jotyGill / openpyn-nordvpn

Easily connect to and switch between OpenVPN servers hosted by NordVPN on Linux (+patch leaks)
GNU General Public License v3.0

no killswitch during start and restart #197

Open hermann2971 opened 6 years ago

hermann2971 commented 6 years ago

Thanks for this great tool. I just installed it and did some tests. The killswitch works when no VPN connection is established. But during start or restart there is no blocking and all traffic goes through the standard connection. Is there any possibility to solve this issue?

Thanks a lot!

jotyGill commented 6 years ago

Cheers. Well, when we are manually starting it with the '-f' switch it needs to clear iptables rules and apply new ones. But I see what you mean. When it is restarted or the connection completely dies and openpyn has to find a new server, ideally traffic should be blocked during this time. The problem is, you can't talk to NordVPN's API or its other servers without dropping the rules. So in the current situation either we can have the functionality of being able to switch to another server when the connection dies (leaking traffic during transition) or not have the ability to auto fail-over to another server. I agree that traffic shouldn't be leaked unless at least the user manually restarts openpyn. I will rework the design to fix it.

hermann2971 commented 6 years ago

Hi, thank you for your reply. Maybe it is possible to choose if the firewall should be temporary or permanent. And if the firewall is permanent you could ping the URL of the NordVPN API to get the IP and then create an exception for iptables (maybe the IP will not change often). For permanent iptables it would also be great that stop of the service will not flush the tables. At the moment I have to change the service file manually to change behavior - just kill the connection but do not flush.

Thanks a lot

ISO-morphism commented 6 years ago

@hermann2971

> For permanent iptables it would also be great that stop of the service will not flush the tables.

I agree, and I opened an issue for it in #202. I think the ideas of using custom iptables chains, and iptables -I to insert rules at the beginning of chains will help in the auto fail-over design.
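
One way the custom-chain idea from this thread could look, as an added example that is not openpyn's code and not part of any comment above. The chain name `OPENPYN_KS`, the function names, the API exception on tcp/443 and the documentation-range addresses are all assumptions; the API address is assumed to have been resolved before the chain is locked, since DNS is blocked afterwards.

```shell
#!/bin/sh
# Added example: kill-switch rules kept in a dedicated chain (name is hypothetical).
CHAIN="OPENPYN_KS"

# Print an iptables-restore payload for the chain.
#   $1 = API IP allowed on tcp/443 (resolved earlier, before locking)
#   $2 = VPN server IP, or "" while no server is selected (fail-over / stopped)
#   $3 = VPN port, $4 = VPN protocol (udp|tcp)
ks_ruleset() {
    api_ip=$1; vpn_ip=$2; vpn_port=${3:-1194}; vpn_proto=${4:-udp}
    echo "*filter"
    # Declaring the chain makes iptables-restore --noflush empty and refill
    # only this chain, in one commit, so there is no window without a DROP.
    echo ":$CHAIN - [0:0]"
    echo "-A $CHAIN -o lo -j ACCEPT"
    echo "-A $CHAIN -o tun+ -j ACCEPT"
    echo "-A $CHAIN -d $api_ip/32 -p tcp --dport 443 -j ACCEPT"
    if [ -n "$vpn_ip" ]; then
        echo "-A $CHAIN -d $vpn_ip/32 -p $vpn_proto --dport $vpn_port -j ACCEPT"
    fi
    echo "-A $CHAIN -j DROP"
    echo "COMMIT"
}

# Load the chain and make sure OUTPUT jumps to it first (needs root).
ks_apply() {
    ks_ruleset "$@" | iptables-restore --noflush || return 1
    iptables -C OUTPUT -j "$CHAIN" 2>/dev/null || iptables -I OUTPUT 1 -j "$CHAIN"
}

# Fail-over or service stop: keep blocking; only loopback, tun and the API pass.
ks_lock()    { ks_apply "$1" ""; }
# New server chosen: swap in its address without touching any other rules.
ks_connect() { ks_apply "$1" "$2" "$3" "$4"; }

# Dry run with constructed documentation addresses; prints rules, changes nothing.
ks_ruleset 203.0.113.10 ""
ks_ruleset 203.0.113.10 198.51.100.20 1194 udp
```

This covers IPv4 only; IPv6 traffic would need the same chain loaded through `ip6tables-restore`.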

larry77 commented 5 years ago

Any progress on this? I see that NordVPN has released a Linux app, but I would like to stick to this wonderful open source project!