OpenVPN, iptables, group, killswitch

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

ziomalxmpc
OpenVpn Newbie
Posts: 1
Joined: Sun Oct 23, 2022 10:00 am

OpenVPN, iptables, group, killswitch

Post by ziomalxmpc » Sun Oct 23, 2022 10:54 am

I have a little problem, so I have a question. :)

I want to make a killswitch, but with rules that accept ONLY set ports and destination/source IPs and (it's very important for me) ONLY for a group (openvpngroup).

That's working for me only if I don't add '--gid-owner'. Is there any way to run openvpn as a group? For example, 100.100.100.100 is the IP of the server.

Code:

    # Reset all rules, then default-deny in all three chains
    sudo iptables --flush
    sudo iptables --delete-chain
    sudo iptables -t nat --flush
    sudo iptables -t nat --delete-chain
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP
    sudo iptables -P OUTPUT DROP
    # Loopback in both directions and the local LAN stay reachable
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A OUTPUT -o lo -j ACCEPT
    sudo iptables -A OUTPUT -o enp4s0 -d 192.168.1.0/24 -j ACCEPT

    # Only sockets owned by openvpngroup may reach the VPN server on 443.
    # The owner match exists only in OUTPUT (and POSTROUTING); iptables rejects
    # it in INPUT, so replies from the server (source port 443) are admitted
    # as established traffic instead of with a second owner rule.
    sudo iptables -A OUTPUT -o enp4s0 -d 100.100.100.100 -p tcp --dport 443 -m owner --gid-owner openvpngroup -j ACCEPT
    sudo iptables -A INPUT -i enp4s0 -s 100.100.100.100 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Everything through the tunnel is allowed
    sudo iptables -A INPUT  -i tun0 -j ACCEPT
    sudo iptables -A OUTPUT -o tun0 -j ACCEPT
And if I run this without "-m owner --gid-owner openvpngroup" everything is working. But if I kill the openvpn process I can still make a connection (telnet) to that IP on that port. I want that if I kill openvpn opened by the group (openvpngroup), I wouldn't be able to make any connection.

Run openvpn:

Code:

    sudo openvpn --group openvpngroup --daemon --config "$VPNFOLDER/$ovpn" --auth-user-pass "$PASSWORDFILE"
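As an added example (not from the post), the same kill switch written as an iptables-restore ruleset: the owner match stays in OUTPUT where it is valid, replies are admitted by connection state, and OpenVPN is launched under sg(1) so its socket is created with the group already set. The server IP, port, interface and group are taken from the post; the conntrack rule and the sg launch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): emit the kill-switch ruleset in
# iptables-restore format so it can be reviewed and then applied in one step.
# Values below are taken from the post; the conntrack rule, the
# iptables-restore layout and the "sg" launch are this example's additions.
VPN_SERVER="100.100.100.100"
VPN_PORT="443"
VPN_GROUP="openvpngroup"
LAN_IF="enp4s0"
LAN_NET="192.168.1.0/24"

# The owner match is only valid in OUTPUT (and POSTROUTING). Replies from
# the server are admitted by conntrack state, not by a second owner rule.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
-A OUTPUT -o $LAN_IF -d $VPN_SERVER -p tcp --dport $VPN_PORT -m owner --gid-owner $VPN_GROUP -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
EOF
}

# Replace the live filter table atomically: no flush-then-rebuild window.
apply_rules() {
    build_rules | iptables-restore
}

# Number of rules in chain $1 that carry an owner match (sanity check).
owner_rules_in_chain() {
    build_rules | grep -c -e "^-A $1 .*-m owner" || true
}

# Assumption of this example: the owner match sees the credentials the
# socket was created with, and openvpn opens its socket before --group
# drops privileges, so the group is set up front with sg(1).
start_openvpn() {
    sg "$VPN_GROUP" -c "openvpn --daemon --config '$1' --auth-user-pass '$2'"
}
```

Run `build_rules` to review the generated ruleset, then `apply_rules` as root to load it.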
