walterl / proton-privoxy

Privoxy over ProtonVPN in Docker
MIT License
106 stars 23 forks

Maybe use iptables to implement kill switch option? #5

Open LouKordos opened 3 years ago

LouKordos commented 3 years ago

Since somehow the kill switch was not working for me inside the docker container, I looked at the protonvpn-cli source code and saw they are using plain iptables as well. So I modified the entrypoint to block everything except to LAN and the proton0 device.

Keep in mind I have hardcoded my container subnet to 172.26.0.0/16 in my docker-compose.yml for this to work, but it should be very doable to fix this. I'm just providing this as a proof of concept; please let me know if I missed anything in the rules. From my understanding, this should block all traffic outside the LAN on the main adapter and only allow that traffic through proton0.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i proton0 -j ACCEPT
iptables -A INPUT -i proton0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 1194 -j ACCEPT
iptables -A INPUT -s 172.26.0.0/16 -i eth0 -j ACCEPT
iptables -A INPUT -s 10.8.0.0/16 -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o proton0 -j ACCEPT
iptables -A OUTPUT -o proton0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -d 172.26.0.0/16 -o eth0 -j ACCEPT
iptables -A OUTPUT -d 10.8.0.0/16 -o eth0 -j ACCEPT

Since VPN users often do want their traffic to only go through the VPN tunnel, I imagine an environment variable that triggers this might be useful, maybe? I currently just have the above rules in the entrypoint script.
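The following is an added example for this thread, not code from proton-privoxy or from the comment above. It turns the posted rule set into an entrypoint fragment that derives the container subnet from its interface instead of hardcoding 172.26.0.0/16, and it tightens three points of the original rules: return traffic is matched with conntrack state rather than a rule that accepts any UDP packet whose source port happens to be 1194, the OpenVPN handshake is allowed only out of the LAN interface, and there is no unconditional ACCEPT for inbound traffic on the tunnel. The names VPN_IFACE (proton0), LAN_IFACE (eth0), VPN_PORT (1194/udp), LAN_CIDR and the KILLSWITCH_APPLY switch are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example for this thread, not proton-privoxy's own entrypoint code.
# A default-deny iptables kill switch: only loopback, the VPN interface,
# the container's own subnet and the OpenVPN handshake may leave the
# container. Assumed names: VPN_IFACE (proton0), LAN_IFACE (eth0),
# VPN_PORT (1194/udp) and the KILLSWITCH_APPLY / LAN_CIDR switches.

# First IPv4 address/prefix of an interface, e.g. "172.26.0.2/16" (needs ip(8)).
iface_cidr() {
    ip -o -4 addr show dev "$1" | awk '{print $4; exit}'
}

# Turn addr/prefix into network/prefix (172.26.0.2/16 -> 172.26.0.0/16)
# with POSIX shell arithmetic, so the subnet need not be hardcoded.
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Print the rule set for: VPN interface, LAN interface, LAN subnet, VPN port.
# Compared with the rules posted above:
#  - one conntrack rule covers replies on every interface, replacing the
#    per-interface ESTABLISHED rules and the INPUT rule that trusted any UDP
#    packet merely for having source port 1194 (trivially spoofable);
#  - the handshake rule is tied to the LAN interface, so only the OpenVPN
#    client's own UDP can leave through it before the tunnel is up;
#  - no unconditional "INPUT -i proton0 ACCEPT": nothing on the tunnel side
#    needs to initiate connections into a Privoxy container.
gen_rules() {
    vpn=$1 lan=$2 lan_cidr=$3 port=${4:-1194}
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $vpn -j ACCEPT
iptables -A OUTPUT -o $lan -p udp --dport $port -j ACCEPT
iptables -A INPUT -i $lan -s $lan_cidr -j ACCEPT
iptables -A OUTPUT -o $lan -d $lan_cidr -j ACCEPT
EOF
}

# Flush, apply, block IPv6 entirely (an IPv6 default route would bypass
# every IPv4 rule) and verify that the default OUTPUT policy really is DROP.
apply_rules() {
    set -e
    iptables -F; iptables -X
    gen_rules "$@" | sh -e
    if command -v ip6tables >/dev/null 2>&1; then
        ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
    fi
    iptables -S | grep -q '^-P OUTPUT DROP$' || { echo "kill switch not active" >&2; return 1; }
}

# Only touch the firewall when explicitly asked (needs root and CAP_NET_ADMIN,
# which the container already needs to create the tunnel device).
if [ "${KILLSWITCH_APPLY:-0}" = 1 ]; then
    lan=${LAN_IFACE:-eth0}
    apply_rules "${VPN_IFACE:-proton0}" "$lan" \
        "${LAN_CIDR:-$(cidr_network "$(iface_cidr "$lan")")}" "${VPN_PORT:-1194}"
fi
```

Run with KILLSWITCH_APPLY=1 from the entrypoint before starting the VPN client; without that variable the script only defines the functions, so it can be sourced and `gen_rules proton0 eth0 172.26.0.0/16` inspected without touching the firewall. The handshake rule still lets any UDP to port 1194 leave eth0, so a stricter variant would restrict `-d` to the resolved VPN server address once it is known.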

walterl commented 3 years ago

I'll have to go through this carefully to make sure it does what we expect. E.g. at a quick glance it seems odd to ACCEPT all traffic on an interface (line 5), and then accept established connections (line 6).

Looking at the ProtonVPN CLI source, I noticed that the kill switch can't be used together with split tunneling. I'm not sure what that is or what role it plays, so I have some research to do in this regard.

Still, thanks for bringing this to my attention. We definitely don't want the container to use any connection other than the VPN. I'm inclined to have this enabled by default.

LouKordos commented 3 years ago

Very nice, I appreciate you looking into it, since I'm not experienced with iptables at all!

BeatRoy commented 2 years ago

@walterl So if I understand correctly, the container already has a kill switch built in?

matt-laird commented 1 year ago

Yo @walterl any chance this will be implemented?

walterl commented 1 year ago

@matt-laird It's not on my radar, unfortunately.