Question - kill switch feature

[yuriw]

Would be great to have !

[jotyGill]

"-f" or "--force-fw-rules" is the kill switch. read the readme or "--help" mate. if you want to allow access to certain ports on your local network when using the option "-f", use "--allow 22 80". 20 80 for example could be the open ports you need to access from other local machines. BTW --allow only allows access to these ports from the devices on the local network, don't use it on a cloud server.

[yuriw]

@jotyGill That's cool got it.

Would it make any difference if my local ubutnu ufw is inactive ? (sudo ufw status Status: inactive)

[jotyGill]

Yeah it's all good, It's modifying the underlying iptables, you don't need to have any firewall rules. I suggest you test it by killing the openpyn with "openpyn -k", after the connection. you souldn't be able to connect to anything. if you do "openpyn -x" this puts normal iptable roles back to allow you to normally use internet.

[yuriw]

@jotyGill it feels like simplified version of this functionality would be welcomed by novice users, something like a new argument -kill-switch yes and then more advance option with ports etc. a?

[jotyGill]

Port arguments are optional, all you need to do is: openpyn uk -f I'll try to make that clear in the description.

[Njur]

Hi if I just use openpyn uk -f --allow 22 80 443 I can't browse or anything from my other clients. I have to use the following to get it working, but that is not the right way?

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT sudo apt-get install iptables-persistent sudo netfilter-persistent save sudo systemctl enable netfilter-persistent

[jotyGill]

You seem to be using this device as a router, currently "-f" option doesn't configure/allow routing. The commands shown here seem to facilitate that functionality.

[Njur]

Hi yeah I just want to use your great script, so it should be configured as an gateway, so other clients can connect throught it but still have killswitch functionality. Is that possible?

[losdmi]

@jotyGill

I suggest you test it by killing the openpyn with "openpyn -k", after the connection. you souldn't be able to connect to anything

Tried this and it didn't work.

1. opepyn is running as a daemon
2. openpyn -k
3. openpyn.service is down
4. still can load websites

What have i done wrong?

Linux Mint 18.2, kernel 4.13.0-39-generic

[jotyGill]

This kill switch only applies when using "-f" So if you are using systemd service update it to include "-f" for example openpyn uk -f -d

[losdmi]

@jotyGill Daemon is running with -f key (--force-fw-rules)

[jotyGill]

I see, So are you killing it with openpyn -k ? if you do systemctl stop openpyn or openpyn -x that resets the IPtable rules, putting the regular config back in. (you should be able to browse) but if iptable rules are being applied properly, after a connection openpyn -k should stop the connectivity.

Check IPTable rules after the connection. sudo iptables -L -v -n

[jotyGill]

Yeah, it's a bug. the rules aren't being applied consistently, it worked sometimes and sometimes didn't.

[losdmi]

Would you fix this? If yes then when?

[jotyGill]

Yes, I will re implement the kill switch functionality, can't say exactly when. hopefully within a week.

[Njur]

Can you also implement port forwarding, since that is the most important thing missing on NordVPN.

[LastStarDust]

First of all, I want to thank the developer for providing us with this awesome piece of software! Anyway, I am experiencing some unexpected behaviour when I try to start the openpyn deamon with the -f option:

• If I kill openpyn with the -k option the internet connection is not cut at all.
• The device running openpyn is not reachable from any other devices on the same subnet but only from the internet

I know that a fix is under development, but since I need this feature very much, could you please inform me by commenting to this thread when the needed patch is uploaded to the master branch? ... so that I can compile the fixed code by myself and enjoy the fixed feature even before an official release. Thank you Jojo

[xChr11s]

Kill-switch istn't re-implemented right now or ? Otherwise it is not working for me :/

[jotyGill]

yes I did. It seems to work ok for me. what version of openpyn and what OS are you using? after running openpyn with '-f' kill the connection using openpyn -k you shouln't be able to talk to the internet without openpyn -x or by running it again with -f. You can check iptable rules after using '-f'. sudo iptables -L -v -n

[losdmi]

yes I did. It seems to work ok for me. what version of openpyn and what OS are you using? after running openpyn with '-f' kill the connection using openpyn -k you shouln't be able to talk to the internet without openpyn -x or by running it again with -f. You can check iptable rules after using '-f'. sudo iptables -L -v -n

It still not working for me on version 2.7.5

1. opepyn is running as a daemon with -f option
2. openpyn -k
3. openpyn.service is down
4. still can load websites

Maybe it is because of ExecStop=/usr/local/bin/openpyn --kill-flush in openpyn.service config? Does it really must be --kill-flush and not just --kill?

[xChr11s]

yes I did. It seems to work ok for me. what version of openpyn and what OS are you using? after running openpyn with '-f' kill the connection using openpyn -k you shouln't be able to talk to the internet without openpyn -x or by running it again with -f. You can check iptable rules after using '-f'. sudo iptables -L -v -n

Hey, sorry for my late answer, didn't got the time earlier. Did you change something in 2.7.5 which is related to kill-switch? I Updated to 2.7.5 and followed your instructions. Kill-Switch seems to work now for me 👍