Replace the nobind option from your VPN configuration files with bind to force OpenVPN to use the desired port (1194 by default), and add the desired port (for example port 1198). But beware; this won't work on a system with multiple VPN clients on the same host, e.g. it will only work if you connect to one VPN at a time (unless you specifically bind different ports for different VPNs, of course, but you need to be aware of this).

Example; replace nobind in a /etc/openvpn/client/{name}.conf with:

local 0.0.0.0
lport 1198
bind

The local option is required (trivia: because "the C API" - bind() always takes an address and a port number, so you can't just bind to an address alone.)

There's a high possibility openvpn will try to resolve a host address, in that case add a rule for DNS:

sudo ufw allow out 53
sudo ufw allow in 53

8. Make sure UFW starts on boot

Systems with systemd can use

sudo systemctl enable ufw

9. Reboot and check that it's working

sudo ufw status

And test your internet connection!

10. You're done!

Congratulations, you've configured a VPN Kill switch on your GNU/Linux system!

Appendix

Help! I screwed up!

Disable ufw (also remember disable on boot, if you used systemd)

sudo ufw disable

Clear all rules:

sudo ufw reset

Thanks to:

@marathone

This comment has been minimized.

Copy link

@marathone marathone commented Oct 9, 2018

Thanks for this! The above won't work for me unless I enable outgoing as default. Following your instructions to the 'T' didn't seem to work for me. My rules:
To Action From


Anywhere on tun0 ALLOW Anywhere
Anywhere (v6) on tun0 ALLOW Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
198.144.157.54 ALLOW OUT Anywhere
199.189.26.122 ALLOW OUT Anywhere
159.203.4.110 ALLOW OUT Anywhere
184.75.223.90 ALLOW OUT Anywhere
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0

@formeroosid

This comment has been minimized.

Copy link

@formeroosid formeroosid commented Feb 4, 2019

You probably need to allow your VPN connections to the outside world. The IP address solution above won't work if your VPN endpoint changes addresses. I would recommend just allowing the ports.

For OpenVPN, you would need the following:
sudo ufw allow out 1198/udp
sudo ufw allow in 1198/udp

@hrvstr

This comment has been minimized.

Copy link

@hrvstr hrvstr commented Feb 26, 2019

Step 5 does not seem to work for me. I have to disable the firewall to reconnect to my VPN.

You probably need to allow your VPN connections to the outside world. The IP address solution above won't work if your VPN endpoint changes addresses. I would recommend just allowing the ports.

For OpenVPN, you would need the following:
sudo ufw allow out 1198/udp
sudo ufw allow in 1198/udp

Also tried this without any luck.

@Necklaces

This comment has been minimized.

Copy link
Owner Author

@Necklaces Necklaces commented Mar 20, 2019

Hey guys, sorry I didn't see this until now, not getting notifications for gists apparently. I've updated the gist a bit, thanks for your input!

@nodecentral

This comment has been minimized.

Copy link

@nodecentral nodecentral commented Feb 21, 2020

Hi, I have my vpn running as a VM on my NAS , and I don’t want to break any controls/connections the NAS might need, plus I’d still like to be able to access it locally via ssh.

Being relatively new to Linux (Debian 10 specifically) how best can I see all the ports that are currently in use today ? That way I can have a list to add ones back in when/if needed ?

Also if I am connecting to the virtual machine over VNC, am I correct in saying if I do step 3 I will lose all connectivity ? If so, Is there a way to do this without losing connectivity ?

@Necklaces

This comment has been minimized.

Copy link
Owner Author

@Necklaces Necklaces commented Feb 24, 2020

@nodecentral

how best can I see all the ports that are currently in use today?

I recommend using nmap to scan for ports in use:

sudo nmap -sTU localhost

If you're scanning from another machine you need to switch localhost with the address of the machine.

There are other ways, too. On older machines netstat and newer machines ss, but the outputs of those commands are not very beginner friendly, IMO. Nmap will give you a nice simple output:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 08:27 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 1337 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
666/udp  open  satand

Then just add the ports/protocol using ufw, for example

sudo ufw allow 666/udp

I am connecting to the virtual machine over VNC, am I correct in saying if I do step 3 I will lose all connectivity ?

I believe that is true, yes. In order to go around it without losing connectivity, simply insert a step 2.5 that allows remote traffic with the protocols you're using, before you block everything else.

For SSH:

sudo ufw allow 22/tcp

For VNC (it seems VNC uses many different ports, you might have to enable more than just these):

sudo ufw allow 5901:5910/tcp

You should probably also read about VNC security, as it doesn't really have a good rep.

@nodecentral

This comment has been minimized.

Copy link

@nodecentral nodecentral commented Feb 24, 2020

Many thanks @Necklaces

A few more quick things

  1. Rather than specify individual ports ? If I trust my LAN, would it be best to add that subnet to the firewall rule ? (Would that all local IPs/Ports then ?)

  2. Can I specify my individual ufw rules first - before doing step 5 the deny/blocks all ? If the permit rules are added first in sequence, would they be preserved ?

  3. Regarding 7A, It looks like I only have domain names - not an IP address - for my VPN provider. How best can I add or facilitate that within a rule ? (I tried adding the url directly- but ufw didn’t like it/returned an error)

** sorry for all the questions - it’s just that the machine I’m looking to apply these rules to is at a remote site ; so I wouldn’t want to risk losing connectivity. **

@Necklaces

This comment has been minimized.

Copy link
Owner Author

@Necklaces Necklaces commented Feb 24, 2020

No problem, @nodecentral, these are interesting questions. Do note I am not really an expert.

  1. Sure, if you trust your LAN then go ahead and add the subnet: sudo ufw allow from 10.0.2.0/24 This should indeed allow incoming traffic to all ports from the LAN (worked sshing into a VM that only had deny all and the aforementioned allow from LAN, at least).

  2. Yep, go right ahead. All rules are preserved as they are added, you can check as you go with sudo ufw show added.

  3. It might be better to see if you need to go for 7B, but if you expect to always get the same IP from that domain you can just add it using the IP you get from pinging it: ping www.google.com (leave out the http / https part). Otherwise, it unfortunately seems to be impossible to use a url

@plasmah77

This comment has been minimized.

Copy link

@plasmah77 plasmah77 commented Aug 27, 2020

Thanks much for this tut! Pretty easy to follow and works perfect. Cheers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment