Maybe use iptables to implement kill switch option? #5
Comments
I'll have to go through this carefully to make sure it does what we expect. E.g. at a quick glance it seems odd to Looking at the ProtonVPN CLI source, I noticed that the kill switch can't be used together with split tunneling. I'm not sure what that is or what role it plays, so I have some research to do in this regard. Still, thanks for bringing this to my attention. We definitely don't want the container to use any connection other than the VPN. I'm inclined to have this enabled by default.

Very nice, I appreciate you looking into it, since I'm not experienced with iptables at all!

@walterl So if I understand correctly the container has already a kill switch built in

Yo @walterl any chance this will be implemented?

@matt-laird It's not on my radar, unfortunately.
Since somehow the kill switch was not working for me inside the docker container, I looked at the `protonvpn-cli` source code and saw they are using plain iptables as well. So I modified the entrypoint to block everything except to LAN and the `proton0` device.

Keep in mind I have hardcoded my container subnet to `172.26.0.0/16` in my `docker-compose.yml` for this to work, but it should be very doable to fix this. I'm just providing this as a proof of concept, please let me know if I missed anything in the rules, from my understanding, this should block all traffic outside LAN on the main adapter and only allow that traffic through `proton0`.

Since VPN users often do want their traffic to only go through the VPN tunnel, I imagine an environment variable that triggers this might be useful maybe? I currently just have the above rules in the entrypoint script.
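The policy described in the issue (drop everything except the LAN subnet and the `proton0` device), written out as an added example in `iptables-restore` format; it is not the poster's ruleset or the project's code. The function names, the loopback rules and the optional VPN endpoint arguments (server IP, protocol, port) are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's rules): print a kill-switch ruleset in
# iptables-restore format. Function and argument names are hypothetical.

# ok VALUE CHARS: VALUE is non-empty and uses only characters from CHARS.
ok() { case $1 in ''|*[!$2]*) return 1 ;; esac; }

# killswitch_rules LAN_CIDR VPN_IF [SERVER_IP [PROTO [PORT]]]
killswitch_rules() {
    lan=$1 vpn_if=$2 srv=${3:-} proto=${4:-udp} port=${5:-1194}

    # Character allow-lists keep a bad environment variable from injecting
    # extra rule lines; iptables-restore still validates the values.
    ok "$lan" '0-9./' && ok "$vpn_if" 'A-Za-z0-9_.-' || return 2
    if [ -n "$srv" ]; then
        ok "$srv" '0-9.' && ok "$port" '0-9' || return 2
        case $proto in udp|tcp) ;; *) return 2 ;; esac
    fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $lan -j ACCEPT
-A OUTPUT -d $lan -j ACCEPT
-A INPUT -i $vpn_if -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
EOF
    # Assumed endpoint: without this pair the tunnel cannot reconnect once
    # the default policy is DROP.
    if [ -n "$srv" ]; then
        echo "-A OUTPUT -d $srv -p $proto --dport $port -j ACCEPT"
        echo "-A INPUT -s $srv -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi
    echo COMMIT
}

# Typical use in an entrypoint, as root (stop if either step fails):
#   rules=$(killswitch_rules 172.26.0.0/16 proton0) || exit 1
#   printf '%s\n' "$rules" | iptables-restore || exit 1
```

These rules cover IPv4 only; IPv6 needs the same policy loaded with `ip6tables-restore`, or to be disabled in the container, for the kill switch to hold.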