
Circuit Breaker
Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Circuit Breaker

Post by MOQ888 » Sat Mar 02, 2019 8:29 am

A while back PB (I think) mentioned setting up *nix with some kind of circuit breaker (?) to kill all traffic if the VPN dropped out. I'm very interested in implementing this. I've tried searching "VPN circuit breaker" but I suspect my terminology is wrong.

Is there a resource or some pointers I can look at so I can incorporate this function into my Kubuntu 18.x setup using NM? If this function can't work with NM that's fine, I'd be happier to have such a mechanism than the convenience of NM.


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Sat Mar 02, 2019 4:16 pm

Don't worry, I have since discovered this is called a Kill Switch and DF has already posted an example.


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Kill Switch

Post by MOQ888 » Mon May 13, 2019 5:32 pm

Today I discovered there is actually a Kill Switch section on the website!

I'm looking at scenario #3, and in the section where I need to make adjustments to the .ovpn file it suggests adding

up /usr/local/bin/killswitch_system_lan_up.sh
down /usr/local/bin/killswitch_system_lan_up.sh
script-security 2

to the file.

So I opened one of the ovpn files and down the bottom mine has the following:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Do I # comment these out and append the suggested lines to the end?

Presumably once the .ovpn files have been modified I have to remove all and set up again in NM?


df
Site Admin
Posts: 404
Joined: Thu Jan 01, 1970 5:00 am

Re: Circuit Breaker

Post by df » Mon May 13, 2019 6:22 pm

Yea, comment out or remove those existing lines. The killswitch script does its own DNS leak protection, so using the update-resolv-conf script isn't necessary.
And yes, you would have to remove the config from NM and set it up again for NM to see the changes.


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Tue May 14, 2019 3:45 am

Tks DF!


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Wed May 15, 2019 4:19 pm

OK, I modified one .ovpn config with the up and down script references and it connects fine. I was curious if I could ping 8.8.8.8 through my LAN IF if I manually disconnected the VPN and it does.

So I deleted that one in NM and commented out the down line in the .ovpn cfg, and recreated it. Connected OK, but after disconnecting it was still able to ping 8.8.8.8

Is this correct behaviour, and how can I test the Kill Switch is working without sitting here for hours watching if NM drops the VPN connection?


df
Site Admin
Posts: 404
Joined: Thu Jan 01, 1970 5:00 am

Re: Circuit Breaker

Post by df » Wed May 15, 2019 4:24 pm

That scenario #3 kill switch will remove the kill switch if OpenVPN exits "cleanly" (like it does via NM).
You can test it by killing openvpn with `killall -9 openvpn` then trying to ping 8.8.8.8

It should also stay active if you keep the --up part but remove the --down part, but I haven't tested with NM. It's possible that NM is changing something in the config before or after it gets loaded, which is often the case with most OpenVPN GUIs.
Try it out using openvpn at the terminal instead. If that works, then verify that the config NM is actually using still has those --up/--down lines (I think NM stores configs somewhere in /etc/NetworkManager).
Also, don't forget to include a --script-security 2 in your config, otherwise the --up/--down scripts won't run.
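A worked version of the up/down approach df describes, added here as an example and not cryptostorm's own killswitch_system_lan_up.sh. The script name ks.sh, the LAN range 192.168.0.0/16 and the KS_DRY_RUN / IPT variables are assumptions for illustration; dev, trusted_ip, trusted_port and script_type are environment variables OpenVPN exports to up/down scripts, and proto_1 (protocol of the first remote) is assumed to be available as well. It sets a default-deny OUTPUT policy, then allows only loopback, the tunnel device, the VPN server endpoint and the LAN, and drops any DNS that does not leave via the tunnel.

```shell
#!/bin/sh
# OpenVPN --up/--down kill switch (added example; not cryptostorm's
# killswitch_system_lan_up.sh). Reference it from the .ovpn as:
#   script-security 2
#   up   /usr/local/bin/ks.sh
#   down /usr/local/bin/ks.sh
# OpenVPN exports dev, trusted_ip, trusted_port and script_type to the
# script; proto_1 (protocol of the first remote) is assumed here.

KS_LAN="${KS_LAN:-192.168.0.0/16}"   # assumption: local LAN to keep reachable
IPT="${IPT:-iptables}"               # set KS_DRY_RUN=1 to print instead of apply

# run: execute an iptables command, or print it when KS_DRY_RUN is set.
run() {
    if [ -n "${KS_DRY_RUN:-}" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ks_up DEV SERVER_IP PORT PROTO: default-deny OUTPUT, then punch holes for
# loopback, the tunnel, the VPN server itself and the LAN. DNS (53) is
# dropped unless it leaves via the tunnel, so a LAN resolver cannot leak.
ks_up() {
    dev="$1"; server="$2"; port="$3"
    case "$4" in tcp*) proto=tcp ;; *) proto=udp ;; esac   # "tcp-client" -> tcp
    run -F OUTPUT                        # note: discards existing OUTPUT rules
    run -P OUTPUT DROP
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -o "$dev" -j ACCEPT
    run -A OUTPUT -d "$server" -p "$proto" --dport "$port" -j ACCEPT
    run -A OUTPUT ! -o "$dev" -p udp --dport 53 -j DROP
    run -A OUTPUT ! -o "$dev" -p tcp --dport 53 -j DROP
    run -A OUTPUT -d "$KS_LAN" -j ACCEPT
}

# ks_down: restore an open OUTPUT chain. Only reached on a clean exit; a
# killed openvpn (killall -9) never runs it, so the DROP policy stays in place.
ks_down() {
    run -F OUTPUT
    run -P OUTPUT ACCEPT
}

case "${script_type:-}" in
    up)   ks_up "$dev" "$trusted_ip" "$trusted_port" "${proto_1:-udp}" ;;
    down) ks_down ;;
esac
```

To test it the way df suggests: start the tunnel from a terminal with `sudo openvpn --config whatever.ovpn`, then in a second terminal run `sudo killall -9 openvpn` and `ping -c 3 8.8.8.8`; the pings should time out and `sudo iptables -S OUTPUT` should still show `-P OUTPUT DROP`. To get back online, flush by hand (`sudo iptables -P OUTPUT ACCEPT && sudo iptables -F OUTPUT`). If you want the switch to survive clean disconnects too, drop the `down` line as df says; keep in mind that the rules then persist across reconnects, so a `remote` given as a hostname will fail to resolve while they are in place (use an IP in `remote`, or flush first).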


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Wed May 15, 2019 4:38 pm

Tks DF. There must be something in NM, I did the killall and it can still ping 8.8.8.8. The script-security 2 was included but AFTER the up/down lines as per the CS website instructions, whereas it was before the up/down lines in the standard cfg. Would that make a difference?

I'll try connecting via the terminal over the next few days and give it another test.


df
Site Admin
Posts: 404
Joined: Thu Jan 01, 1970 5:00 am

Re: Circuit Breaker

Post by df » Wed May 15, 2019 4:43 pm

It doesn't matter whether the script-security line is before or after up/down.
The only other thing I can think of is that there's more than one up/down line; that would also cause the killswitch not to run (like if your config is still using the old update-resolv-conf thing for DNS leak prevention).


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Wed May 15, 2019 5:01 pm

I'll check the config again, those up/down lines were at the end of the std configs but it won't hurt to check.

Is there a way I can check the update-resolv-conf script after I disconnect the VPN to see what it's doing? This is what iptables -L gave me while I'm connected now:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


df
Site Admin
Posts: 404
Joined: Thu Jan 01, 1970 5:00 am

Re: Circuit Breaker

Post by df » Wed May 15, 2019 5:06 pm

just do a `grep ^up whatever.ovpn` to check the up lines in the config.
The update-resolv-conf script doesn't use iptables, it updates /etc/resolv.conf
But killswitch does use iptables for DNS leak protection.
You can check if those rules are still there with `iptables -L -n -t nat`
But if they were still there, DNS would fail when trying to connect.
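The config checks df lists across this thread (exactly one up line, at most one down line, a script-security 2 line, no leftover update-resolv-conf), as an added shell function rather than anything from cryptostorm. The function name ks_check_config and the sample configs written in the usage are made up for illustration. It also warns if a referenced script is not executable on the host, which covers the `ls -l` check MOQ888 did by hand. One caveat worth knowing when the config passes but the switch still does not fire under NetworkManager: the NetworkManager OpenVPN plugin starts openvpn with its own --up helper and its importer drops the user's up/down lines, so the result has to be confirmed from a terminal with `openvpn --config` as df recommends.

```shell
#!/bin/sh
# Lint an .ovpn before importing it anywhere (added example; not cryptostorm's
# script). Checks: exactly one up line, at most one down line, script-security 2
# (or higher), no leftover update-resolv-conf, referenced scripts executable.
# Usage: ks_check_config /path/to/file.ovpn   (exit 0 = looks right)

ks_check_config() {
    cfg="$1"; rc=0
    # grep -c prints 0 on no match but exits 1, so tolerate that under set -e
    ups=$(grep -c '^up[[:space:]]' "$cfg" || true)
    downs=$(grep -c '^down[[:space:]]' "$cfg" || true)
    [ "$ups" -eq 1 ] \
        || { echo "$cfg: expected exactly one 'up' line, found $ups"; rc=1; }
    [ "$downs" -le 1 ] \
        || { echo "$cfg: more than one 'down' line ($downs)"; rc=1; }
    grep -Eq '^script-security[[:space:]]+[23]' "$cfg" \
        || { echo "$cfg: missing 'script-security 2' (up/down scripts will not run)"; rc=1; }
    grep -q 'update-resolv-conf' "$cfg" \
        && { echo "$cfg: still references update-resolv-conf; the killswitch handles DNS"; rc=1; }
    # Each referenced script must be an executable file. Warn only, so a config
    # can be linted on a machine that does not have the scripts installed yet.
    for f in $(sed -nE 's/^(up|down)[[:space:]]+([^[:space:]]+).*/\2/p' "$cfg"); do
        [ -x "$f" ] || echo "$cfg: warning: $f is not an executable file on this host"
    done
    return $rc
}
```

Run it over every .ovpn you intend to import (`for c in *.ovpn; do ks_check_config "$c"; done`); a config that references update-resolv-conf alongside the killswitch script, like the default ones in this thread, is flagged with two messages and a non-zero exit.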


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Wed May 15, 2019 5:18 pm

The grep command correctly identified the line KS_lan_up.sh (I renamed it) in the /usr/local/bin folder:

root@e8100-i7:/usr/local/bin# ls -l
total 1696
-rwxr-xr-x 1 root root 1970 May 15 21:01 KS_lan_up.sh

It looks executable to me, so I thought it "should" run for a non-root login.

The iptables command:
root@e8100-i7:/home/sysadmin/Documents/CS/RSAconfigs# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Earlier I used one of the other VPN connections that has the up/down update-resolv-conf lines in the standard config. Would this impact this kill switch modified config? Should I try all this again after a restart tomorrow?


Topic Author
MOQ888
Posts: 50
Joined: Sun Apr 02, 2017 6:31 pm

Re: Circuit Breaker

Post by MOQ888 » Wed May 15, 2019 5:24 pm

I'll try using the terminal to connect later this week, maybe it's just NM. If that works I'll move away from the RSA configs.
