
I have a VPN (IKEv2) set up on a Debian VM. I'm trying to create a kill switch to stop all traffic when the VPN goes down. I've followed the guidance of this post.

It seems to work fairly well (torrent traffic is directed through the VPN and is halted when the VPN goes down), but the firewall is blocking web traffic even when the VPN is up.

Here is my firewall config:

sudo ufw reset
sudo ufw allow in from 192.168.0.0/24 
sudo ufw allow out to 192.168.0.0/24 
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out to 184.75.213.194 port 500 proto udp
sudo ufw allow out to 184.75.213.194 port 4500 proto udp
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any

Here is some connection info:

> ip addr | grep inet
inet 127.0.0.1/8 scope host lo
inet 192.168.0.30/24 brd 192.168.0.255 scope global dynamic noprefixroute enp0s3
inet 10.128.1.99/32 scope global enp0s3
inet6 fe80::a00:27ff:fe68:3414/64 scope link noprefixroute
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

> ip r
default via 192.168.0.1 dev enp0s3 proto dhcp metric 100 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.128.1.99 dev enp0s3 proto kernel scope link src 10.128.1.99 metric 50 
10.128.1.99 dev enp0s3 proto kernel scope link src 10.128.1.99 metric 100 
169.254.0.0/16 dev enp0s3 scope link metric 1000 
192.168.0.0/24 dev enp0s3 proto kernel scope link src 192.168.0.30 metric 100 

> cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.128.0.1
nameserver 192.168.0.1
nameserver 1.1.1.1
search Home

> ip ru
0:  from all lookup local 
220:    from all lookup 220 
32766:  from all lookup main 
32767:  from all lookup default 

> resolvectl
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.

> sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24            
Anywhere on tun0           ALLOW       Anywhere                  

192.168.0.0/24             ALLOW OUT   Anywhere                  
184.75.213.194 500/udp     ALLOW OUT   Anywhere                  
184.75.213.194 4500/udp    ALLOW OUT   Anywhere                  
Anywhere                   ALLOW OUT   Anywhere on tun0

Any help would be greatly appreciated!

  • Please add the output of ip r, the content of /etc/resolv.conf, and maybe also the output of ip ru and resolvectl, to your question.
    – Tom Yan
    Commented May 7, 2022 at 20:55
  • Added all 4. @TomYan
    – furnaceX
    Commented May 7, 2022 at 21:08
  • Also the output of ufw status
    Commented May 7, 2022 at 22:35
  • @mashuptwice added!
    – furnaceX
    Commented May 7, 2022 at 22:58
  • @furnaceX your default route is over 192.168.0.1 instead of your tunnel. You need to create a default route with your VPN's IP instead to have the traffic routed through it. Keep in mind that any web traffic like logging in to your gmail account could deanonymize you.
    Commented May 7, 2022 at 23:23
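An added example, not from the question or any answer on this page, that models the routing table and outbound ufw rules shown in the question the way the kernel and ufw evaluate them: longest-prefix route lookup picks the egress interface, then the outbound rules are tried in the order they were added and `default deny outgoing` catches everything else. The route and rule data are copied from the question's output; the sample flows at the bottom are constructed.

```python
import ipaddress

# Routes from the question's `ip r` output: (prefix, egress device). The two
# 10.128.1.99 entries differ only by metric, so one stands in for both.
ROUTES = [
    ("0.0.0.0/0", "enp0s3"),  # default via 192.168.0.1
    ("10.8.0.0/24", "tun0"),
    ("10.128.1.99/32", "enp0s3"),
    ("169.254.0.0/16", "enp0s3"),
    ("192.168.0.0/24", "enp0s3"),
]
# Outbound ufw rules from the question, in the order added:
# (destination prefix, proto, dst port, required egress device); None = any.
# Anything unmatched falls through to `default deny outgoing`.
OUT_RULES = [
    ("192.168.0.0/24", None, None, None),
    ("184.75.213.194/32", "udp", 500, None),
    ("184.75.213.194/32", "udp", 4500, None),
    (None, None, None, "tun0"),
]

def egress_dev(dst):
    """Longest-prefix match over the main table, as the kernel does it."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, dev)
               for p, dev in ROUTES if ip in ipaddress.ip_network(p)]
    return max(matches)[1]

def outbound_allowed(dst, proto, port):
    """Return (allowed, egress device) for a new outbound flow."""
    dev, ip = egress_dev(dst), ipaddress.ip_address(dst)
    for net, r_proto, r_port, r_dev in OUT_RULES:
        # Every field the rule specifies must match; unspecified fields match anything.
        if (net and ip not in ipaddress.ip_network(net)) or \
           (r_proto and r_proto != proto) or (r_port and r_port != port) or \
           (r_dev and r_dev != dev):
            continue
        return True, dev
    return False, dev  # default deny outgoing

if __name__ == "__main__":
    # Constructed sample flows: web traffic, the IKE handshake, and two of the resolvers.
    for dst, proto, port in [("1.1.1.1", "tcp", 443), ("184.75.213.194", "udp", 500),
                             ("10.128.0.1", "udp", 53), ("192.168.0.1", "udp", 53)]:
        ok, dev = outbound_allowed(dst, proto, port)
        print(f"{proto}/{port} to {dst:15} leaves via {dev:6} -> {'ALLOW' if ok else 'DENY'}")
```

Every destination that is neither on the LAN nor one of the two IKE ports comes out as DENY via enp0s3, which matches the symptom: the `allow out on tun0` rule never sees traffic that the default route sends out enp0s3, and that includes DNS to the first resolver in resolv.conf, 10.128.0.1.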
