!!PLEASE NOTE: This software uses Python console commands, so your local user binary directory must be in your PATH for them to be callable. Add the following to the end of your ~/.profile, then restart or source the file.

export PATH=/home/{YOUR_USER_NAME}/.local/bin:$PATH

Your personal Linux laptop is wide open to security risks.
I’ve put together some software to automate some level of protection, but first,
please read the articles we have gone through before on how to manually plug some holes.

You should read these three articles and understand that these tips are for a local laptop only. If you apply this knowledge to a remote server, you could lock yourself out.

Install ‘vpnkillswitch’

Tested on and for Ubuntu and Linux Mint

****** VPN providers like NordVPN and ProtonVPN do not support IPv6. ********
The RexBytes ‘vpnkillswitch‘ software will turn off IPv6 on your system to prevent data leaks.

Now Available On pypi.org

Python package ‘vpnkillswitch’ is now available at https://pypi.org/project/vpnkillswitch/ .
This package automates everything we have covered in the above 3 articles.

You can install it on your system using the following command.

ubuntu@goodboy:~$ python3 -m pip install vpnkillswitch
Defaulting to user installation because normal site-packages is not writeable
Collecting vpnkillswitch
  Downloading vpnkillswitch-0.1.0-py3-none-any.whl (6.7 kB)
Installing collected packages: vpnkillswitch
Successfully installed vpnkillswitch-0.1.0

Also Available On GitHub

OpenVPN Config File

If you have read the previous articles, you will have noted that we are working with OpenVPN and its config file. The RexBytes ‘vpnkillswitch‘ software assumes this, and also assumes your VPN virtual device uses the OpenVPN default name ‘tun‘. You can see this name if you open your OpenVPN config file.


client
dev tun    <----- HERE IT IS
proto udp

You can check that your system is indeed running a VPN tunneling device of this name using the following command in a terminal.

ubuntu@goodboy:~$ ifconfig
docker0: ...

enp0s3: ...
lo: ...
tun0: ...     <----- HERE IS YOUR VIRTUAL TUNNELING DEVICE

I have left out the detailed output, but you can see that I am running an OpenVPN tunnel, and my device name is ‘tun0’, which is fine.

vpnkillswitch Usage

Go ahead and run the help for the vpnkillswitch command after you have installed it.

ubuntu@goodboy:~$ vpnkillswitch -h
usage: vpnkillswitch [-h]
                     (--on | --off | --protect | --vpn | --docker | --flush | --nuke)
                     [-g]

VPN Kill Switch

options:
  -h, --help      show this help message and exit

protection:
  protection arguments

  --on            Full protection, activates vpn killswitch and docker
                  killswitch
  --off           Turns off full protection
  --protect       Blocks inward traffic unless related and established
  --vpn           Turn on vpn killswitch only
  --docker        Turn on docker killswitch only
  --flush         Flush/Delete Rexbytes additions to your filewall, sets
                  ACCEPT on all chains too.
  --nuke          WARNING, this will reset your iptables to allow all traffic

granularity:
  option for more granular port lockdown/allow

  -g, --granular  Creates a more granular iptables ruleset

--nuke WARNING DO NOT USE

I would stay away from the ‘--nuke‘ option and use it only as a last resort to restore network access to your laptop. ‘--nuke‘ will delete ALL existing iptables firewall rules, even those for other applications, but it will unblock traffic. Please check the general network status before resorting to this option.

--on

‘--on’ will turn on the kill switch for your OpenVPN and also Docker; it will also run ‘--protect’.
You can use the switch ‘-g‘, which will create a more granular iptables ruleset in which you can add or remove port access by editing the bash files described at the end of this article. It is recommended to use ‘--flush’ if jumping between granular and non-granular options.

--off

‘--off’ will remove references to your RexBytes iptables chains. You can re-enable your protection by running the ‘--on’ switch. ‘--on’ effectively re-adds the references to your chains, which is why you should use ‘--flush’ if you want to change to or back from a more granular iptables ruleset.

--protect

‘--protect’ isn’t a killswitch, but it does give your system the most basic protection: staying quiet on a network and not responding to traffic it did not originally request.

--vpn

‘--vpn’ will turn on the killswitch for your OpenVPN connection only, by adding the appropriate chain and rules.

--docker

‘--docker’ will turn on the killswitch for your Docker chain only, by adding the appropriate chain and rules.

--flush

‘--flush’ will turn off all rules and all chains, delete the chains, and delete the systemd unit files and the bash files,
removing all signs of ‘vpnkillswitch‘ from your system and leaving behind your original iptables state.
On system restart no scripts will be run.

You will be asked for your sudo password when using any of these switches as editing iptables needs root privileges.

The RexBytes ‘vpnkillswitch‘ package will create the following iptables chains for you,

root@goodboy:/home/ubuntu# iptables -L | grep 'Chain RB_'
Chain RB_DOCKER_VPN_KILL_SWITCH (1 references)
Chain RB_OUTPUT_VPN_KILL_SWITCH (1 references)
Chain RB_RELATED_AND_ESTABLISHED (1 references)

and create references in the default chains (INPUT, OUTPUT, FORWARD) and the Docker chain (DOCKER-USER) that point to these new RexBytes chains.

Turning off ‘vpnkillswitch‘ removes the RexBytes references; flushing it also deletes the RexBytes iptables chains. Either way, your original iptables rules are left in place.

The RexBytes ‘vpnkillswitch‘ also creates the appropriate systemd files and enables these services for you, so that on restart your iptables rules are in place.

Run vpnkillswitch --protect Now!

You may not even have set up a VPN or Docker on your system, but at the very least you should only allow access to your machine on connections that are Related or Established.

If you have a freshly installed Linux system and check your iptables, you will see that, as mentioned in previous articles, you are fully open.

root@goodboy:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

You should run the following command,

ubuntu@goodboy:~$ vpnkillswitch --protect
my_args.protect:True
[sudo] password for ubuntu:      
Creating RB_RELATED_AND_ESTABLISHED...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Created symlink /etc/systemd/system/network.target.wants/rexbytes_protect.service → /etc/systemd/system/rexbytes_protect.service.

If you list your iptables you will now see that a new RB_RELATED_AND_ESTABLISHED chain has been created, and that a reference to that chain has been inserted in the INPUT chain.

root@goodboy:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 RB_RELATED_AND_ESTABLISHED  all  --  any    any     anywhere             anywhere   

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain RB_RELATED_AND_ESTABLISHED (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED

THIS IS THE BARE MINIMUM SECURITY YOU SHOULD HAVE FOR YOUR LINUX LAPTOP

You can undo these changes if you like with the following command,

ubuntu@goodboy:~$ vpnkillswitch --flush
my_args.flush:True, granularity:False
Removed /etc/systemd/system/network.target.wants/rexbytes_protect.service.
Failed to disable unit: Unit file rexbytes_vpn4killswitch.service does not exist.
Failed to disable unit: Unit file rexbytes_dockerkillswitch.service does not exist.
off-D
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-D
iptables: Bad rule (does a matching rule exist in that chain?).
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-F
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
flush-D
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

Wherever a chain, service, or rule doesn’t exist, for now you will see complaints that it can’t be deleted, which is fine. A “flush” is a restoration of your iptables by deleting the RexBytes chains and rules, and you may not have activated all of them. You can’t delete what doesn’t exist.

After a ‘vpnkillswitch --flush‘, your iptables will be restored to their previous state.

Fully Protected System

On a system with a running OpenVPN, and an install of Docker, you can turn on full protection with the following command.

ubuntu@goodboy:~$ vpnkillswitch --on
my_args.on:True, granularity:False
Failed to disable unit: Unit file rexbytes_protect.service does not exist.
Failed to disable unit: Unit file rexbytes_vpn4killswitch.service does not exist.
Failed to disable unit: Unit file rexbytes_dockerkillswitch.service does not exist.
off-D
iptables v1.8.7 (nf_tables): Chain 'RB_RELATED_AND_ESTABLISHED' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-D
iptables v1.8.7 (nf_tables): Chain 'RB_RELATED_AND_ESTABLISHED' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-F
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
flush-D
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Creating RB_RELATED_AND_ESTABLISHED...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Creating RB_OUTPUT_VPN_KILL_SWITCH...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Created symlink /etc/systemd/system/network.target.wants/rexbytes_vpn4killswitch.service → /etc/systemd/system/rexbytes_vpn4killswitch.service.
Creating RB_DOCKER_VPN_KILL_SWITCH...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Created symlink /etc/systemd/system/multi-user.target.wants/rexbytes_dockerkillswitch.service → /etc/systemd/system/rexbytes_dockerkillswitch.service.
ubuntu@goodboy:~$ 

The output is there for information. You can ignore it for now; in later versions I may tidy it up.
You can check it worked by listing your iptables,

root@goodboy:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1733 1676K RB_RELATED_AND_ESTABLISHED  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  505 42420 DOCKER-USER  all  --  any    any     anywhere             anywhere            
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            

Chain OUTPUT (policy DROP 2 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1545  150K RB_OUTPUT_VPN_KILL_SWITCH  all  --  any    any     anywhere             anywhere            

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    docker0  anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RB_DOCKER_VPN_KILL_SWITCH  all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain RB_DOCKER_VPN_KILL_SWITCH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    tun+    anywhere             anywhere            
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain RB_OUTPUT_VPN_KILL_SWITCH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  775 95563 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:openvpn
  768 54376 ACCEPT     all  --  any    tun+    anywhere             anywhere            
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             10.0.0.0/8          

Chain RB_RELATED_AND_ESTABLISHED (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1733 1676K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED

If the above doesn’t read as easily as an email rule set, you should definitely go back and read the 3 articles recommended at the top of this post.

It is surprisingly simple.
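An added example, not part of the vpnkillswitch package: a Python check that parses `iptables -L -v` text like the listing above, reports whether the full `--on` state is in place, and lists which ACCEPT rules in RB_OUTPUT_VPN_KILL_SWITCH still let traffic out on interfaces other than `tun+` and `lo`. The function names, the requirement that each jump is the first rule in its chain, and the trimmed SAMPLE listing are assumptions of this example.

```python
import re

# Constructed sample: the listing above with column headers and Docker's own chains trimmed.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 1733 1676K RB_RELATED_AND_ESTABLISHED  all  --  any    any     anywhere   anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 2 packets, 400 bytes)
 1545  150K RB_OUTPUT_VPN_KILL_SWITCH  all  --  any    any     anywhere   anywhere
Chain DOCKER-USER (1 references)
    0     0 RB_DOCKER_VPN_KILL_SWITCH  all  --  any    any     anywhere   anywhere
    0     0 RETURN     all  --  any    any     anywhere   anywhere
Chain RB_DOCKER_VPN_KILL_SWITCH (1 references)
    0     0 ACCEPT     all  --  any    tun+    anywhere   anywhere
    0     0 ACCEPT     all  --  tun+   any     anywhere   anywhere   ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere   anywhere
Chain RB_OUTPUT_VPN_KILL_SWITCH (1 references)
  775 95563 ACCEPT     udp  --  any    any     anywhere   anywhere   udp dpt:openvpn
  768 54376 ACCEPT     all  --  any    tun+    anywhere   anywhere
    0     0 ACCEPT     all  --  any    lo      anywhere   anywhere
    0     0 ACCEPT     all  --  any    any     anywhere   10.0.0.0/8
"""
FIELDS = ("target", "prot", "opt", "in", "out", "src", "dst")
HEAD = re.compile(r"Chain (\S+) \((?:policy (\w+))?")

def parse(listing):
    """Map chain name -> {'policy': str or None, 'rules': [dict]}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m, f = HEAD.match(line), line.split()
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif cur and len(f) >= 9 and f[0][0].isdigit():  # skips column headers and blank lines
            cur["rules"].append(dict(zip(FIELDS, f[2:9]), extra=" ".join(f[9:])))
    return chains

def audit(listing, tun="tun+"):
    """Return (problems, bypasses): broken invariants, and egress allowed outside the tunnel."""
    c = parse(listing)
    rules = lambda name: c.get(name, {}).get("rules", [])
    problems = [f"{n} policy is {c.get(n, {}).get('policy')}, expected DROP"
                for n in ("INPUT", "FORWARD", "OUTPUT") if c.get(n, {}).get("policy") != "DROP"]
    for chain, target in (("INPUT", "RB_RELATED_AND_ESTABLISHED"), ("OUTPUT", "RB_OUTPUT_VPN_KILL_SWITCH"),
                          ("DOCKER-USER", "RB_DOCKER_VPN_KILL_SWITCH")):
        # Assumption of this check: the jump is the first rule, as in the listing above.
        if [r["target"] for r in rules(chain)][:1] != [target]:
            problems.append(f"{chain} does not start with a jump to {target}")
    if [r["target"] for r in rules("RB_DOCKER_VPN_KILL_SWITCH")][-1:] != ["DROP"]:
        problems.append("RB_DOCKER_VPN_KILL_SWITCH does not end in DROP")
    bypasses = [f"{r['prot']} to {r['dst']} {r['extra']}".strip()
                for r in rules("RB_OUTPUT_VPN_KILL_SWITCH")
                if r["target"] == "ACCEPT" and r["out"] not in (tun, "lo")]
    return problems, bypasses
```

On a live system, pass it the text of `sudo iptables -L -v`. For the listing above it reports no problems and two exceptions: the UDP rule that lets OpenVPN reach its server, and the 10.0.0.0/8 allowance.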

Persistent iptables With systemd

As briefly mentioned above, ‘vpnkillswitch‘ will create systemd unit files, and also relevant scripts to be run on startup to populate your iptables.

Systemd Unit Files

‘vpnkillswitch‘ will create the following service files, and it will also delete them when you give the appropriate commands. There is no need to edit these files directly.

‘systemctl enable/disable‘ is automatically run for the command switches you specify.

/etc/systemd/system/rexbytes_protect.service
/etc/systemd/system/rexbytes_dockerkillswitch.service
/etc/systemd/system/rexbytes_vpn4killswitch.service

System Bash Files

‘vpnkillswitch‘ will create the following associated bash scripts for each iptables chain,

/usr/local/bin/rexbytes_protect.sh
/usr/local/bin/rexbytes_dockerkillswitch.sh
/usr/local/bin/rexbytes_vpn4killswitch.sh

You should edit these under one condition: if you specify the ‘-g, --granular Creates a more granular iptables ruleset‘ option when calling ‘vpnkillswitch‘, you have the option of adding or removing port access by editing ‘rexbytes_vpnkillswitch.sh‘ and ‘rexbytes_dockerkillswitch.sh‘. For basic ports I have lines ready in that script for you to comment or uncomment. You can then either restart your system or run the bash script directly as root.

In Action

Here is a gif of the killswitch in action.

On the left is a terminal on the system running a ping.
On the right is a docker container running a ping in a terminal.
You can see that as soon as I turn off the VPN the pings stop,
as soon as I turn on the VPN the pings restart.

The RexBytes ‘vpnkillswitch’ software works.

ENJOY!

Please remember that this software is supposed to be used on your local laptop and not on a remote server, where you will lock yourself out.

Please enjoy hardening your systems, and if you have any issues please report them at the following page,
