vpnfailsafe
prevents a VPN user's ISP-assigned IP address from being exposed
on the internet, both while the VPN connection is active and when it goes down.
vpnfailsafe
doesn't affect traffic to/from private networks, or disrupt existing
firewall rules beyond its intended function.
vpnfailsafe
ensures that all traffic to/from the internet goes through the VPN.
It is meant to be executed by OpenVPN when the tunnel is established (--up), or
torn down (--down).
On --up:
On --down:
Save vpnfailsafe.sh in /etc/openvpn, make it executable and add the following lines to /etc/openvpn/\<your_provider>.conf:
script-security 2
up /etc/openvpn/vpnfailsafe.sh
down /etc/openvpn/vpnfailsafe.sh
That's it.
Since vpnfailsafe
contains the functionality of the popular
update-resolv-conf.sh script, the two don't need to be combined.
A complete configuration example is included as extras/example.conf.
Arch Linux users may choose to install the vpnfailsafe-git package from AUR instead.
vpnfailsafe
works only on Linux.
Dependencies are minimal (listed in the PKGBUILD file). Of note is
the openresolv requirement. There are at least two different, popular packages
providing the resolvconf binary, which are not compatible (one supports the
-x
switch used by vpnfailsafe
and the other does not). On distributions
where multiple implementations are available, openresolv should be chosen.
The only assumption is that the VPN server will push at least one DNS server to the client.
vpnfailsafe
does not handle ipv6 at
all. To prevent leaks, ipv6 should be disabled and/or blocked. See:
extras/disable_ipv6.conf for an example of a sysctl
config file that disables it and extras/block_ipv6.sh
for firewall rules to block it.
vpnfailsafe
has been tested with all device types and topologies supported by
OpenVPN.
This usually means that OpenVPN was executed without sufficient privileges. But if the line is followed by "Linux ip -6 addr add failed: external program exited with error status: 2", then it probably means, that ipv6 is disabled on the system, but the VPN server is pushing ipv6-related options and the client fails trying to run `ip -6' to honor them. The following two options can be added to the client config to make it ignore the ipv6-related configuration:
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "
(included in extras/example.conf)
Those errors can be ignored safely. They appear when OpenVPN tries to set up a
route, that's already been created by vpnfailsafe
. Adding the route-noexec
option will tell OpenVPN to leave routing to vpnfailsafe
and prevent those
errors from appearing.
Send the HUP signal to OpenVPN upon reconnection.
Dhcpcd users would use dhcpcd-run-hooks, NetworkManager users would use a dispatcher script (e.g.: extras/pkill_hup_openvpn).
vpnfailsafe
will revert all changes when the tunnel is closed, except for the
firewall rules. You can restore those using the init script that set the
iptables rules on boot, or by using iptables-restore, or by otherwise removing
the VPNFAILSAFE_INPUT, VPNFAILSAFE_OUTPUT and VPNFAILSAFE_FORWARD chains.
The /etc/hosts entries may eventually become stale and also require removal.
The extras/vpnfailsafe_reset.sh script can be used to achieve that.
Yes. See "How does it work ?" for more details.
That being said, if your life, job, or whatever you care about depend on your IP not leaking, consider that this script has been tested by only a handful of people. YMMV.
No. Application level leaks can still happen, via protocols like WebRTC. The user can also announce their identity to the world and no script will stop them.
Yes. vpnfailsafe
limits what kind of traffic is allowed, but only to achieve
its goals. Otherwise everything is passed through to pre-existing firewall
rules.
An example of a basic firewall is included as extras/basic_firewall.sh.
One would think so, but then one would be wrong.
What is out there are mostly "applications", with non-optional GUIs and thousands of lines of code behind them, often VPN-provider specific.
As far, as OpenVPN goes - you can check the hardening section of the official documentation.
The steps necessary to run OpenVPN as an unprivileged user can be run automatically via the openvpn-unroot script.