I'd like to use a VPN when on public wifi for security. In order to establish my OpenVPN tunnel I need a working network connection. When I connect to a public wifi access point there is a window of time after connecting but before my VPN client is launched, connects and updates the route table, during which traffic from my system travels unencrypted over public wifi.

How can I cause wifi to pass no traffic except traffic destined for my OpenVPN server during that window of time?

Extra credit: Is there a way to whitelist wifi networks as trusted (like my home or work wifi) such that all traffic is allowed, as I won't be using a VPN there?

gene_wood

2 Answers

I would try the following with iptables, in this order:

# Allow DHCP
sudo iptables -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Allow outbound VPN traffic
sudo iptables -A OUTPUT -p udp --dport 1194 -d 0.0.0.0/0 -j ACCEPT

# DROP all other outbound traffic on the wifi interface
# (the OUTPUT chain matches on the outgoing interface, so -o, not -i)
sudo iptables -A OUTPUT -o wlan0 -j DROP

In the office and home network you will have to run:

# Accept all outbound traffic again by removing the DROP rule
sudo iptables -D OUTPUT -o wlan0 -j DROP

There might be an iptables extension which will filter using the WIFI SSID or some other router identifier, but I am not familiar with any.

NOTE: you might need to update the ovpn remote port and/or the WIFI network interface name.

ofirule

Maybe I have a solution for you.

Create a script in /etc/NetworkManager/dispatcher.d/vpn-up

#! /bin/bash

REQUIRED_CONNECTION_NAME="<name-of-connection>"
VPN_CONNECTION_NAME="<name-of-vpn-connection>"

# Look up which connections NetworkManager currently has active
# (older nmcli syntax; newer versions use: nmcli con show --active)
activ_con=$(nmcli con status | grep "${REQUIRED_CONNECTION_NAME}")
activ_vpn=$(nmcli con status | grep "${VPN_CONNECTION_NAME}")
# Bring the VPN up when the required connection is active and the VPN is not
if [ -n "${activ_con}" ] && [ -z "${activ_vpn}" ];
then
    nmcli con up id "${VPN_CONNECTION_NAME}"
fi

Which means: if it is not connected to REQUIRED_CONNECTION_NAME, aka home wifi, the dispatcher will connect to the VPN.

This will work only if you use NM for the VPN connection. If you do not use NM for the VPN connection, replace nmcli con up id "${VPN_CONNECTION_NAME}" in the script with your own command for starting the VPN connection.

2707974
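The two answers above can be combined: a NetworkManager dispatcher script that decides, from the connection name NM hands it, whether the network is trusted, and that installs the kill-switch rules only for untrusted networks. The script below is an added example written for this page, not code from either answer or from NetworkManager. Everything in it is an assumption for illustration: the trusted connection names, the VPN server address 203.0.113.10, port 1194/udp, the tunnel interface tun0 and the wifi interface wlan0. It relies on two documented dispatcher facts: NM calls each script as `script IFACE ACTION` and exports CONNECTION_ID in the environment.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher kill switch with a trusted-network whitelist.
# Install as /etc/NetworkManager/dispatcher.d/50-vpn-killswitch (root-owned, mode 0755).
# All names and addresses below are assumptions for illustration.

TRUSTED_CONNECTIONS="HomeWifi WorkWifi"   # assumed NM connection names (CONNECTION_ID)
VPN_SERVER="203.0.113.10"                 # assumed; an IP, not a hostname, so no DNS is needed pre-tunnel
VPN_PORT="1194"                           # assumed OpenVPN remote port
VPN_PROTO="udp"
TUN_IFACE="tun0"                          # assumed tunnel interface name

# is_trusted NAME -> exit 0 if NAME is in TRUSTED_CONNECTIONS, 1 otherwise
is_trusted() {
    for t in $TRUSTED_CONNECTIONS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# build_killswitch_rules IFACE -> prints the iptables commands for an untrusted network,
# in order. A dedicated chain keeps the rules separate from anything else in OUTPUT and
# lets them be removed atomically. Allowed out of the wifi interface: DHCP and the VPN
# handshake only; the tunnel interface and loopback pass freely; everything else drops.
build_killswitch_rules() {
    iface="$1"
    cat <<EOF
iptables -N VPN_KILLSWITCH 2>/dev/null || iptables -F VPN_KILLSWITCH
iptables -A VPN_KILLSWITCH -o lo -j RETURN
iptables -A VPN_KILLSWITCH -o $TUN_IFACE -j RETURN
iptables -A VPN_KILLSWITCH -o $iface -p udp --sport 68 --dport 67 -j RETURN
iptables -A VPN_KILLSWITCH -o $iface -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j RETURN
iptables -A VPN_KILLSWITCH -o $iface -j DROP
iptables -C OUTPUT -j VPN_KILLSWITCH 2>/dev/null || iptables -I OUTPUT 1 -j VPN_KILLSWITCH
EOF
}

# build_teardown_rules -> commands that remove the kill switch (trusted network or link down)
build_teardown_rules() {
    cat <<EOF
iptables -D OUTPUT -j VPN_KILLSWITCH 2>/dev/null
iptables -F VPN_KILLSWITCH 2>/dev/null
iptables -X VPN_KILLSWITCH 2>/dev/null
EOF
}

# decide ACTION CONNECTION_ID -> prints "killswitch", "teardown" or "ignore"
decide() {
    action="$1"; conn="$2"
    case "$action" in
        up)   if is_trusted "$conn"; then echo teardown; else echo killswitch; fi ;;
        down) echo teardown ;;
        *)    echo ignore ;;
    esac
}

# Dispatcher entry point. Only the wifi interface is of interest; other interfaces
# (ethernet, the tunnel itself) are left alone.
main() {
    WIFI_IFACE="${WIFI_IFACE:-wlan0}"      # assumed wifi interface name
    [ "$1" = "$WIFI_IFACE" ] || exit 0
    case "$(decide "$2" "${CONNECTION_ID:-}")" in
        killswitch) build_killswitch_rules "$1" | sh ;;
        teardown)   build_teardown_rules | sh ;;
    esac
}

# Run only when invoked with dispatcher arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Two design points worth noting. The VPN allow rule names the server by IP: if the OpenVPN config used a hostname, the client would need DNS before the tunnel exists, and DNS would then also have to be allowed out over the untrusted network. And the rules are inserted at position 1 of OUTPUT so that no earlier ACCEPT rule can bypass them; `iptables -L OUTPUT -v -n` after connecting to an untrusted network should show the jump to VPN_KILLSWITCH first and a growing packet counter on its DROP line while the VPN is down.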