
vpnfailsafe's Introduction

What is vpnfailsafe ?

vpnfailsafe prevents a VPN user's ISP-assigned IP address from being exposed on the internet, both while the VPN connection is active and when it goes down.

vpnfailsafe doesn't affect traffic to/from private networks, or disrupt existing firewall rules beyond its intended function.

How does it work ?

vpnfailsafe ensures that all traffic to/from the internet goes through the VPN. It is meant to be executed by OpenVPN when the tunnel is established (--up), or torn down (--down).

On --up:

  • All configured VPN server domains are resolved and saved in /etc/hosts.
  • Routes are set up, so that all traffic to the internet goes over the tunnel and networks exposed by the VPN provider are accessible.
  • /etc/resolv.conf is updated, so only the DNS servers pushed by the VPN server are used.
  • iptables rules are inserted at the beginning of INPUT, OUTPUT and FORWARD chains to ensure that the only traffic to/from the internet is between the VPN client and the VPN server.

On --down:

  • The /etc/hosts entries for VPN servers remain in place, so the VPN connection can be re-established without allowing traffic to DNS servers outside the VPN.
  • Previously added routes are removed.
  • Previous /etc/resolv.conf is restored.
  • Firewall rules remain in place, allowing only the re-establishment of the VPN tunnel.
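The firewall policy the two lists above describe, modelled as an added Python example (this is not the project's script): it classifies constructed packets the way the VPNFAILSAFE_INPUT/OUTPUT chains do, using the rule pattern visible in the "Server not pingable" issue dump further down the page. The server address is a constructed documentation IP, the tunnel peer and LAN addresses come from that dump, and the RETURN exceptions the script adds for networks exposed by the VPN provider are not modelled (assumption); the last case shows the private-network DNS caveat described in the "Potential DNS leak" issue at the end of the page.

```python
"""Model of the iptables policy vpnfailsafe installs (added example, not the
project's script). Verdicts follow the VPNFAILSAFE_INPUT/OUTPUT chain pattern
shown in the "Server not pingable" issue dump on this page."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges plus loopback: vpnfailsafe leaves these alone off-tunnel.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (OUTPUT chain) or "in" (INPUT chain)
    iface: str      # egress interface for "out", ingress interface for "in"
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    port: int = 0   # remote port: dport for "out", sport for "in"


@dataclass(frozen=True)
class Config:
    vpn_dev: str = "tun0"
    wan_dev: str = "eth0"
    server_ip: str = "198.51.100.7"   # constructed (RFC 5737), stands in for x.x.x.x
    server_port: int = 1194
    proto: str = "udp"
    peer_ip: str = "10.9.8.5"         # tunnel gateway, as in the issue dump


def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE)


def vpnfailsafe_verdict(pkt: Packet, cfg: Config) -> str:
    """Return ACCEPT, RETURN (handed to pre-existing rules) or DROP.
    Rules are checked in the order the chain dump lists them."""
    remote = pkt.dst if pkt.direction == "out" else pkt.src
    on_tun = pkt.iface == cfg.vpn_dev
    # 1. The VPN session itself, to/from the server over the WAN device.
    if (pkt.iface == cfg.wan_dev and pkt.proto == cfg.proto
            and remote == cfg.server_ip and pkt.port == cfg.server_port):
        return "ACCEPT"
    # 2. The tunnel peer is always reachable through the tunnel.
    if on_tun and remote == cfg.peer_ip:
        return "RETURN"
    # 3. Private networks off the tunnel are not vpnfailsafe's business.
    if not on_tun and is_private(remote):
        return "RETURN"
    # 4. INPUT only: private sources arriving from the tunnel are dropped
    #    (this is the DROP counter on the "tun0 10.0.0.0/8" rule in the dump).
    if on_tun and pkt.direction == "in" and is_private(remote):
        return "DROP"
    # 5. Everything else through the tunnel is handed on; off-tunnel
    #    internet traffic is exactly what the failsafe exists to stop.
    return "RETURN" if on_tun else "DROP"


def scenarios(cfg: Config = Config()) -> dict:
    """Constructed packets for the cases the README describes."""
    lan, client = "192.168.0.28", "10.9.8.6"  # LAN and tunnel addresses from the dump
    cases = {
        "vpn handshake to server": Packet("out", cfg.wan_dev, lan, cfg.server_ip, "udp", cfg.server_port),
        "server reply": Packet("in", cfg.wan_dev, cfg.server_ip, lan, "udp", cfg.server_port),
        "pushed DNS via tunnel": Packet("out", cfg.vpn_dev, client, "8.8.8.8", "udp", 53),
        "DNS leak via WAN": Packet("out", cfg.wan_dev, lan, "8.8.8.8", "udp", 53),
        "https via WAN (tunnel down)": Packet("out", cfg.wan_dev, lan, "203.0.113.10", "tcp", 443),
        "LAN printer via WAN": Packet("out", cfg.wan_dev, lan, "192.168.0.50", "tcp", 9100),
        "ping server public IP via WAN": Packet("out", cfg.wan_dev, lan, cfg.server_ip, "icmp"),
        "ping reply from 10.9.8.1 via tunnel": Packet("in", cfg.vpn_dev, "10.9.8.1", client, "icmp"),
        "LAN DNS after --down": Packet("out", cfg.wan_dev, lan, "192.168.0.1", "udp", 53),
    }
    return {name: vpnfailsafe_verdict(p, cfg) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{verdict:7} {name}")
```

The "ping server public IP via WAN" DROP is what surfaces as `ping: sendmsg: Operation not permitted` on the client, and the final case shows why a LAN-resident resolver is still reachable after --down.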

How do I install/use it ?

Save vpnfailsafe.sh in /etc/openvpn, make it executable and add the following lines to /etc/openvpn/<your_provider>.conf:

script-security 2
up /etc/openvpn/vpnfailsafe.sh
down /etc/openvpn/vpnfailsafe.sh

That's it.

Since vpnfailsafe contains the functionality of the popular update-resolv-conf.sh script, the two don't need to be combined.

A complete configuration example is included as extras/example.conf.

Arch Linux users may choose to install the vpnfailsafe-git package from AUR instead.

What are the requirements/assumptions/limitations ?

vpnfailsafe works only on Linux.

Dependencies are minimal (listed in the PKGBUILD file). Of note is the openresolv requirement. There are at least two different, popular packages providing the resolvconf binary, which are not compatible (one supports the -x switch used by vpnfailsafe and the other does not). On distributions where multiple implementations are available, openresolv should be chosen.

The only assumption is that the VPN server will push at least one DNS server to the client.

vpnfailsafe does not handle ipv6 at all. To prevent leaks, ipv6 should be disabled and/or blocked. See: extras/disable_ipv6.conf for an example of a sysctl config file that disables it and extras/block_ipv6.sh for firewall rules to block it.

vpnfailsafe has been tested with all device types and topologies supported by OpenVPN.

I'm getting an "RTNETLINK answers: Permission denied" error.

This usually means that OpenVPN was executed without sufficient privileges. But if the line is followed by "Linux ip -6 addr add failed: external program exited with error status: 2", then it probably means that ipv6 is disabled on the system, but the VPN server is pushing ipv6-related options and the client fails when it runs `ip -6` to honor them. The following two options can be added to the client config to make it ignore the ipv6-related configuration:

pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

(included in extras/example.conf)

I'm getting an "RTNETLINK answers: File exists" error every time I connect.

Those errors can be ignored safely. They appear when OpenVPN tries to set up a route that has already been created by vpnfailsafe. Adding the route-noexec option will tell OpenVPN to leave routing to vpnfailsafe and prevent those errors from appearing.

How do I make OpenVPN reconnect when the underlying network connection is re-established ?

Send the HUP signal to OpenVPN upon reconnection.

dhcpcd users would use dhcpcd-run-hooks, NetworkManager users would use a dispatcher script (e.g. extras/pkill_hup_openvpn).

How do I restore my system to the state from before running vpnfailsafe ?

vpnfailsafe will revert all changes when the tunnel is closed, except for the firewall rules. You can restore those using the init script that set the iptables rules on boot, or by using iptables-restore, or by otherwise removing the VPNFAILSAFE_INPUT, VPNFAILSAFE_OUTPUT and VPNFAILSAFE_FORWARD chains.

The /etc/hosts entries may eventually become stale and also require removal.

The extras/vpnfailsafe_reset.sh script can be used to achieve that.

Will vpnfailsafe protect me against DNS leaks ?

Yes. See "How does it work ?" for more details.

That being said, if your life, job, or whatever you care about depend on your IP not leaking, consider that this script has been tested by only a handful of people. YMMV.

Will vpnfailsafe protect me against all forms of IP leaks ?

No. Application level leaks can still happen, via protocols like WebRTC. The user can also announce their identity to the world and no script will stop them.

Do I still need to configure a firewall ?

Yes. vpnfailsafe limits what kind of traffic is allowed, but only to achieve its goals. Otherwise everything is passed through to pre-existing firewall rules.

An example of a basic firewall is included as extras/basic_firewall.sh.

Aren't there already scripts that do all that ?

One would think so, but then one would be wrong.

What is out there are mostly "applications", with non-optional GUIs and thousands of lines of code behind them, often VPN-provider specific.

What else can I do to improve my security/privacy ?

As far as OpenVPN goes, you can check the hardening section of the official documentation.

The steps necessary to run OpenVPN as an unprivileged user can be run automatically via the openvpn-unroot script.

vpnfailsafe's People

Contributors

wknapik


vpnfailsafe's Issues

Server not pingable

Setup

Own openvpn server and one openvpn client.

Issue

Using openvpn without vpnfailsafe, the vpn server is pingable. Everything is OK.
Using openvpn with vpnfailsafe, the vpn server is not pingable. Neither over VPN IP, nor by public IP or domain.

Do you have an idea, why?

Further information

These are my configs
client.conf.txt
server.conf.txt
ipp.txt

example.com: server's public domain
x.x.x.x: server's public IP
10.9.8.1: server's internal vpn ip (tun-device)

After establishing the vpn connection with vpnfailsafe, I get the following outputs on the client.

$ ping x.x.x.x
PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- x.x.x.x ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1013ms
$ ping example.com
PING example.com (x.x.x.x) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- example.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1024ms
$ ping 10.9.8.1
PING 10.9.8.1 (10.9.8.1) 56(84) bytes of data.
^C
--- 10.9.8.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3027ms
$ ip a
[...]
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
   link/none 
    inet 10.9.8.6 peer 10.9.8.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::db4a:cc4:d4dc:ebe7/64 scope link flags 800 
       valid_lft forever preferred_lft forever
$ ip route
0.0.0.0/1 via 10.9.8.5 dev tun0 
default via 192.168.0.1 dev eth0 proto static metric 600 
10.9.8.0/24 via 10.9.8.5 dev tun0 
10.9.8.5 dev tun0 proto kernel scope link src 10.9.8.6
128.0.0.0/1 via 10.9.8.5 dev tun0
x.x.x.x via 192.168.0.1 dev eth0 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.28 metric 600 
$ iptables -nvL
Chain INPUT (policy ACCEPT 8897 packets, 1667K bytes)
 pkts bytes target     prot opt in     out     source               destination         
10874 2699K VPNFAILSAFE_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 VPNFAILSAFE_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 9085 packets, 1010K bytes)
 pkts bytes target     prot opt in     out     source               destination         
11886 1830K VPNFAILSAFE_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain VPNFAILSAFE_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            127.0.0.0/8         
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            10.0.0.0/8          
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            172.16.0.0/12       
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            192.168.0.0/16      
    0     0 RETURN     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain VPNFAILSAFE_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   70 18238 ACCEPT     udp  --  eth0   *       x.x.x.x              0.0.0.0/0            udp spt:1194 ctstate RELATED,ESTABLISHED
    0     0 RETURN     all  --  tun0   *       10.9.8.5             0.0.0.0/0           
    0     0 RETURN     all  --  !tun0  *       127.0.0.0/8          0.0.0.0/0           
    0     0 RETURN     all  --  !tun0  *       10.0.0.0/8           0.0.0.0/0           
    0     0 RETURN     all  --  !tun0  *       172.16.0.0/12        0.0.0.0/0           
  883 97794 RETURN     all  --  !tun0  *       192.168.0.0/16       0.0.0.0/0           
    0     0 DROP       all  --  tun0   *       127.0.0.0/8          0.0.0.0/0           
    3   252 DROP       all  --  tun0   *       10.0.0.0/8           0.0.0.0/0           
    0     0 DROP       all  --  tun0   *       172.16.0.0/12        0.0.0.0/0           
    0     0 DROP       all  --  tun0   *       192.168.0.0/16       0.0.0.0/0           
   48 10464 RETURN     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain VPNFAILSAFE_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  110 26563 ACCEPT     udp  --  *      eth0    0.0.0.0/0            x.x.x.x       udp dpt:1194 ctstate NEW,RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      tun0    0.0.0.0/0            10.9.8.5            
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            127.0.0.0/8         
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            10.0.0.0/8          
    0     0 RETURN     all  --  *      !tun0   0.0.0.0/0            172.16.0.0/12       
  882 64250 RETURN     all  --  *      !tun0   0.0.0.0/0            192.168.0.0/16      
   93 12694 RETURN     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           
   94  7776 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Support for OpenBSD

Hello

It would be wonderful if vpnfailsafe.sh could be made to work on OpenBSD.

Thanks in advance for your time and effort.

Support for IPv6

Hi @wknapik

This is a feature request. May I ask that vpnfailsafe.sh be made to work with IPv6 as well?

Thanks.

Connection tracking?

Hi @wknapik

I wish to know if vpnfailsafe.sh is able to do the following:

iptables -A INPUT -p tcp -m tcp -m conntrack -s 1.2.3.4 -i eth0 --sport 1194 -j ACCEPT  --ctstate ESTABLISHED

If the current version of vpnfailsafe does not have it, would it be possible for you to incorporate it?

Thanks.

Antergos arch based system

I have tried your script today, installed from AUR. I'm running airvpn on the command line. When I connect to the server it seems nothing is happening. I mean nothing saved in /etc/hosts, /etc/resolv.conf is not updated, neither my iptables rules. But no errors in the console when I 'm connecting to my VPN, and no sign of vpnfailsafe on stdout. When I run the script alone it reports an error : ./vpnfailsafe.sh: ligne 26: untrusted_ip : variable sans liaison (variable without link), but maybe it's normal. T
Wed Nov 30 20:59:00 2016 OpenVPN 2.3.13 x86_64.txt
My interface is dev tun.
I have modified my connection scripts to include vpnfailsafe, so can you tell me what I did wrong ?

Custom DNS

Not sure if this is in scope, but would it be possible to route a custom DNS protocol, like DNSCrypt (supports both authenticated and anonymized DNS), over the tunnel? Or have something like described in this guide?

This could also be useful for the DNS-over-HTTPS and DNS-over-TLS protocols. These protocols only support authentication, no anonymization, though.

Not working on musl

First of all, thank you first for this script. I've been using it successfully on Void Linux with glibc for several months now.

However, when I try to use vpnfailsafe on Void Linux musl libc, openvpn will not connect. I double checked the provided AUR PKGBUILD to make sure that all dependencies are installed.

The separate project update-resolv-conf.sh works fine though. Any idea what this problem could be? The openvpn output seems to be almost the same on glibc and musl, but I can upload some logs later if that helps.

Restart pause

Hi @wknapik

I tested vpnfailsafe with many config files from VPN Gate and discovered that a weird behavior manifests itself. (The behavior in question is reproducible. It does not appear when I use config files without vpnfailsafe and config files with iptables firewall rules.)

The behavior is this: there is at least a "Restart pause, 5 seconds" before "Initialization Sequence Completed" stage is reached. With some config files, "Restart pause, 5 seconds" happened a few times before I had to terminate the connection manually.

Please find below the complete connection log:

user@home:~$ cd folder
user@home:~/folder$ sudo openvpn vpngate_86.13.109.212_tcp_1309-uk-10d.ovpn[sudo] password for user: 
Sun Dec  4 07:01:36 2016 OpenVPN 2.3.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov  3 2016
Sun Dec  4 07:01:36 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Dec  4 07:01:36 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Dec  4 07:01:36 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Dec  4 07:01:36 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Dec  4 07:01:36 2016 Attempting to establish TCP connection with [AF_INET]86.13.109.212:1309 [nonblock]
Sun Dec  4 07:01:37 2016 TCP connection established with [AF_INET]86.13.109.212:1309
Sun Dec  4 07:01:37 2016 TCPv4_CLIENT link local: [undef]
Sun Dec  4 07:01:37 2016 TCPv4_CLIENT link remote: [AF_INET]86.13.109.212:1309
Sun Dec  4 07:01:37 2016 TLS: Initial packet from [AF_INET]86.13.109.212:1309, sid=0f27c463  35d1m00
Sun Dec  4 07:01:38 2016 VERIFY OK: depth=0, CN=jwncomwcom.us, O=otnomc qontocn, C=US
Sun Dec  4 07:01:40 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec  4 07:01:40 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 07:01:40 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec  4 07:01:40 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 07:01:40 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec  4 07:01:40 2016 [jwncomwcom.us] Peer Connection Initiated with [AF_INET]86.13.109.212:1309
Sun Dec  4 07:01:42 2016 SENT CONTROL [jwncomwcom.us]: 'PUSH_REQUEST' (status=1)
Sun Dec  4 07:01:43 2016 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.13 10.211.1.14,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.14,redirect-gateway def1'
Sun Dec  4 07:01:43 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec  4 07:01:43 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec  4 07:01:43 2016 OPTIONS IMPORT: route options modified
Sun Dec  4 07:01:43 2016 OPTIONS IMPORT: route-related options modified
Sun Dec  4 07:01:43 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec  4 07:01:43 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=a1:02:d3:71:10:b3
Sun Dec  4 07:01:43 2016 TUN/TAP device tun0 opened
Sun Dec  4 07:01:43 2016 TUN/TAP TX queue length set to 100
Sun Dec  4 07:01:43 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec  4 07:01:43 2016 /sbin/ip link set dev tun0 up mtu 1500
Sun Dec  4 07:01:43 2016 /sbin/ip addr add dev tun0 local 10.211.1.13 peer 10.211.1.14
Sun Dec  4 07:01:43 2016 /etc/openvpn/vpnfailsafe.sh tun0 1500 1559 10.211.1.13 10.211.1.14 init
Sun Dec  4 07:01:57 2016 /sbin/ip route add 86.13.109.212/32 via 192.168.1.1
RTNETLINK answers: File exists
Sun Dec  4 07:01:57 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Dec  4 07:01:57 2016 /sbin/ip route add 0.0.0.0/1 via 10.211.1.14
RTNETLINK answers: File exists
Sun Dec  4 07:01:57 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Dec  4 07:01:57 2016 /sbin/ip route add 128.0.0.0/1 via 10.211.1.14
RTNETLINK answers: File exists
Sun Dec  4 07:01:57 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Dec  4 07:01:57 2016 Initialization Sequence Completed
Sun Dec  4 07:01:57 2016 Connection reset, restarting [0]
Sun Dec  4 07:01:57 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Dec  4 07:01:57 2016 Restart pause, 5 second(s)
Sun Dec  4 07:02:02 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Dec  4 07:02:02 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Dec  4 07:02:02 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Dec  4 07:02:02 2016 Attempting to establish TCP connection with [AF_INET]86.13.109.212:1309 [nonblock]
Sun Dec  4 07:02:03 2016 TCP connection established with [AF_INET]86.13.109.212:1309
Sun Dec  4 07:02:03 2016 TCPv4_CLIENT link local: [undef]
Sun Dec  4 07:02:03 2016 TCPv4_CLIENT link remote: [AF_INET]86.13.109.212:1309
Sun Dec  4 07:02:04 2016 TLS: Initial packet from [AF_INET]86.13.109.212:1309, sid=c60c149a d852f70d
Sun Dec  4 07:02:04 2016 VERIFY OK: depth=0, CN=jwncomwcom.us, O=otnomc qontocn, C=US
Sun Dec  4 07:02:06 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec  4 07:02:06 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 07:02:06 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec  4 07:02:06 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 07:02:06 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec  4 07:02:06 2016 [jwncomwcom.us] Peer Connection Initiated with [AF_INET]86.13.109.212:1309
Sun Dec  4 07:02:08 2016 SENT CONTROL [jwncomwcom.us]: 'PUSH_REQUEST' (status=1)
Sun Dec  4 07:02:08 2016 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.13 10.211.1.14,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.14,redirect-gateway def1'
Sun Dec  4 07:02:08 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec  4 07:02:08 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec  4 07:02:08 2016 OPTIONS IMPORT: route options modified
Sun Dec  4 07:02:08 2016 OPTIONS IMPORT: route-related options modified
Sun Dec  4 07:02:08 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec  4 07:02:08 2016 Preserving previous TUN/TAP instance: tun0
Sun Dec  4 07:02:08 2016 Initialization Sequence Completed

I do not need an immediate answer to the above. Please reply to my issue when you have access to the internet.

Ubuntu 18.04 LTS

Does vpnfailsafe work for Ubuntu 18.04 LTS without any issues?
I am asking this because they replaced ifupdown, resolvconf, and others with networkd, resolved, and their homegrown netplan.
Can anyone using vpnfailsafe confirm that it works on Ubuntu 18.04 LTS without issues?

resolvconf error

resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)
/etc/openvpn/vpnfailsafe.sh:79: `echo -e "${domains/ /search }\n${ns// /$'\n'nameserver }"|resolvconf -xa "$dev"' returned 99
Tue Oct 24 22:47:40 2017 us=8878 WARNING: Failed running command (--up/--down): external program exited with error status: 99
Tue Oct 24 22:47:40 2017 us=8905 Exiting due to fatal error

I get this error on Linux mint, any idea why?

Regards,
Dan

Resolv.conf keeping old dns

Hi, excellent script.

Initially I was having some issues with the routes, then I added this

route-noexec

before the script (like in your example) and it's now all working fine in regards to routes.

I don't know if I understood correctly the idea of the resolv.conf, but for me instead of just keeping the VPN dns address, it's just appending it to the config and keeping all my old ones.

Maybe it's not something that the script is doing (as when I run without the script it still does that), but maybe there's some config on my VPN that is adding it and I have to remove something or add something explicitly (like the route-noexec).

Besides that, even after editing by hand my resolv.conf and removing the other DNSs it still takes a while for it to persist. Even after that, it shows only my VPN DNS and a second one that is IP6 (this in ipleak.net), not sure if this is normal or not.

Also, you mention on the read-me a way of restoring the firewall to the previous config with an init config, can you point me where I can find it? Right now I'm removing all the rules and then re-enabling it with the GUI, it's a bit troublesome but still doable.

Thanks for this script.

Ah, forgot to mention. I'm using Arch Linux, and I have ipv6 disabled.

systemd-networkd /etc/hosts not being updated with the vpn server IP/DNS

Hi wknapik,

it's me again, hope you are doing well.

I've recently switched from using networkmanager and a dispatcher to just systemd-networkd with the openvpn service started at boot but I am having issues with vpnfailsafe and was wondering if you have ever encountered something like this (as I am having trouble figuring out what is going on).

The main issue appears to be the vpnfailsafe not inserting the vpn remote address into the /etc/hosts so when the connection goes down (say I am coming back from sleep) I am unable to connect back to the vpn unless I clear the iptables rules.

I am running arch linux with systemd-networkd and systemd-resolved and both the iptables rules and the /etc/resolved.conf are correctly updated by your script.

The args passed to the vpnfailsafe on up/down are the following:
tun0
1500
1553
XX.XX.16.5
255.255.252.0
init

and from what I can tell the vpnfailsafe never goes into this:
if remote_entries="$(getent -s dns hosts "${cnf_remote_domains[@]}"|grep -v :)"; then

I am puzzled, any help would be really appreciated :)

Thank you

not working, vpnfailsafe error

Hello, new fresh install on archlinux with openvpn. tunnel connects fine. Installed vpnfailsafe and get this:

Feb 23 15:44:09 val openvpn[550]: /etc/openvpn/vpnfailsafe.sh:132: `iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"' returned 2
Feb 23 15:44:09 val openvpn[545]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
Feb 23 15:44:09 val openvpn[545]: Exiting due to fatal error
Feb 23 15:44:09 val systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Feb 23 15:44:09 val systemd[1]: [email protected]: Failed with result 'exit-code'.

Any idea what I can try?
Thanks!

Unable to reach my localnets (missing routes in system)

I'm trying to set up the shell script on one of my LXC containers and I am facing some challenges with the way the default routes are set up. Please bear with me as I tried to make some sense of the script.

I think the problem is that when the script runs on successful openvpn connection, the "ip route add" for my localnets is not being properly setup - I think the expectation is for the following networks to be locally routed via the non-tunnel interface and via the normal gateway?

127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Before the script runs on the system, here's what my routing table looks like:

# ip route show
default via 172.32.0.1 dev eth0
172.32.0.0/24 dev eth0 proto kernel scope link src 172.32.0.89

Here's after vpnfailsafe.sh runs

# ip route show
0.0.0.0/1 via 10.7.7.1 dev tun0
default via 172.32.0.1 dev eth0
10.7.7.0/24 dev tun0 proto kernel scope link src 10.7.7.2
38.95.110.67 via 172.32.0.1 dev eth0
38.95.110.69 via 172.32.0.1 dev eth0
38.95.110.71 via 172.32.0.1 dev eth0
38.95.110.73 via 172.32.0.1 dev eth0
38.95.110.75 via 172.32.0.1 dev eth0
38.95.110.77 via 172.32.0.1 dev eth0
128.0.0.0/1 via 10.7.7.1 dev tun0
172.32.0.0/24 dev eth0 proto kernel scope link src 172.32.0.89

Here's the log from the openvpn execution:

Mon Nov 19 02:46:43 2018 TUN/TAP device tun0 opened
Mon Nov 19 02:46:43 2018 TUN/TAP TX queue length set to 100
Mon Nov 19 02:46:43 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Nov 19 02:46:43 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 19 02:46:43 2018 /sbin/ip addr add dev tun0 10.7.7.2/24 broadcast 10.7.7.255
Mon Nov 19 02:46:43 2018 /etc/openvpn/vpnfailsafe.sh tun0 1500 1586 10.7.7.2 255.255.255.0 init
Too few arguments.
Too few arguments.
Mon Nov 19 02:46:43 2018 /sbin/ip route add 38.95.110.77/32 via 172.32.0.1
RTNETLINK answers: File exists
Mon Nov 19 02:46:43 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Nov 19 02:46:43 2018 /sbin/ip route add 0.0.0.0/1 via 10.7.7.1
RTNETLINK answers: File exists
Mon Nov 19 02:46:43 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Nov 19 02:46:43 2018 /sbin/ip route add 128.0.0.0/1 via 10.7.7.1
RTNETLINK answers: File exists
Mon Nov 19 02:46:43 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Nov 19 02:46:43 2018 Initialization Sequence Completed

From the WIKI - I am not worried about "RTNETLINK answers: File exists" - I am unsure of the other errors but I think maybe the script is not working on debian because "route" command doesn't exist?

It's weird because the other routes seem to be added just fine, it just seems like my localnets are not.

POSIX instead of bash

This is a feature request.
It would be awesome to port the script to not depend on bash, but be posix compliant.

resolvconf: Error: Command not recognized

resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)
/etc/openvpn/vpnfailsafe.sh:79: `echo -e "${domains/ /search }\n${ns// /$'\n'nameserver }"|resolvconf -xa "$dev"' returned 99
WARNING: Failed running command (--up/--down): external program exited with error status: 99

Debian stretch 9.2.1
Resolvconf version 1.79

Rewrite using nftables

It seems that nftables is certainly going to be the future.

I think this could drastically simplify things too, especially when considering IPv6 support #10

Should also be noted that a couple of major distributions are now using nftables by default:

More information can be found at nftables (archwiki) and nftables (gentoo). Seems to be available for Alpine Linux too.

systemd-resolved compatibility?

Are there plans to support systemd-resolved?

Sorry, I am not too knowledgeable in this realm, but from some googling, it seems that systemd-resolved is supposed to supplant resolvconf and while the two can coexist, there might be issues.

Thoughts?

"IP-leak" before first vpn connection

Am I right that neither the main script (called by openvpn up/down) nor the extras (used manually) prevents outgoing connections (other than to the vpn server) before the first/initial openvpn connection?

I.e. if openvpn was supposed to autoconnect on boot/login, but never does so (vpn server down, systemd unit failing, etc.) then one would unknowingly be using a non-vpn connection, making one's real ip-address visible on outgoing traffic.

I suppose it is a few simple iptables calls needed to only allow connection to the vpn server on your normal interface (eth0, wlp0s1, etc.). Maybe this could be included in extras/basic_firewall.sh?

Being able to pass traffic through the wan in the table marked with a different source IP address.

There are 2 WAN interfaces.

WAN1 => fwmark 1
WAN2 => fwmark 2

lo998 has 2 different IP addresses. 127.0.88.1 will be used for WAN1, and 127.0.88.2 will be used for WAN2.

WAN1 => gateway => 1010.12.1
WAN1 => ip address => 10.10.12.254

WAN2 => gateway => 192.168.1.1
WAN2 => ip address => 192.168.1.3

When I run "ping -I 127.0.88.1 8.8.8.8", I want it to go through WAN1, and when I run "ping -I 127.0.88.2 8.8.8.8", I want it to go through WAN2. What should be the necessary iptables rules for this?

lo:998:0: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.88.1 netmask 255.255.255.255
loop txqueuelen 1000 (Local Loopback)

lo:998:1: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.88.2 netmask 255.255.255.255
loop txqueuelen 1000 (Local Loopback)

Another app is currently holding the xtables lock.

Hi,
Lately I have the following error when starting an openvpn client using vpnfailsafe.sh as up/down script:

Jan 19 09:39:17 openvpn[39322]: /etc/openvpn/vpnfailsafe.sh tun0 1500 1553 AAA.BBB.CCC.DDD 255.255.255.0 init
Jan 19 09:39:17 openvpn[39491]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jan 19 09:39:17 openvpn[39391]: /etc/openvpn/vpnfailsafe.sh:114: `iptables -N "VPNFAILSAFE_$*"' returned 4
Jan 19 09:39:17 openvpn[39322]: WARNING: Failed running command (--up/--down): external program exited with error status: 4
Jan 19 09:39:17 openvpn[39322]: Exiting due to fatal error

I am no iptables expert but as far as I understand there is a race condition somewhere and it suggests to add -w flag to (all?) iptables calls.

Should I do that to the script or is there a more elegant explanation/solution to this issue?

Thanks!

NB: As I was looking for an answer I stumbled upon this blog post that looks pretty close to my problem: https://utcc.utoronto.ca/~cks/space/blog/linux/IptablesWOptionFumbles

dns in resolv.conf different from the allowed route in iptables

Hi,
first thing first, thank you so much for the scripts and the time you spent on them, I really appreciate your work!

I have an issue that I am trying to debug without success and I would really appreciate your input on it.

When connecting to the VPN using the vpnfailsafe script I end up with a DNS server in resolv.conf of XX.XX.16.1, and if I grep for XX.XX in iptables I end up with the following:

RETURN all -- XX.XX.48.0/22 0.0.0.0/0
RETURN all -- 0.0.0.0/0 XX.XX.48.0/22

I assume this is preventing the VPN connection from accessing the DNS server assigned by the VPN provider so I get no internet connection.

Sometimes restarting the connection fixes it, but most of the time it doesn't. ip route get 8.8.8.8 returns the following:

8.8.8.8 via XX.XX.48.1 dev tun0 src XX.XX.48.9 uid 1000

Thanks in advance and keep up the great work!

Unbound variable

Below is a portion of the error message when I was trying to connect to a VPN server:

Fri Nov 25 00:00:00 2016 /etc/openvpn/vpnfailsafe.sh tap0 1502 1578 10.10.20.3 255.255.255.0 init
/etc/openvpn/vpnfailsafe.sh:38: `local -ar remote_ips=($(getent -s files hosts "${remotes[@]}"|cut -d' ' -f1))' returned 2
/etc/openvpn/vpnfailsafe.sh: line 51: remote_ips[@]: unbound variable
/etc/openvpn/vpnfailsafe.sh: line 40: remote_ips[@]: unbound variable
Fri Nov 25 00:00:00 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Fri Nov 25 00:00:00 2016 Exiting due to fatal error

Some useful information:

  1. Debian 8, 64-bit (updates applied whenever available from Debian)
  2. OpenVPN 2.3.13 (openvpn_2.3.13-jessie0_amd64.deb)
  3. resolvconf (version 1.76.1)
  4. /etc/openvpn/update-resolv-conf
  5. /etc/openvpn/vpnfailsafe.sh

Potential DNS leak after disconnection from VPN if DNS for underlying device is on private network

When the tunnel is closed, DNS settings are restored to their original state, but firewall rules prevent any outgoing traffic to the internet (other than to the VPN server). Traffic to private networks, however, is unaffected. That means that, if the current DNS server is on a private network, queries will not be blocked.

If an attacker managed to trigger a DNS query on the user's system, after disconnection from the VPN, despite the lack of internet connectivity, the user's DNS server address would be exposed.

This can be mitigated by explicitly blocking all outgoing connections to port 53, unless they exit through the VPN tunnel. There are legitimate use cases where this would not be desirable, but those should be rare in practice and don't offer enough of an argument against the mitigation.
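The mitigation proposed in this post, combined with the lock handling the "Another app is currently holding the xtables lock" report above asks about, as an added example in POSIX sh that is not vpnfailsafe's own code. It assumes the tunnel device name is the script's first argument (as OpenVPN passes it to --up/--down scripts), uses a hypothetical chain name DNS_GUARD, and defaults to a dry run (DRY_RUN=1) that prints the iptables commands instead of executing them; set DRY_RUN=0 and run as root to apply.

```shell
#!/bin/sh
# Added example; not vpnfailsafe's own code. Drops every outbound DNS packet
# that does not leave through the tunnel (LAN resolvers included, which is the
# hole a private-network exemption leaves) and takes the xtables lock with -w,
# so a concurrent iptables caller cannot make an --up script exit with status 4.
#
# Assumptions, not taken from the page: $1 is the tunnel device as OpenVPN
# passes it; the chain name DNS_GUARD is hypothetical; DRY_RUN=1 (default)
# prints the commands so the rule set can be reviewed without root.

DRY_RUN="${DRY_RUN:-1}"
CHAIN="DNS_GUARD"

# wait_flag BIN: "-w" if this iptables/ip6tables knows --wait, else empty.
# --wait exists since iptables 1.4.20; probing -h output needs no root.
wait_flag() {
    if "$1" -h 2>&1 | grep -q -- '--wait'; then
        echo "-w"
    fi
}

# ipt BIN ARGS...: run one iptables command while holding the xtables lock.
ipt() {
    bin="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$bin" "$*"
        return 0
    fi
    "$bin" $(wait_flag "$bin") "$@"
}

# dns_guard_add TUN: install the guard for both address families.
dns_guard_add() {
    tun="$1"
    for bin in iptables ip6tables; do
        # Own chain: identifiable in -L output and removable as a unit.
        ipt "$bin" -N "$CHAIN"
        # Only DNS that exits through the tunnel may pass.
        ipt "$bin" -A "$CHAIN" -o "$tun" -p udp --dport 53 -j RETURN
        ipt "$bin" -A "$CHAIN" -o "$tun" -p tcp --dport 53 -j RETURN
        # REJECT rather than DROP: resolvers fail at once instead of
        # retrying until they time out.
        ipt "$bin" -A "$CHAIN" -p udp --dport 53 -j REJECT
        ipt "$bin" -A "$CHAIN" -p tcp --dport 53 -j REJECT
        # Position 1 so it precedes any accept rule for private networks.
        ipt "$bin" -I OUTPUT 1 -j "$CHAIN"
    done
}

# dns_guard_del: mirror image for the --down path.
dns_guard_del() {
    for bin in iptables ip6tables; do
        ipt "$bin" -D OUTPUT -j "$CHAIN"
        ipt "$bin" -F "$CHAIN"
        ipt "$bin" -X "$CHAIN"
    done
}

# dns_guard_count TUN: number of commands dns_guard_add would issue.
dns_guard_count() {
    DRY_RUN=1 dns_guard_add "$1" | wc -l | tr -d ' '
}

# usage: ./dns_guard.sh tun0 add|del   (DRY_RUN=0 to apply, as root)
case "${2:-}" in
    add) dns_guard_add "$1" ;;
    del) dns_guard_del ;;
esac
```

This covers classic DNS on port 53 only, which is what the post proposes; DNS over TLS (853) or over HTTPS would need rules of their own. Because iptables -w blocks until the lock is free, an --up script that uses it cannot fail with status 4 on a busy machine; on iptables older than 1.4.20, where --wait does not exist, the wrapper simply omits the flag.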

openwrt version

Looks like a great script; it would be nice to have a version of it for OpenWrt. I think it might need a bit of modification, as OpenWrt is quite minimal and doesn't have getent. Please consider it :) thanks!

Support for TAP device

Hello,

Would it be possible for vpnfailsafe.sh to work with TAP device as well?

Thanks for your work on a fine script.

/etc/openvpn/vpnfailsafe.sh:79: `echo -e "${domains/ /search }\n${ns// /$'\n'nameserver }"|resolvconf -xa "$dev"' returned 99

When running openvpn /etc/openvpn/myconf.conf got this
...
Fri Sep 22 17:25:18 2017 /etc/openvpn/vpnfailsafe.sh tun0 1500 1602 10.8.0.2 255.255.255.0 init
resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)
/etc/openvpn/vpnfailsafe.sh:79: `echo -e "${domains/ /search }\n${ns// /$'\n'nameserver }"|resolvconf -xa "$dev"' returned 99
Fri Sep 22 17:25:18 2017 WARNING: Failed running command (--up/--down): external program exited with error status: 99

Problem during connection.

Hi!
I'm trying to use the script, but something goes wrong during connection.
I installed via AUR.
The output of openvpn after the init of vpnfailsafe.sh is:
/usr/lib/resolvconf/libc: line 230: /etc/resolv.conf: No such file or directory
Fri Jun 16 09:25:20 2017 /usr/bin/ip route add "VPN IP"/32 via 192.168.0.1
RTNETLINK answers: File exists

The connection never completes and I have no access to the internet.
What should I do?
Thanks!

Option to restore system as before --up was called

Your script is used in https://github.com/nstinus/nordvpn.

In our use case, people may want to use vpnfailsafe to ensure that an active service whose connection drops is still safe, but also to have the option of stopping the openvpn service, in which case they might want to return to how things were before and still be able to connect to the internet. That means doing some things the documentation explicitly mentions as not being done (removal of firewall rules and so on).
Is it reasonable? Is there a reason why it is not implemented?

Auto re-connect every time the connection drops.

Hi! I've been using the script since a while and it works great, thank you!
But every time my Wifi connection drops, I need to manually invoke a "clear iptables" script, followed by the openvpn command with the vpnfailsafe script included:
sudo openvpn --config config.ovpn --script-security 2 --up /etc/openvpn/vpnfailsafe.sh --down /etc/openvpn/vpnfailsafe.sh
Is there any way to automate this process when the connection is lost?
Thanks again!

pi@raspberrypi:~ $ curl ipinfo.io/ip curl: (6) Could not resolve host: ipinfo.io

Fresh install, works fine without vpnfailsafe, whenever I run it with vpnfailsafe I get:
pi@raspberrypi:~ $ curl ipinfo.io/ip
curl: (6) Could not resolve host: ipinfo.io
log:
root@raspberrypi:~# sudo openvpn --config /etc/openvpn/default.conf
Wed Apr 18 01:07:22 2018 Unrecognized option or missing or extra parameter(s) in /etc/openvpn/default.conf:20: block-outside-dns (2.4.0)
Wed Apr 18 01:07:22 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Apr 18 01:07:22 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Wed Apr 18 01:07:22 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Apr 18 01:07:22 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 18 01:07:22 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 18 01:07:22 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]35.196.104.252:1194
Wed Apr 18 01:07:22 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Apr 18 01:07:22 2018 UDP link local: (not bound)
Wed Apr 18 01:07:22 2018 UDP link remote: [AF_INET]35.196.104.252:1194
Wed Apr 18 01:07:22 2018 TLS: Initial packet from [AF_INET]35.196.104.252:1194, sid=053647db f02a61dd
Wed Apr 18 01:07:22 2018 VERIFY OK: depth=1, CN=cn_triZgPlvbe8lMIUF
Wed Apr 18 01:07:22 2018 Validating certificate key usage
Wed Apr 18 01:07:22 2018 ++ Certificate has key usage 00a0, expects 00a0
Wed Apr 18 01:07:22 2018 VERIFY KU OK
Wed Apr 18 01:07:22 2018 Validating certificate extended key usage
Wed Apr 18 01:07:22 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Apr 18 01:07:22 2018 VERIFY EKU OK
Wed Apr 18 01:07:22 2018 VERIFY X509NAME OK: CN=server_GizGQKWqXhHCzsNt
Wed Apr 18 01:07:22 2018 VERIFY OK: depth=0, CN=server_GizGQKWqXhHCzsNt
Wed Apr 18 01:07:23 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 3072 bit RSA
Wed Apr 18 01:07:23 2018 [server_GizGQKWqXhHCzsNt] Peer Connection Initiated with [AF_INET]35.196.104.252:1194
Wed Apr 18 01:07:24 2018 SENT CONTROL [server_GizGQKWqXhHCzsNt]: 'PUSH_REQUEST' (status=1)
Wed Apr 18 01:07:24 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 9.9.9.9,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.5 255.255.255.0'
Wed Apr 18 01:07:24 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 18 01:07:24 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 18 01:07:24 2018 OPTIONS IMPORT: route options modified
Wed Apr 18 01:07:24 2018 OPTIONS IMPORT: route-related options modified
Wed Apr 18 01:07:24 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 18 01:07:24 2018 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 18 01:07:24 2018 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 18 01:07:24 2018 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 18 01:07:24 2018 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 18 01:07:24 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:f1:f9:09
Wed Apr 18 01:07:24 2018 TUN/TAP device tun1 opened
Wed Apr 18 01:07:24 2018 TUN/TAP TX queue length set to 100
Wed Apr 18 01:07:24 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Apr 18 01:07:24 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Apr 18 01:07:24 2018 /sbin/ip addr add dev tun1 10.8.0.5/24 broadcast 10.8.0.255
Wed Apr 18 01:07:24 2018 /etc/openvpn/vpnfailsafe.sh tun1 1500 1569 10.8.0.5 255.255.255.0 init
Too few arguments.
Too few arguments.
Wed Apr 18 01:07:24 2018 /sbin/ip route add 35.196.104.252/32 via 192.168.1.1
RTNETLINK answers: File exists
Wed Apr 18 01:07:24 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Apr 18 01:07:24 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
RTNETLINK answers: File exists
Wed Apr 18 01:07:24 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Apr 18 01:07:24 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
RTNETLINK answers: File exists
Wed Apr 18 01:07:24 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Apr 18 01:07:24 2018 Initialization Sequence Completed

original iptables

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

NetworkManager

Does this script work with the OpenVPN plugin for NetworkManager?

Error log - Fatal error up script - vpnfailsafe.sh:104

Hi, this script seems what I was looking for, but have some issues on my Linux Mint - Open VPN.
At the end of the log you will find an error with the iptables command.

All dependencies referred to in the PACKAGE were installed & updated.
If I could supply any other information, just ask.

Thanks in advance for your work !!

Log

Sun Oct 16 14:11:22 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Oct 16 14:11:22 2016 WARNING: file '/etc/openvpn/userauth.txt' is group or others accessible
Sun Oct 16 14:11:22 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Oct 16 14:11:22 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Oct 16 14:11:22 2016 UDPv4 link local: [undef]
Sun Oct 16 14:11:22 2016 UDPv4 link remote: [AF_INET]99.99.99.99:53
Sun Oct 16 14:11:22 2016 TLS: Initial packet from [AF_INET]99.99.99.99:53, sid=03dc4848 6d1e7f00
Sun Oct 16 14:11:22 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 16 14:11:22 2016 VERIFY OK: depth=1, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=changeme, name=changeme, emailAddress=[email protected]
Sun Oct 16 14:11:22 2016 VERIFY OK: nsCertType=SERVER
Sun Oct 16 14:11:22 2016 Validating certificate key usage
Sun Oct 16 14:11:22 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Oct 16 14:11:22 2016 VERIFY KU OK
Sun Oct 16 14:11:22 2016 Validating certificate extended key usage
Sun Oct 16 14:11:22 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 16 14:11:22 2016 VERIFY EKU OK
Sun Oct 16 14:11:22 2016 VERIFY OK: depth=0, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=server, name=changeme, emailAddress=[email protected]
Sun Oct 16 14:11:26 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1585'
Sun Oct 16 14:11:26 2016 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Oct 16 14:11:26 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Oct 16 14:11:26 2016 Data Channel Encrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Sun Oct 16 14:11:26 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Oct 16 14:11:26 2016 Data Channel Decrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Sun Oct 16 14:11:26 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Oct 16 14:11:26 2016 [server] Peer Connection Initiated with [AF_INET]99.99.99.99:53
Sun Oct 16 14:11:28 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 16 14:11:29 2016 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 111.22.33.1,redirect-gateway def1,block-outside-dns,route-gateway 111.22.33.1,topology subnet,ping 10,ping-restart 160,ifconfig 111.22.33.114 255.255.255.0'
Sun Oct 16 14:11:29 2016 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.3.2)
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: route options modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: route-related options modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Oct 16 14:11:29 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:c2:06:39
Sun Oct 16 14:11:29 2016 TUN/TAP device tun0 opened
Sun Oct 16 14:11:29 2016 TUN/TAP TX queue length set to 100
Sun Oct 16 14:11:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 16 14:11:29 2016 /sbin/ip link set dev tun0 up mtu 1500
Sun Oct 16 14:11:29 2016 /sbin/ip addr add dev tun0 111.22.33.114/24 broadcast 111.22.33.255
Sun Oct 16 14:11:29 2016 /etc/openvpn/vpnfailsafe.sh tun0 1500 1586 111.22.33.114 255.255.255.0 init
iptables v1.4.21: unknown protocol "tcp-client" specified
Try `iptables -h' or 'iptables --help' for more information.
/etc/openvpn/vpnfailsafe.sh:104: `iptables -A "VPNFAILSAFE_$*" -p "${!proto}" -"$sd" "$remote" --"$sd"port "${!port}"' returned 2
Sun Oct 16 14:11:30 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 2
Sun Oct 16 14:11:30 2016 Exiting due to fatal error

OpenVPN Config

# This is just an example client config. vpnfailsafe should work with most
# configurations using `dev tun'.
client
dev tun
proto udp
# Static IP of the VPN server
remote 111.22.333.44 1194
cipher AES-256-CBC
# Omitting route-noexec, or even using `redirect-gateway def1', should make no
# practical difference, but this is cleaner.
route-noexec
nobind
persist-key
persist-tun
auth-user-pass /etc/openvpn/auth.txt
ns-cert-type server
cipher AES-256-CBC
auth SHA384
server-poll-timeout 3
comp-lzo
verb 3
remote-cert-tls server
ping-restart 60
script-security 2
up /etc/openvpn/vpnfailsafe.sh
down /etc/openvpn/vpnfailsafe.sh
<ca>
-----BEGIN CERTIFICATE-----
yyy
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
zzz
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
<connection>
remote br.sss.com
port 53
proto udp
explicit-exit-notify 1
</connection>
<connection>
remote br.sss.com
port 443
proto tcp
</connection>
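An added example (not vpnfailsafe's code) of the step the quoted line 104 performs: building the allow rules for one remote from OpenVPN's proto_N / remote_N / remote_port_N environment, with the proto value normalised to what iptables -p accepts. OpenVPN names a client-side TCP connection tcp-client in proto_N, which is why iptables rejects it in the log above. Assumed here, and not taken from the page: the udp4/udp6/tcp4-/tcp6- names OpenVPN 2.4 added are folded to plain udp/tcp (choosing iptables versus ip6tables is left to the caller), the chain prefix and the 192.0.2.10 sample address are made up, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not vpnfailsafe's own code. Derives the INPUT/OUTPUT allow
# pair for one OpenVPN remote and normalises proto_N first, so that a value
# such as "tcp-client" never reaches iptables -p.
#
# Assumptions, not from the page: proto_N, remote_N and remote_port_N are set
# in the environment as OpenVPN documents for --up scripts; the chain prefix
# is hypothetical; address family (iptables vs ip6tables) is the caller's job.

# norm_proto VALUE: the iptables -p name for an OpenVPN proto_N value.
norm_proto() {
    case "$1" in
        tcp|tcp4|tcp6|tcp-client|tcp4-client|tcp6-client|tcp-server|tcp4-server|tcp6-server)
            echo tcp ;;
        udp|udp4|udp6)
            echo udp ;;
        *)
            echo "norm_proto: unsupported proto '$1'" >&2
            return 1 ;;
    esac
}

# resolve_host NAME: addresses for NAME. A dotted-quad literal is used as-is;
# names are looked up through the files NSS source only (/etc/hosts), which is
# where the --up step pinned the server addresses.
resolve_host() {
    case "$1" in
        *[!0-9.]*) getent -s files hosts "$1" | cut -d' ' -f1 ;;
        *) echo "$1" ;;
    esac
}

# remote_rules PREFIX N: print the two allow rules for remote number N,
# read from remote_N / remote_port_N / proto_N. Returns 1 on an incomplete
# remote or an unsupported protocol, so a caller under set -e stops rather
# than installing half a rule set.
remote_rules() {
    prefix="$1"; n="$2"
    eval "host=\${remote_$n:-}; port=\${remote_port_$n:-}; proto=\${proto_$n:-}"
    if [ -z "$host" ] || [ -z "$port" ] || [ -z "$proto" ]; then
        echo "remote_rules: remote_$n is incomplete" >&2
        return 1
    fi
    p=$(norm_proto "$proto") || return 1
    for ip in $(resolve_host "$host"); do
        # Outbound: to the server (-d, --dport); inbound: from it (-s, --sport).
        echo "iptables -A ${prefix}_OUTPUT -p $p -d $ip --dport $port -j ACCEPT"
        echo "iptables -A ${prefix}_INPUT -p $p -s $ip --sport $port -j ACCEPT"
    done
}
```

Because names go through the files source only, a remote given as a hostname is looked up in /etc/hosts; if nothing is pinned there the function emits no rules, which is safer than quietly falling back to a resolver the firewall may not be able to reach.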

Allow connections to DNS servers outside the private IP range of the VPN the user connects to

My system is arch linux. I incorporated vpnfailsafe into openvpn but I can't ping or drill after I connect with openvpn:

[alp@archlinux ~]$ ping -v -c 1 -n google.com
ping: socket: Permission denied, attempting raw socket...
ping: socket: Permission denied, attempting raw socket...
ping: google.com: Name or service not known
[alp@archlinux ~]$ drill
Error: error sending query: Could not send or receive, because of network error

Traffic to vpn's dns server is routed through tun0 but I can't ping nameserver also:

[alp@archlinux ~]$ resolvconf -l
# resolv.conf from tun0
nameserver [ip]
[alp@archlinux ~]$ ip route get [ip]
[ip] via [ip1] dev tun0 src [ip2] uid 1000 
    cache

I know that the problem is related to vpnfailsafe because I can ping successfully if I remove vpnfailsafe and connect.

vpnfailsafe.sh fails with "unbound variable"

Hi, I'm trying to use this script with my Private Internet Access configs, provided by the AUR package private-internet-access-git - one example is as follows:

client
dev tun
proto udp
remote aus.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/private-internet-access/login.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
auth-nocache
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
up /etc/openvpn/vpnfailsafe.sh # my addition
down /etc/openvpn/vpnfailsafe.sh # my addition

When I call openvpn --config /etc/openvpn/AU_Sydney.conf, I get the following:

Wed Nov  2 07:25:29 2016 Multiple --up scripts defined.  The previously configured script is overridden.
Wed Nov  2 07:25:29 2016 Multiple --down scripts defined.  The previously configured script is overridden.
Wed Nov  2 07:25:29 2016 OpenVPN 2.3.12 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 24 2016
Wed Nov  2 07:25:29 2016 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Wed Nov  2 07:25:29 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  2 07:25:29 2016 UDPv4 link local: [undef]
Wed Nov  2 07:25:29 2016 UDPv4 link remote: [AF_INET]168.1.6.54:1198
Wed Nov  2 07:25:29 2016 [0842bd2998fed6b55e1cf952a940c935] Peer Connection Initiated with [AF_INET]168.1.6.54:1198
Wed Nov  2 07:25:31 2016 TUN/TAP device tun0 opened
Wed Nov  2 07:25:31 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Nov  2 07:25:31 2016 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Nov  2 07:25:31 2016 /usr/bin/ip addr add dev tun0 local 10.44.10.6 peer 10.44.10.5
Wed Nov  2 07:25:31 2016 /etc/openvpn/vpnfailsafe.sh tun0 1500 1558 10.44.10.6 10.44.10.5 init
/etc/openvpn/vpnfailsafe.sh: line 69: !opt: unbound variable
Wed Nov  2 07:25:31 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Wed Nov  2 07:25:31 2016 Exiting due to fatal error

Multiple --up and --down scripts, yes, but I don't care; vpnfailsafe should take priority. Note that when I do not include vpnfailsafe, this call to openvpn works fine.

However, curiously, if I launch the VPN connection via NetworkManager, vpnfailsafe appears to work, because I can see /etc/hosts populated.

Unfortunately I'm at a loss for how to diagnose this problem. Perhaps vpnfailsafe.sh could be made more robust? Any help appreciated.

Cannot ping VPN's nameserver

With the script active it adds the correct nameservers to resolv.conf but it seems the rules added to iptables stop me from even pinging the nameservers provided by the VPN. I would love to add my iptables but I am afraid of putting my ip so openly on the internet, maybe I can send it to you privately?
