vpn-kill-switch / killswitch

VPN kill switch for macOS
https://vpn-kill-switch.com
BSD 3-Clause "New" or "Revised" License

syntax error on the last rule to pass all to vpn #24

Closed mwmcode closed 3 years ago

mwmcode commented 3 years ago

Hello,

I'm following https://vpn-kill-switch.com/post/pf/ and when I try to load the conf I keep getting `killswitch.pf.conf:31: syntax error`. The last line (31) is `pass on $vpn_utun1 all` (removing it solves the issue).

Full output below:

```
$ sudo pfctl -Fa -f ~/killswitch.pf.conf -e
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
dummynet cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
killswitch.pf.conf:31: syntax error  👈👇
pfctl: Syntax error in config file: pf rules not loaded
```

I'm only changing the initial variables:

```
int_en1 = "en0"
vpn_utun1 = "ipsec0"
vpn_ip = "VPN_SERVER_ADDRESS"
```

macOS Big Sur 11.0.1

nbari commented 3 years ago

Hi @mcha-dev, if you use the app:

```
killswitch -e
```

Does it return the error?

mwmcode commented 3 years ago

Hi @nbari, the app was working fine. I wanted to switch to doing it manually to have it run on system start.

nbari commented 3 years ago

Try to use the temp rules (/tmp/killswitch.pf.conf) after running `killswitch -e`; just keep in mind that you need the VPN up first.

mwmcode commented 3 years ago

When I run `killswitch -e` the last rule in the output is this:

```
pass on ipsec0 all flags S/SA keep state
```

When I change the script to match that ☝️ rule, I keep getting the same syntax error!

nbari commented 3 years ago

After running `killswitch -e`, what is the output of:

```
$ sudo pfctl -sr
```

mwmcode commented 3 years ago

```
No ALTQ support in kernel
ALTQ related functions disabled
block drop all
block drop out quick inet6 all
pass inet proto udp from any to 224.0.0.0/4 keep state
pass inet proto udp from 224.0.0.0/4 to any keep state
pass inet from any to 255.255.255.255 flags S/SA keep state
pass inet from 255.255.255.255 to any flags S/SA keep state
pass on en0 proto udp from any port 67:68 to any port 67:68 keep state
pass on en0 inet proto tcp from any to [VPN_ADDRESS] flags S/SA keep state
pass on en0 inet proto udp from any to [VPN_ADDRESS] keep state
pass on en7 proto udp from any port 67:68 to any port 67:68 keep state
pass on en7 inet proto tcp from any to [VPN_ADDRESS] flags S/SA keep state
pass on en7 inet proto udp from any to [VPN_ADDRESS] keep state
pass on ipsec0 all flags S/SA keep state
```

mwmcode commented 3 years ago

I tried using the temp configs, no luck

nbari commented 3 years ago

`killswitch -e` is loading `pass on ipsec0 all flags S/SA keep state`.

After your VPN is up and running this should be working:

```
sudo pfctl -Fa -f /tmp/killswitch.pf.conf
```

mwmcode commented 3 years ago

Thanks for your reply @nbari

But if it requires VPN to be established then will it still work on system boot up? (I ran into some other technical issues -- not related -- will try your last suggestion and update the ticket).

If you think this is not an issue with the script, should I close this? (feel free to close it yourself if you see fit)

nbari commented 3 years ago

The killswitch works as expected; what you need/want is different:

You always need the VPN up first to apply the killswitch, not the other way around. I am closing this for now; feel free to re-open it if required.
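Two things in this thread are worth automating for anyone loading the ruleset by hand: the load order nbari describes (VPN interface first, then pf), and the fact that in the `pfctl -Fa -f` output above "rules cleared" is printed before the syntax error, so a ruleset that fails to parse leaves pf with no kill-switch rules at all. The script below is an added example, not code from the killswitch project or the vpn-kill-switch.com post; it assumes the three variable names from the issue, a subset of the rules shown by `pfctl -sr`, a constructed VPN address, and the common (assumed, not confirmed in this thread) cause of a syntax error reported on the final line, a file with no trailing newline.

```shell
#!/bin/sh
# Added example, not part of the killswitch project. Builds a ruleset from the
# three variables the issue changes, checks it, dry-runs it, and only then
# flushes and loads it, after the VPN interface exists.

write_ruleset() {  # write_ruleset FILE LAN_IF VPN_IF VPN_IP (always ends in "\n")
  printf '%s\n' \
    "int_en1 = \"$2\"" \
    "vpn_utun1 = \"$3\"" \
    "vpn_ip = \"$4\"" \
    'block drop all' \
    'block drop out quick inet6 all' \
    'pass on $int_en1 proto udp from any port 67:68 to any port 67:68 keep state' \
    'pass on $int_en1 inet proto tcp from any to $vpn_ip flags S/SA keep state' \
    'pass on $int_en1 inet proto udp from any to $vpn_ip keep state' \
    'pass on $vpn_utun1 all flags S/SA keep state' > "$1"
}

# Assumption: pfctl reports "syntax error" on the last line when the file has
# no trailing newline. $(...) strips a final newline, so an empty result from
# `tail -c 1` means the last byte was "\n".
ends_with_newline() {  # ends_with_newline FILE -> 0 if ok, 1 if not
  [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# The maintainer's point: the VPN interface must exist before the rules load.
wait_for_iface() {  # wait_for_iface IFACE TIMEOUT_SECONDS -> 0 once it appears
  i=0
  while ! ifconfig "$1" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -ge "$2" ] && return 1
    sleep 1
  done
}

# Parse with -n first; flush (-Fa) and load only once the file is known good,
# so a typo cannot leave the machine with an empty ruleset.
load_ruleset() {  # load_ruleset FILE
  ends_with_newline "$1" || { echo "$1: no trailing newline" >&2; return 1; }
  sudo pfctl -n -f "$1" || return 1
  sudo pfctl -Fa -f "$1" -e
}
```

Typical use after sourcing the file: `write_ruleset ~/killswitch.pf.conf en0 ipsec0 203.0.113.1 && wait_for_iface ipsec0 60 && load_ruleset ~/killswitch.pf.conf` (203.0.113.1 is a constructed placeholder for the VPN server).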