OpenVPN, iptables, group, killswitch
Posted: Sun Oct 23, 2022 10:54 am
I have a little problem, so I have a question.
I want to make a killswitch, but with rules that accept ONLY on set ports and destination/source IP and (it's very important for me) ONLY for the group (openvpngroup).
That works for me only if I don't add '--gid-owner'. Is there any way to run openvpn as a group? For example, 100.100.100.100 is the IP of the server.
And if I run this without "-m owner --gid-owner openvpngroup" everything works. But if I kill the openvpn process I can still make a connection (telnet) to that IP on that port. I want that, if I kill openvpn opened by the group (openvpngroup), I wouldn't be able to make any connection.
Code:
# Start from an empty rule set with DROP as the default policy on every chain
sudo iptables --flush
sudo iptables --delete-chain
sudo iptables -t nat --flush
sudo iptables -t nat --delete-chain
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Loopback and the local LAN stay reachable
sudo iptables -A OUTPUT -j ACCEPT -o lo
sudo iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -o enp4s0
# Only sockets owned by openvpngroup may reach the VPN server on 443/tcp.
# The owner match is only valid in OUTPUT (and POSTROUTING), so it cannot be used in INPUT.
sudo iptables -A OUTPUT -d 100.100.100.100 -o enp4s0 -p tcp -m owner --gid-owner openvpngroup --dport 443 -j ACCEPT
# Replies come FROM port 443 on the server, so match --sport and the connection state instead of an owner
sudo iptables -A INPUT -s 100.100.100.100 -i enp4s0 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everything inside the tunnel is allowed
sudo iptables -A INPUT -i tun0 -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -j ACCEPT
Run openvpn:
Code:
sudo openvpn --group openvpngroup --daemon --config "$VPNFOLDER/$ovpn" --auth-user-pass "$PASSWORDFILE"
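As an added example (not code from the original post), the script below builds the same killswitch as a single rule set with the owner match only in OUTPUT, where the owner module is valid, matches the server's replies by source port and conntrack state instead, and starts openvpn with openvpngroup as the process's primary group before it creates its socket, since the gid-owner match looks at the credentials the socket was created with and openvpn only drops to --group after initialisation. The interface, LAN, server address, port and group name are the values from the post; the variable names, DRY_RUN, the build/check/apply functions and the `sudo -u root -g` invocation are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Values below come from the post;
# the helper functions and DRY_RUN switch are assumptions of this example.
IFACE="${IFACE:-enp4s0}"
LAN="${LAN:-192.168.1.0/24}"
VPN_SERVER="${VPN_SERVER:-100.100.100.100}"
VPN_PORT="${VPN_PORT:-443}"
VPN_GROUP="${VPN_GROUP:-openvpngroup}"

# Emit the rule set, one iptables invocation per line, without running it.
build_rules() {
    cat <<EOF
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $IFACE -d $LAN -j ACCEPT
iptables -A OUTPUT -o $IFACE -d $VPN_SERVER -p tcp --dport $VPN_PORT -m owner --gid-owner $VPN_GROUP -j ACCEPT
iptables -A INPUT -i $IFACE -s $VPN_SERVER -p tcp --sport $VPN_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
EOF
}

# Sanity check before loading: an owner match in INPUT makes iptables reject
# that rule, and the OUTPUT rule towards the server must carry the group match,
# otherwise any process could reach the server once openvpn is gone.
check_rules() {
    if build_rules | grep -- '-A INPUT' | grep -q -- '--gid-owner'; then
        return 1
    fi
    if ! build_rules | grep -- '-A OUTPUT' | grep -q -- '--gid-owner'; then
        return 1
    fi
    return 0
}

# Load the rules (or just print them with DRY_RUN=1).
apply_rules() {
    check_rules || { echo "rule set failed sanity check" >&2; return 1; }
    build_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$rule"
        else
            # shellcheck disable=SC2086
            sudo $rule
        fi
    done
}

# Run openvpn as root but with $VPN_GROUP as the primary group, so the socket
# it opens towards the server is owned by that group from the start.
# --group still drops privileges to the same group after initialisation.
start_openvpn() {
    config="$1"
    passfile="$2"
    sudo -u root -g "$VPN_GROUP" openvpn --group "$VPN_GROUP" --daemon \
        --config "$config" --auth-user-pass "$passfile"
}

case "${1:-}" in
    rules) apply_rules ;;
    start) start_openvpn "$2" "$3" ;;
esac
```

Usage: `DRY_RUN=1 sh killswitch.sh rules` prints the rules without touching the firewall, `sh killswitch.sh rules` loads them, and `sh killswitch.sh start "$VPNFOLDER/$ovpn" "$PASSWORDFILE"` starts the tunnel. With the rules loaded, a `telnet 100.100.100.100 443` from an ordinary shell (whose socket is not owned by openvpngroup) is dropped by the OUTPUT policy whether or not openvpn is running; only a process started with that primary group can reach the server, which is exactly the hole the killswitch leaves open on purpose for openvpn itself.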