openvpn
AkZwork, 2017-07-15 23:09:11

How to remove all routes and install only OpenVPN?

Good afternoon.
Help me create a script (I'll add it to autostart) that will remove the default route and add a route only for OpenVPN, so that when OpenVPN crashes, traffic does not go out directly.
I have:

enp1s0
lo
tun0
wlp2s0 (wifi)

route with VPN enabled:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    600    0        0 wlp2s0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 wlp2s0
VPN_IP          192.168.1.1     255.255.255.255 UGH   0      0        0 wlp2s0
192.168.1.0     *               255.255.255.0   U     600    0        0 wlp2s0

I need a solution for Ubuntu that removes everything that can send traffic to the network and allows only OpenVPN (you can match on the port, on tun0, or on the IP, it makes no difference).

1 answer(s)
younghacker, 2017-07-24

Are you seriously sure that nobody will add the routes back when OpenVPN goes down?
In my opinion, it would be more optimal and reliable to restrict all outgoing (and forwarded, if it is a router) traffic so that:
0) all packets going to lo are accepted;
1) all packets going to tun+ are accepted;
2) all packets going to enp1s0 are accepted only if the destination is the address of your VPN server and the port and protocol match;
3) all packets going to wlp2s0 are accepted only if the destination is the address of your VPN server and the port and protocol match;
4) all packets that reach this rule are rejected with an error, so that it is immediately obvious that the route through the VPN has dropped off.
This rule must be the last one in the OUTPUT chain.
This approach will also protect you from a DNS leak.
Do not forget to also PUSH DNS from the VPN server, since the native one from the modem or wifi router will not be available.

push "redirect-gateway"
push "dhcp-option DNS 10.11.0.1"
push "explicit-exit-notify 3"

10.11.0.1 - in this case your DNS is somewhere on the VPN server's side, for the reason that if you are serious about your VPN, Google should not be told anything.
Command to check counters (when debugging)
Yes, DHCP should still be allowed if you are using non-static.
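The rule set from the answer above, written out as an added example (not the answerer's own script): it generates the iptables OUTPUT rules for rules 0 to 4 plus the DHCP allowance, and applies them only when run with --apply. The VPN server address 203.0.113.10, port 1194 and protocol udp are assumed placeholders; substitute your own values (use the server's IP, not a hostname, so the rule does not depend on DNS).

```shell
#!/bin/sh
# Generate (and optionally apply) iptables OUTPUT rules implementing the
# policy from the answer: allow lo, allow tun+, allow only the VPN server
# endpoint on the physical uplinks, allow DHCP, reject everything else.
# Placeholder values (assumed, TEST-NET-3 address): override via environment.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the rule set for the given server, port, protocol and uplink interfaces.
# Usage: gen_killswitch_rules <server> <port> <proto> <iface>...
gen_killswitch_rules() {
    server=$1; port=$2; proto=$3; shift 3
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"      # rule 0: loopback
    echo "iptables -A OUTPUT -o tun+ -j ACCEPT"    # rule 1: anything into the tunnel
    for iface in "$@"; do
        # rules 2/3: a physical uplink may carry only the VPN session itself
        echo "iptables -A OUTPUT -o $iface -p $proto -d $server --dport $port -j ACCEPT"
        # DHCP renewals on that uplink, needed when the address is not static
        echo "iptables -A OUTPUT -o $iface -p udp --sport 68 --dport 67 -j ACCEPT"
    done
    # rule 4, last in OUTPUT: everything else is rejected with an ICMP error,
    # so a collapsed tunnel shows up immediately instead of leaking via wlp2s0
    echo "iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited"
}

# Self-check helper: number of commands emitted for the two uplinks in the question.
count_rules() {
    gen_killswitch_rules "$1" "$2" "$3" enp1s0 wlp2s0 | wc -l | tr -d ' '
}

if [ "$1" = "--apply" ]; then
    # Load the rules for real (requires root).
    gen_killswitch_rules "$VPN_SERVER" "$VPN_PORT" "$VPN_PROTO" enp1s0 wlp2s0 | sh
else
    # Dry run: just print the commands for review.
    gen_killswitch_rules "$VPN_SERVER" "$VPN_PORT" "$VPN_PROTO" enp1s0 wlp2s0
fi
```

Without --apply the script only prints the commands, so you can review them before loading; the REJECT rule at the end is what makes a dropped tunnel fail loudly rather than silently falling back to the wlp2s0 default route.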
