
Maybe use iptables to implement kill switch option? #5

Open
LouKordos opened this issue Jun 20, 2021 · 5 comments · May be fixed by #41
Labels
enhancement New feature or request

Comments

@LouKordos

Since somehow the kill switch was not working for me inside the docker container, I looked at the protonvpn-cli source code and saw they are using plain iptables as well. So I modified the entrypoint to block everything except to LAN and the proton0 device.

Keep in mind I have hardcoded my container subnet to 172.26.0.0/16 in my docker-compose.yml for this to work, but it should be very doable to fix this. I'm just providing this as a proof of concept; please let me know if I missed anything in the rules. From my understanding, this should block all traffic outside LAN on the main adapter and only allow that traffic through proton0.

iptables -P INPUT DROP                                                  # default policy: drop all inbound packets
iptables -P FORWARD DROP                                                # default policy: drop all forwarded packets
iptables -P OUTPUT DROP                                                 # default policy: drop all outbound packets
iptables -A INPUT -i lo -j ACCEPT                                       # loopback in
iptables -A INPUT -i proton0 -j ACCEPT                                  # anything arriving through the tunnel
iptables -A INPUT -i proton0 -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies on the tunnel (already matched by the rule above)
iptables -A INPUT -p udp -m udp --sport 1194 -j ACCEPT                  # OpenVPN server replies, any interface, no state check
iptables -A INPUT -s 172.26.0.0/16 -i eth0 -j ACCEPT                    # container subnet (hardcoded) on the physical NIC
iptables -A INPUT -s 10.8.0.0/16 -i eth0 -j ACCEPT                      # second LAN range on the physical NIC
iptables -A OUTPUT -o lo -j ACCEPT                                      # loopback out
iptables -A OUTPUT -o proton0 -j ACCEPT                                 # anything leaving through the tunnel
iptables -A OUTPUT -o proton0 -m state --state RELATED,ESTABLISHED -j ACCEPT # replies on the tunnel (already matched by the rule above)
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT                 # OpenVPN handshake to any host on UDP 1194, any interface
iptables -A OUTPUT -d 172.26.0.0/16 -o eth0 -j ACCEPT                   # container subnet (hardcoded) on the physical NIC
iptables -A OUTPUT -d 10.8.0.0/16 -o eth0 -j ACCEPT                     # second LAN range on the physical NIC

Since VPN users often do want their traffic to only go through the VPN tunnel, I imagine an environment variable that triggers this might be useful? I currently just have the above rules in the entrypoint script.
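One way to turn the rules above into the environment-driven option suggested here, as an added example that is not the project's entrypoint or the issue author's rules: the subnets, interface names and tunnel port come from environment variables (the names KILLSWITCH_LAN_SUBNETS, VPN_IFACE, LAN_IFACE, VPN_PORT and DRY_RUN, and the functions valid_cidr, killswitch_rules and apply_killswitch, are assumptions for this example), each subnet is validated before it becomes a rule, and the whole set is loaded with iptables-restore in one transaction so the DROP policies and the ACCEPT rules take effect together.

```shell
#!/bin/sh
# Added example, not the project's entrypoint or the issue author's rules:
# builds the kill switch as one iptables-restore transaction, with the LAN
# subnets, interface names and tunnel port taken from (assumed) environment
# variables instead of the hardcoded 172.26.0.0/16.

# Reject anything that is not a well-formed IPv4 CIDR (e.g. 172.26.0.0/16),
# so a typo in the environment cannot become a rule that matches nothing
# or something unintended.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    ip="${1%/*}"
    prefix="${1#*/}"
    [ "$ip" != "$1" ] || return 1              # a '/' must be present
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip                                 # split into octets
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the ruleset in iptables-restore format (nothing is applied here).
killswitch_rules() {
    vpn_if="${VPN_IFACE:-proton0}"
    lan_if="${LAN_IFACE:-eth0}"
    vpn_port="${VPN_PORT:-1194}"
    subnets="${KILLSWITCH_LAN_SUBNETS:-}"      # space-separated CIDRs
    for s in $subnets; do
        valid_cidr "$s" || { echo "bad CIDR in KILLSWITCH_LAN_SUBNETS: $s" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this container opened (tunnel handshake replies
    # included) are matched here, on whichever interface they arrive; no
    # OUTPUT counterpart, so flows that existed before the rules were loaded
    # are not carried over.
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # Everything inside the tunnel.
    echo "-A INPUT -i $vpn_if -j ACCEPT"
    echo "-A OUTPUT -o $vpn_if -j ACCEPT"
    # The tunnel itself: only the VPN port, only out of the physical NIC.
    # Add '-d <server address>' when the endpoint is known; without it any
    # host reachable on this UDP port is permitted.
    echo "-A OUTPUT -o $lan_if -p udp --dport $vpn_port -j ACCEPT"
    # LAN ranges stay reachable outside the tunnel.
    for s in $subnets; do
        echo "-A INPUT -i $lan_if -s $s -j ACCEPT"
        echo "-A OUTPUT -o $lan_if -d $s -j ACCEPT"
    done
    echo 'COMMIT'
}

# Load the ruleset atomically; with DRY_RUN=1 only print it for review.
apply_killswitch() {
    rules="$(killswitch_rules)" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | iptables-restore
    fi
}

# Usage from an entrypoint (needs CAP_NET_ADMIN inside the container):
#   KILLSWITCH_LAN_SUBNETS='172.26.0.0/16 10.8.0.0/16' ./killswitch.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_killswitch
fi
```

Run it with DRY_RUN=1 first to read the generated ruleset, and load it before the VPN client and any workload start, so no connection exists that could outlive the policy change. Compared with the rules in the issue, the ESTABLISHED match sits once on INPUT instead of being repeated per interface, and the VPN port rule is bound to the physical interface rather than accepted everywhere.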

@walterl
Owner

walterl commented Aug 29, 2021

I'll have to go through this carefully to make sure it does what we expect. E.g. at a quick glance it seems odd to ACCEPT all traffic on an interface (line 5), and then accept established connections (line 6).

Looking at the ProtonVPN CLI source, I noticed that the kill switch can't be used together with split tunneling. I'm not sure what that is or what role it plays, so I have some research to do in this regard.

Still, thanks for bringing this to my attention. We definitely don't want the container to use any connection other than the VPN. I'm inclined to have this enabled by default.

@walterl walterl added the enhancement New feature or request label Aug 29, 2021
@LouKordos
Author

Very nice, I appreciate you looking into it, since I'm not experienced with iptables at all!

@BeatRoy

BeatRoy commented Nov 29, 2021

@walterl So if I understand correctly the container already has a kill switch built in?

@matt-laird

Yo @walterl any chance this will be implemented?

@walterl
Owner

walterl commented May 7, 2023

@matt-laird It's not on my radar, unfortunately.
