proton-privoxy
Maybe use iptables to implement kill switch option?
Since somehow the kill switch was not working for me inside the docker container, I looked at the protonvpn-cli source code and saw they are using plain iptables as well. So I modified the entrypoint to block everything except to LAN and the `proton0` device.

Keep in mind I have hardcoded my container subnet to `172.26.0.0/16` in my `docker-compose.yml` for this to work, but it should be very doable to fix this. I'm just providing this as a proof of concept, please let me know if I missed anything in the rules. From my understanding, this should block all traffic outside LAN on the main adapter and only allow that traffic through `proton0`.
```shell
iptables -P INPUT DROP                                                        # default policy: drop all inbound
iptables -P FORWARD DROP                                                      # default policy: drop all forwarded
iptables -P OUTPUT DROP                                                       # default policy: drop all outbound
iptables -A INPUT -i lo -j ACCEPT                                             # loopback
iptables -A INPUT -i proton0 -j ACCEPT                                        # anything arriving through the tunnel
iptables -A INPUT -i proton0 -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies arriving through the tunnel
iptables -A INPUT -p udp -m udp --sport 1194 -j ACCEPT                        # replies from the OpenVPN port
iptables -A INPUT -s 172.26.0.0/16 -i eth0 -j ACCEPT                          # container subnet (hardcoded)
iptables -A INPUT -s 10.8.0.0/16 -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT                                            # loopback
iptables -A OUTPUT -o proton0 -j ACCEPT                                       # anything leaving through the tunnel
iptables -A OUTPUT -o proton0 -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies leaving through the tunnel
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT                       # the OpenVPN connection itself
iptables -A OUTPUT -d 172.26.0.0/16 -o eth0 -j ACCEPT                         # container subnet (hardcoded)
iptables -A OUTPUT -d 10.8.0.0/16 -o eth0 -j ACCEPT
```
Since VPN users often do want their traffic to only go through the VPN tunnel, I imagine an environment variable that triggers this might be useful? I currently just have the above rules in the entrypoint script.
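A variant of the ruleset above, added here as an example and not the project's own entrypoint: the rules are rendered in `iptables-restore` format so they load atomically, and the subnet and interface names come from variables instead of being hardcoded. The variable names (`CONTAINER_SUBNET`, `LAN_IF`, `VPN_IF`, `VPN_PORT`, `KILLSWITCH`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint: render the kill-switch
# ruleset in iptables-restore format so it is applied atomically (no window
# with a half-loaded policy), with the container subnet and interface names
# coming from variables instead of being hardcoded. All variable names here
# (CONTAINER_SUBNET, LAN_IF, VPN_IF, VPN_PORT, KILLSWITCH) are assumptions.
set -eu

# valid_cidr ADDR: succeed only if ADDR looks like a.b.c.d/NN.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# gen_killswitch_rules SUBNET LAN_IF VPN_IF VPN_PORT
# Default policy DROP on every chain; then allow loopback, replies to
# connections we opened (conntrack, so no separate --sport rule is needed),
# anything on the tunnel interface, the container/LAN subnet on LAN_IF, and
# the VPN connection itself (UDP to VPN_PORT) on LAN_IF.
gen_killswitch_rules() {
    subnet=$1; lan_if=$2; vpn_if=$3; port=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $vpn_if -j ACCEPT
-A INPUT -i $lan_if -s $subnet -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A OUTPUT -o $lan_if -d $subnet -j ACCEPT
-A OUTPUT -o $lan_if -p udp --dport $port -j ACCEPT
COMMIT
EOF
}

# Apply only when explicitly requested, e.g. KILLSWITCH=1 in docker-compose.
# The last OUTPUT rule still lets any UDP packet to VPN_PORT leave on LAN_IF;
# narrow it with "-d <server address>" when the VPN server address is known.
if [ "${KILLSWITCH:-0}" = "1" ]; then
    valid_cidr "${CONTAINER_SUBNET:?}" || { echo "bad CONTAINER_SUBNET" >&2; exit 1; }
    gen_killswitch_rules "$CONTAINER_SUBNET" "${LAN_IF:-eth0}" \
        "${VPN_IF:-proton0}" "${VPN_PORT:-1194}" | iptables-restore
fi
```

Run with `KILLSWITCH=0` (the default) to only define the functions, or pipe `gen_killswitch_rules` output to `iptables-restore --test` to validate the ruleset without loading it.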
I'll have to go through this carefully to make sure it does what we expect. E.g. at a quick glance it seems odd to ACCEPT all traffic on an interface (line 5), and then accept established connections (line 6).
Looking at the ProtonVPN CLI source, I noticed that the kill switch can't be used together with split tunneling. I'm not sure what that is or what role it plays, so I have some research to do in this regard.
Still, thanks for bringing this to my attention. We definitely don't want the container to use any connection other than the VPN. I'm inclined to have this enabled by default.
Very nice, I appreciate you looking into it, since I'm not experienced with iptables at all!
@walterl So if I understand correctly the container already has a kill switch built in
Yo @walterl any chance this will be implemented?
@matt-laird It's not on my radar, unfortunately.