
Feature Request: Kill Switch?

Open rdegges opened this issue 1 year ago • 1 comment

This is a feature request -- it'd be really neat to have the ability to enforce a kill switch when setting up PIA, regardless of whether you're using the WireGuard or OpenVPN options.

rdegges, Dec 05 '22 03:12

Same - I tried today, setting up a killswitch with iptables rules... it was frustrating, but I know that's my fault. I looked in ca_vancouver.ovpn, the remote line, and tried to come up with two sets of rules... both failed to operate as a good killswitch:

Rules 1:

# iptables-restore format: the table header is required before the chain policies
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow local loopback device
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow local network
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -j ACCEPT

# Allow established and related incoming traffic
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow all traffic out on the VPN (tun+) interface
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

# Allow VPN connection establishment
-A OUTPUT -d 209.222.18.222/32 -j ACCEPT
-A OUTPUT -d 209.222.18.218/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT

# Reject all other outgoing traffic
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable

COMMIT

Rules 2:

# Switch to root (if not already)
sudo su

# Flush all existing rules
iptables -F

# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow local loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow local network
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/24 -j ACCEPT

# Allow established and related incoming traffic
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow all traffic out on the VPN (tun+) interface
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Allow VPN connection establishment
iptables -A OUTPUT -d 162.216.47.162/32 -j ACCEPT
iptables -A OUTPUT -d 181.41.202.171/32 -j ACCEPT
iptables -A OUTPUT -d 181.41.202.188/32 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT

# Reject all other outgoing traffic
iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable

# Verify the rules
iptables -L -v -n

# To save the rules after testing (if everything works)
iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables

I know I posted two different formats - at any rate, can anyone help me find my issue?

Paulie420, Sep 02 '23 03:09
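As an added example (not code from the manual-connections project or from either poster), the script below builds the iptables-restore ruleset for an OpenVPN kill switch directly from the `remote` and `proto` lines of the client's .ovpn file, so the allowed endpoints cannot drift from what OpenVPN actually dials. Two details differ from the hand-written sets above: the output is a complete file with the `*filter` header and `COMMIT` that iptables-restore needs, and every connection-establishment rule pins destination, protocol and port in one rule. A separate rule such as `-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT` allows UDP to port 1198 on any host outside the tunnel, and the included checker flags exactly that pattern. The LAN range (10.0.0.0/24), the `tun+` interface name and the sample addresses are assumptions constructed for this example; `resolve_host` uses `getent`, which a test can redefine to stay offline.

```shell
#!/bin/sh
# Added example (not from the manual-connections project): generate an
# iptables-restore kill-switch ruleset from an OpenVPN client config.
# Assumptions (constructed for this example): LAN 10.0.0.0/24, VPN
# interface matches tun+, IPv4 only.

# Resolve a hostname to its IPv4 addresses; IPv4 literals pass straight
# through. Redefine this function in tests to avoid network access.
resolve_host() {
    case $1 in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{print $1}' | sort -u ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# gen_killswitch <config.ovpn> [lan-cidr]  -> ruleset on stdout
gen_killswitch() {
    ovpn=$1
    lan=${2:-10.0.0.0/24}

    # OpenVPN defaults to UDP; "proto tcp", "proto tcp-client", ... mean TCP.
    proto=$(awk '$1=="proto"{print $2}' "$ovpn" | tail -n 1)
    case $proto in tcp*) proto=tcp ;; *) proto=udp ;; esac

    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '# loopback' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '# local network' "-A INPUT -s $lan -j ACCEPT" "-A OUTPUT -d $lan -j ACCEPT"
    printf '%s\n' '# replies to connections we opened'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '# anything inside the tunnel' '-A INPUT -i tun+ -j ACCEPT' '-A OUTPUT -o tun+ -j ACCEPT'

    # One rule per (server address, port) pair taken from the config's
    # "remote <host> [port]" lines; port defaults to OpenVPN's 1194.
    printf '%s\n' '# VPN connection establishment, pinned to host, proto and port'
    awk '$1=="remote" {print $2, (NF>=3 ? $3 : 1194)}' "$ovpn" |
    while read -r host port; do
        for ip in $(resolve_host "$host"); do
            printf '%s\n' "-A OUTPUT -d $ip/32 -p $proto --dport $port -j ACCEPT"
        done
    done

    printf '%s\n' '# everything else is blocked' \
        '-A OUTPUT -j REJECT --reject-with icmp-net-unreachable' 'COMMIT'
}

# check_no_port_only_allow <rules-file>: succeeds when no OUTPUT ACCEPT rule
# matches a port without also naming a destination address (the leak a bare
# "--dport 1198" rule opens).
check_no_port_only_allow() {
    ! grep -Eq -- '^-A OUTPUT( -p (udp|tcp))?( -m (udp|tcp))? --dport [0-9]+ -j ACCEPT' "$1"
}

# Stand-alone use: gen_killswitch ca_vancouver.ovpn > /etc/iptables/iptables.rules
if [ $# -gt 0 ]; then
    gen_killswitch "$@"
fi
```

Apply the output with `iptables-restore < /etc/iptables/iptables.rules` and inspect it with `iptables -L -v -n` as in the posted script. One remaining caveat: because the ruleset blocks DNS to anything outside the LAN, OpenVPN's own lookup of a `remote` hostname is blocked too unless the resolver is on the LAN; using the resolved IP literal in the config (or allowing the resolver explicitly) closes that gap without widening the port rule.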