jkotra / eOVPN

OpenVPN Configuration Manager.
GNU General Public License v3.0

[Feature request] Add "VPN Kill Switch" option that automatically does the job if enabled by user #2

Closed Nokia808 closed 2 years ago

Nokia808 commented 3 years ago

Hi.

If your application will have in future a "VPN Kill Switch" option that configures itself AUTOMATICALLY when enabled, then it will be very worthwhile to try your application. Currently we need to add a custom script & add an option in the VPN configuration file to run this script (something that needs an expert user: it took me weeks to learn how to do it perfectly).

It will be very helpful if this application will have a built-in "VPN Kill Switch" option that, when enabled by the user, re-configures the VPN configuration file(s) AUTOMATICALLY to enable this much-wanted feature without the user needing to write a script by hand.

This feature should also be available in the flatpak version.

Best regards.

Nokia808 commented 3 years ago

@jkotra Hello again. Over the years I copied & saved some command-line approaches for doing this. I will paste some of them below, hoping they could help you regarding this request:

1) from the Mullvad VPN site (https://mullvad.net/en):

This will assume your network interfaces are on eth* and that you want to connect to our Swedish or Dutch servers and your DNS is set to use our public one. Add or replace the IP ranges or IP addresses to the servers you wish to use. 193.138.219.228 is for our public DNS.

sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -o tun+ -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
sudo iptables -A INPUT -s 255.255.255.255 -j ACCEPT
sudo iptables -A OUTPUT -o eth+ -p udp -m multiport --dports 53,1300:1302,1194:1197 -d 185.213.152.0/24,185.65.134.0/24,185.65.135.0/24,193.138.219.0/24,193.138.218.0/24,185.213.154.0/24 -j ACCEPT
sudo iptables -A OUTPUT -o eth+ -p tcp -m multiport --dports 53,443 -d 185.213.152.0/24,185.213.154.0/24,193.138.218.0/24,185.65.134.0/24,185.65.135.0/24,193.138.218.0/24 -j ACCEPT
sudo iptables -A OUTPUT -o eth+ ! -d 193.138.219.228 -p tcp --dport 53 -j DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -A OUTPUT -o tun+ -j ACCEPT

Kindly omit the line about DNS, because there is a tool for that, "DNSCrypt", with its GUI already available to achieve this function.

2) the following is a copy/paste from a forum from many years ago, & I did not save its URL source. Also, I'm not sure if it is really working. You need to examine it because it may be leaking the real IP & not working. I did not try it at all.

Generic kill switch script for OpenVPN Linux clients to prevent IP and DNS leaks

I'd seen some other scripts specific to VPN providers on this subreddit that required downloading lists of resolved VPN server URL IPs or hardcoding your server's IP (assuming you had a static IP for it), so I wanted to make a script that can quickly block all IP traffic to addresses outside the tunnel by determining the tunnel server's IP at runtime. This script instead automatically determines the IP address of the remote VPN server through a call to ip route show. All you have to do is run up.sh after connecting to a VPN and down.sh when you disconnect or if your connection has been lost. Edit: allow loopback interface and private local addresses, and restrict traffic to/from the VPN server to datagram traffic on the OpenVPN port (1194).

up.sh:

#!/bin/bash

# Check that OpenVPN is actually running.
if ! ps -e | grep -q openvpn; then
    echo "No active VPN session found."
    exit 1
fi

# Determine the server IP address after DNS resolution.
vpn_server_ip_address=$(ip route show | tail -1 | cut -d ' ' -f 1)

# Configure and apply the iptables policy.
iptables -F
iptables -A INPUT -i lo -j ACCEPT # Loopback.
iptables -A OUTPUT -o lo -j ACCEPT # Loopback.
iptables -A INPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT # Private local addresses.
iptables -A OUTPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT # Private local addresses.
iptables -A INPUT -i tun+ -j ACCEPT # Incoming tunnel traffic.
iptables -A OUTPUT -o tun+ -j ACCEPT # Outgoing tunnel traffic.
iptables -A INPUT -p udp --sport 1194 -s "$vpn_server_ip_address" -j ACCEPT # Incoming VPN server traffic.
iptables -A OUTPUT -p udp --dport 1194 -d "$vpn_server_ip_address" -j ACCEPT # Outgoing VPN server traffic.
iptables -A INPUT -j DROP # Block all other incoming packets.
iptables -A OUTPUT -j DROP # Block all other outgoing packets.
echo "Now only allowing traffic through the VPN server at $vpn_server_ip_address."

# Exit successfully.
exit 0

down.sh:

#!/bin/bash

# Remove the iptables policy.
iptables -F
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# Exit successfully.
exit 0

Nokia808 commented 3 years ago

@jkotra In all cases there is a very important point: if the "VPN Kill Switch" option is added in future, then when the user "exits" eOVPN, the "VPN Kill Switch" should be de-activated (if the user had activated it) & reverted completely to the non-VPN-Kill-Switch state which existed before activating "VPN Kill Switch".
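
A kill switch of the kind asked for in this thread, as an added example that is not eOVPN's code nor either of the scripts quoted above: it takes the server address from the variables OpenVPN exports to its up/down scripts instead of guessing it from the routing table, and it saves the previous ruleset so that turning the switch off restores exactly the state that existed before. Assumed: OpenVPN runs it via `up`/`down` directives with `script-security 2`, `iptables-save`/`iptables-restore` are installed, and the state file path and the `off` argument the application would pass are placeholders.

```shell
#!/bin/sh
# Added example, not eOVPN's code nor a script quoted in this issue: a
# fail-closed OpenVPN kill switch that can be reverted exactly. Assumed:
# OpenVPN runs it as --up/--down script (needs "script-security 2") and so
# exports script_type, dev (tunnel interface), trusted_ip / trusted_port
# (the server actually reached) and proto_1 (udp, tcp-client, ...).

STATE="${KILLSWITCH_STATE:-/var/lib/eovpn-killswitch.rules}"  # placeholder path

# Print a complete iptables-restore ruleset for the filter table: default
# DROP, then allow loopback, replies to flows we opened, the tunnel itself
# and the single outbound flow to the VPN server. Pure function (text only),
# reviewable/testable without root. Args: tun device, server IP, port, proto.
build_rules() {
    dev="$1"; server="$2"; port="$3"
    case "${4:-udp}" in tcp*) proto=tcp ;; *) proto=udp ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $dev -j ACCEPT
-A OUTPUT -o $dev -j ACCEPT
-A OUTPUT -p $proto -d $server --dport $port -j ACCEPT
COMMIT
EOF
}

# Enable: save the pre-kill-switch rules once (a reconnect must not overwrite
# the real original), then load the fail-closed set atomically.
killswitch_up() {
    [ -e "$STATE" ] || iptables-save > "$STATE"
    build_rules "$dev" "$trusted_ip" "$trusted_port" "$proto_1" | iptables-restore
}

# Disable: restore exactly the saved rules and forget the copy. Called by the
# application ("$0 off") when the user turns the switch off or exits; OpenVPN's
# "down" event deliberately changes nothing, so a dropped link stays blocked.
killswitch_off() {
    [ -e "$STATE" ] || return 0
    iptables-restore < "$STATE" && rm -f "$STATE"
}

case "${script_type:-${1:-}}" in
    up)  killswitch_up ;;
    off) killswitch_off ;;
esac
```

While the switch is active, name resolution outside the tunnel is blocked too, so a reconnect needs the server given as an IP in `remote` or DNS reachable through the tunnel; this is the same gap the Mullvad rules above close with their DNS entries.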

Nokia808 commented 3 years ago

I forgot the following script:

https://github.com/adrelanos/VPN-Firewall

Nokia808 commented 3 years ago

Hi again! I found the original source of the "generic script" that I already mentioned in my comment https://github.com/jkotra/eOVPN/issues/2#issuecomment-784124342 (under point 2). The original post contains a discussion which deals with the script more deeply. It seems that this "generic script" is exactly what we need! Kindly see the following link (with all the discussion's comments within it): https://www.reddit.com/r/VPN/comments/43djk3/generic_kill_switch_script_for_openvpn_linux/

I wish that it could be included & applied from within the flatpak package. Really, if it is working & could be included in your application as an option, then your application will solve a big problem for Linux users, by making things easier & more convenient!

Best regards.

ghost commented 2 years ago

@jkotra Is this going to be implemented? A kill switch option like Eddie has would be a must-have.

And thanks for making this app. For whatever reason, Eddie stopped working with my VPN and eOVPN works fine.