vpngate-with-proxy
iptables rules that block non-VPN traffic
Nice set of scripts, thanks!
It would be useful to have an option to set up iptables rules that guard traffic against non-VPN leakage. See https://github.com/sjakthol/vpngate-client/blob/master/vpngate-client , line 34 ff.
(I am still considering using user_script.sh for this purpose, yet I see an issue with that too. That is, as I understand it, case "down" gets executed on both "VPN terminated" AND "VPN broken", so flushing iptables here is not what we want. We want it to be flushed on termination but not in the event the VPN connection breaks.)
@siriusrh I'll integrate it into the next version
@siriusrh @Dragon2fly Do not break things, please! Not as the default setup, please :)
I achieve this with a special user group added to the system; then I run my own start script with sudo sg qvpn -c "python vpnproxy_cli.py $arg"
and only vpngate-with-proxy can send traffic. Of course, on system start-up there are commands to DROP all incoming and outgoing connections, e.g. iptables -I FORWARD -o eth0 -j DROP
and a command to allow traffic only for the qvpn group: iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
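As an added illustration (not code from vpngate-with-proxy or from the linked vpngate-client script), the following script ties the two points in this thread together: the group-based iptables rules quoted above, and the earlier concern that a "down" handler must remove the rules on deliberate termination but leave them in place when the VPN link simply breaks. The interface name eth0 and group qvpn are taken from the post above; the event names handed to handle_event and the DRY_RUN switch are assumptions of this example, not the project's user_script.sh interface.

```sh
#!/bin/sh
# Added example, not part of vpngate-with-proxy. A group-based "kill switch":
# only processes running under group $VPN_GROUP may send packets out of $WAN_IF;
# all other OUTPUT/FORWARD traffic on that interface is dropped. Loopback and the
# tunnel interface are untouched because the DROP rules match -o $WAN_IF only.
# With DRY_RUN=1 (the default) the iptables commands are printed, not executed.

WAN_IF="${WAN_IF:-eth0}"        # physical uplink; assumed, adjust to your host
VPN_GROUP="${VPN_GROUP:-qvpn}"  # group the VPN client is started under (sg/newgrp)
DRY_RUN="${DRY_RUN:-1}"

# Print (dry run) or execute one iptables invocation.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Install the rules. The ACCEPT for the VPN group is inserted at the head of
# OUTPUT and the DROPs are appended at the tail, so the relative order does not
# depend on rules that already exist in the chains.
killswitch_up() {
    run_ipt -I OUTPUT -o "$WAN_IF" -m owner --gid-owner "$VPN_GROUP" -j ACCEPT
    run_ipt -A OUTPUT -o "$WAN_IF" -j DROP
    run_ipt -A FORWARD -o "$WAN_IF" -j DROP
}

# Remove exactly the rules installed above (-D with the same match) instead of
# flushing whole chains, so unrelated firewall rules survive.
killswitch_down() {
    run_ipt -D OUTPUT -o "$WAN_IF" -m owner --gid-owner "$VPN_GROUP" -j ACCEPT
    run_ipt -D OUTPUT -o "$WAN_IF" -j DROP
    run_ipt -D FORWARD -o "$WAN_IF" -j DROP
}

# Hypothetical event dispatcher; the event names are an assumption of this
# example. The point: "broken" must NOT remove the rules, only a deliberate
# "terminated" does, which is the split the single "down" case lacks.
handle_event() {
    case "$1" in
        up)         killswitch_up ;;
        terminated) killswitch_down ;;
        broken)     printf 'VPN link lost, kill switch left in place\n' >&2 ;;
        *)          printf 'unknown event: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Usage: DRY_RUN=0 sh killswitch.sh up|broken|terminated   (root needed when DRY_RUN=0)
if [ -n "${1:-}" ]; then
    handle_event "$1"
fi
```

Run it once with DRY_RUN=1 to review the exact rules before applying them; because killswitch_up uses -I/-A, running it twice installs duplicate rules, so wire it to a single "up" event (or check with iptables -C first). Only the process started under the qvpn group, as in the sg command above, matches the --gid-owner rule; everything else leaving eth0 is dropped, while traffic leaving through the tunnel interface is unaffected.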