morpheusthewhite / nordpy

A gui application to connect automatically to the recommended NordVPN server
GNU General Public License v3.0

Whitelist SSH on LAN #37

Closed MountainX closed 4 years ago

MountainX commented 4 years ago

Describe the question Is it possible to allow other devices on the local area network to connect with SSH to the computer running NordPy while VPN is active?

Expected behavior I am hoping for a whitelist option for subnetwork and port to allow local SSH connections while the VPN is active

Desktop (please complete the following information):

Additional context The official NordVPN app for Linux is supposed to allow this feature, but it is currently not working correctly. I'm using the opportunity to find another app, and this looks like a good one.

morpheusthewhite commented 4 years ago

This should be easily feasible through an additional rule in the killswitch script

MountainX commented 4 years ago

> This should be easily feasible through an additional rule in the killswitch script

I will be happy to do testing.

morpheusthewhite commented 4 years ago

Well actually it should work without changes. Did you try?

MountainX commented 4 years ago

> Well actually it should work without changes. Did you try?

So, looking at ip-ks.sh again, I see these rules:

```sh
iptables -A INPUT --src $NETWORK_ADDRESS -j ACCEPT -i $INTERFACE
iptables -A OUTPUT -d $NETWORK_ADDRESS -j ACCEPT -o $INTERFACE
```

In this case, is $NETWORK_ADDRESS the subnet of my LAN? If so, then I can see that it should work. If you confirm my guess, I will proceed to verify by testing.

EDIT: I found the relevant code and I also think it should work without any changes. I will go ahead and test it now.

EDIT 2: yes, SSH connections on the LAN work out of the box. No changes required. Looks like all LAN traffic is permitted. Thanks.

morpheusthewhite commented 4 years ago

> So, looking at ip-ks.sh again, I see these rules:
>
> ```sh
> iptables -A INPUT --src $NETWORK_ADDRESS -j ACCEPT -i $INTERFACE
> iptables -A OUTPUT -d $NETWORK_ADDRESS -j ACCEPT -o $INTERFACE
> ```
>
> In this case, is $NETWORK_ADDRESS the subnet of my LAN? If so, then I can see that it should work. If you confirm my guess, I will proceed to verify by testing.

Exactly
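As an added example (not code from nordpy or its ip-ks.sh), the following shell check confirms what the thread concludes: the kill switch's INPUT rule admits a LAN SSH client only if the rule is present for the right subnet and interface and the client address lies inside that subnet. The `iptables -S INPUT` listing, INTERFACE and NETWORK_ADDRESS values are constructed assumptions, not taken from the project.

```shell
# Added example: verify that a kill-switch ruleset admits a LAN SSH client.
# The values below are assumed; the ruleset mimics `iptables -S INPUT`
# output (which normalises --src to -s) and is constructed for this example.
set -eu

INTERFACE="eth0"
NETWORK_ADDRESS="192.168.1.0/24"

# Constructed sample of `iptables -S INPUT` after the kill switch is active.
# Note the LAN rule accepts every protocol and port from the subnet, not
# only SSH; a narrower variant would add `-p tcp --dport 22`.
SAMPLE_RULESET='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 (IPv4 address) lies inside $2 (CIDR block), else 1.
ip_in_cidr() {
    local ip="$1" net="${2%/*}" bits="${2#*/}"
    local mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 if ruleset $1 contains an ACCEPT rule for subnet $2 on interface $3.
lan_rule_present() {
    printf '%s\n' "$1" | grep -Fxq -- "-A INPUT -s $2 -i $3 -j ACCEPT"
}

# Return 0 if an SSH client at $1 would get through the kill switch:
# the LAN accept rule must exist and the client must be inside the subnet.
ssh_client_admitted() {
    lan_rule_present "$SAMPLE_RULESET" "$NETWORK_ADDRESS" "$INTERFACE" \
        && ip_in_cidr "$1" "$NETWORK_ADDRESS"
}

# Example run: a client on the LAN is admitted, one from another subnet is not.
ssh_client_admitted 192.168.1.50 && echo "192.168.1.50: admitted"
ssh_client_admitted 10.0.0.5 || echo "10.0.0.5: blocked"
```

On a live host, replace SAMPLE_RULESET with the output of `iptables -S INPUT` to check the real ruleset.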