From ArchWiki

My configuration notes for openvpn.

iptables killswitch

Based on user

Pick a user to be confined to the openvpn tun device. Note that --gid-owner matches on the process's group, not its user: <user> here is the user's primary group (name or numeric GID; the sample output below shows it resolved to GID 111). Use --uid-owner <user> instead to match by user. Two things this single rule does not cover: loopback traffic from that owner is rejected too unless an earlier rule accepts -o lo, and IPv6 is a separate table, so an IPv6-capable host needs the same rule in ip6tables.

Modify <user> and <tun> to suit.
# iptables -A OUTPUT ! -o <tun> -m owner --gid-owner <user> -j REJECT --reject-with icmp-port-unreachable

Should create:

# iptables -nvL
0  0 REJECT     all  --  *      !tun0              owner GID match 111 reject-with icmp-port-unreachable

Don't forget to save the iptables config for persistence across reboots (on Arch: write the rules with iptables-save to /etc/iptables/iptables.rules and enable iptables.service).
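Added example, not part of the original notes: a small shell script that renders the killswitch for one user as an iptables rule set you can review and then pipe to sh, plus a check that reads the output of "iptables -S OUTPUT" and confirms the REJECT rule is present. It goes a bit beyond the single rule above: it matches by uid (as the heading says) rather than gid, keeps loopback open, and adds the ip6tables twin. The interface tun0, uid 1000 and the sample rule dump are assumptions, constructed for the example.

```shell
#!/bin/sh
# Added example: owner-based openvpn killswitch rendered as an iptables
# rule set.  Not the wiki page's own commands.  Assumed values: interface
# tun0, numeric uid 1000, and a constructed "iptables -S OUTPUT" dump.

# killswitch_rules TUN USER
# Print the commands that confine USER (name or numeric uid) to TUN.
# Review the output, then apply it with:  killswitch_rules tun0 1000 | sh
killswitch_rules() {
    tun=$1
    user=$2
    cat <<EOF
# loopback stays reachable (local resolvers, IPC over 127.0.0.1)
iptables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT
# everything else from $user must leave via $tun
iptables -A OUTPUT ! -o $tun -m owner --uid-owner $user -j REJECT --reject-with icmp-port-unreachable
# IPv6 is a separate table; without these rules an IPv6-capable host leaks
ip6tables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT
ip6tables -A OUTPUT ! -o $tun -m owner --uid-owner $user -j REJECT --reject-with icmp6-port-unreachable
EOF
}

# killswitch_present TUN UID  < dump
# Read "iptables -S OUTPUT" output on stdin and succeed only if the REJECT
# rule for UID exists.  -S prints numeric ids, so UID must be numeric here.
# Live check:  iptables -S OUTPUT | killswitch_present tun0 1000
killswitch_present() {
    grep -q -- "-A OUTPUT ! -o $1 -m owner --uid-owner $2 -j REJECT"
}

# Constructed sample of "iptables -S OUTPUT" on a host where the rules for
# uid 1000 have been applied (assumption, not captured from a real system).
SAMPLE_DUMP='-P OUTPUT ACCEPT
-A OUTPUT -o lo -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT ! -o tun0 -m owner --uid-owner 1000 -j REJECT --reject-with icmp-port-unreachable'
```

Running "printf '%s\n' "$SAMPLE_DUMP" | killswitch_present tun0 1000" succeeds, while uid 1001 or interface tun1 fails, which is the check to script after every reboot if the rules are supposed to be persistent.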

Based on cgroup



Based on user

This is a little convoluted. OpenVPN in this configuration is set to capture all network traffic and send it over the tun device (redirect-gateway overrides the default route; see the reference section), so routing one user around the tunnel needs a second routing table that still points at the LAN gateway, plus a packet mark to select that table for the user's traffic.

Create a routing table

# echo 11 novpn >> /etc/iproute2/rt_tables

Configure static route

That routing table will persist across reboots, but its contents (the default route and the fwmark rule) won't. There's got to be a smarter way to do this, but I wound up making a custom systemd service based on the forum post in the reference section. The instance name (%i) is the interface, so it selects both the conf.d directory and the rp_filter sysctl. rp_filter is relaxed to loose mode (2) on that interface because replies for the bypassed user arrive on eth0 while the main table routes those addresses via tun; with strict mode (1) the kernel drops them. Note that the kernel applies the stricter of net.ipv4.conf.all.rp_filter and the per-interface value, so the all setting must not be 1 either. Enable it as iproute2@eth0.service once eth0 is configured, since the route cannot be added while the interface is down.

# cat /etc/systemd/system/iproute2@.service
[Unit]
Description=iproute2 (%i)
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ip -b /etc/conf.d/iproute2/%i/start ; /usr/bin/sysctl -w net.ipv4.conf.%i.rp_filter=2
ExecStop=/usr/bin/ip -b /etc/conf.d/iproute2/%i/stop ; /usr/bin/sysctl -w net.ipv4.conf.%i.rp_filter=1
[Install]
WantedBy=multi-user.target

In the batch files, <gateway> is the LAN gateway reachable on eth0 (ip route requires an address after via). The fwmark 0xa is what the iptables rule below has to set as <mk>.

# cat /etc/conf.d/iproute2/eth0/start
route add default via <gateway> dev eth0 table 11
rule add fwmark 0xa table 11
# cat /etc/conf.d/iproute2/eth0/stop
route del default table 11
rule del fwmark 0xa table 11

Set up iptables

Replace <user> and <mk>; <mk> must be the fwmark used in the routing rule above (0xa).
# iptables -t mangle -A OUTPUT -m owner --uid-owner <user> -j MARK --set-mark <mk>

Any application running as this user is now routed out of the regular device instead of over the openvpn tunnel. One thing to check: the socket's source address is chosen from the main table when it connects, before the mark is applied, so marked packets can leave eth0 carrying the tun address and the remote end's replies go nowhere. A MASQUERADE (or SNAT to the eth0 address) rule in the nat POSTROUTING chain, matching -o eth0 and the mark, fixes this; conntrack then reverses it for the replies.
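The whole bypass procedure as one script, added here as an example and not taken from the notes' service or batch files: it creates the route in table 11, the fwmark rule, the MARK rule, the source-address rewrite that the notes do not include, and the rp_filter change, with matching teardown. By default it prints the privileged commands instead of running them so the result can be reviewed; set DRY_RUN=0 to apply. The interface name eth0, table 11 and mark 0xa follow the notes; the gateway address 192.0.2.1 and the user name alice are placeholders (assumptions) to replace.

```shell
#!/bin/sh
# Added example: route one user's traffic around the openvpn tunnel.
# Not the wiki page's own files.  Assumptions: eth0 is the LAN interface,
# 192.0.2.1 is a placeholder gateway, table 11 / mark 0xa as on the page.

IFACE=${IFACE:-eth0}
TABLE=${TABLE:-11}
MARK=${MARK:-0xa}
GATEWAY=${GATEWAY:-192.0.2.1}   # placeholder: set to the real LAN gateway
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands, 0 = run them (as root)

# run CMD...: print one privileged command, or execute it when DRY_RUN=0
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bypass_start USER: send USER's traffic out of $IFACE instead of the tunnel
bypass_start() {
    user=$1
    # table 11 only knows the LAN gateway, so openvpn's /1 routes in the
    # main table never apply to lookups that land here
    run ip route replace default via "$GATEWAY" dev "$IFACE" table "$TABLE"
    # marked packets are looked up in table 11 before the main table
    run ip rule add fwmark "$MARK" table "$TABLE"
    # mark everything the user's processes send
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$MARK"
    # the socket picked its source address from the main table (the tun
    # address) before the mark existed, so rewrite it on the way out
    run iptables -t nat -A POSTROUTING -o "$IFACE" -m mark --mark "$MARK" -j MASQUERADE
    # replies arrive on $IFACE although the main table routes them via tun;
    # loose mode accepts them (all.rp_filter must not be 1, the max wins)
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=2"
}

# bypass_stop USER: undo bypass_start in reverse order
bypass_stop() {
    user=$1
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=1"
    run iptables -t nat -D POSTROUTING -o "$IFACE" -m mark --mark "$MARK" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route del default table "$TABLE"
}

# Usage:  bypass_start alice          (prints the commands)
#         DRY_RUN=0 bypass_start alice (applies them; needs root)
```

A quick way to confirm the result after applying it is to compare "curl --interface" is not needed at all: run "sudo -u alice curl -s https://ifconfig.me" style checks from that user and from any other user and expect two different public addresses, the first being the LAN uplink and the second the VPN exit.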

Reference

1. General information about how openvpn overrides the default route.
2. Resource on configuring iptables.
3. Discussion for iproute2@.service.

Based on cgroup