
I'm trying to set up a kill switch so that if OpenVPN becomes inactive all other connections will be blocked. I tried to adapt this Linux setup, but it doesn't seem to work on FreeBSD.

This is my openvpn.config:

group openvpn
dev tun
remote url.xxx.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
ca ".../keys/ca.crt"
cert ".../keys/user.crt"
key ".../keys/user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-auth ".../keys/ta.key" 1

and this is my ipfw config script:

#!/bin/sh
# FreeBSD has no /bin/bash (bash, if installed, lives in /usr/local/bin); the script only uses POSIX sh features
ipfw -q -f flush                                    # drop every existing rule
cmd="ipfw -q add"
$cmd 00001 allow all from any to any via lo0        # loopback
$cmd 00010 allow all from any to any via tun0       # the vpn interface
$cmd 00101 allow all from me to 192.168.0.0/16      # local network, both directions
$cmd 00102 allow all from 192.168.0.0/16 to me
$cmd 00103 allow all from any to any gid openvpn    # sockets owned by group openvpn
$cmd 00104 allow all from any to any established    # TCP packets with ACK or RST set
$cmd 00110 allow tcp from any to any dst-port 53 out setup keep-state   # DNS
$cmd 00111 allow udp from any to any dst-port 53 out keep-state
$cmd 00201 deny all from any to any                 # everything else is blocked

Unfortunately, OpenVPN can't establish a connection with this configuration:

Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/user.key' is group or others accessible
Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/ta.key' is group or others accessible
Mon Jul 20 22:13:17 2020 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 12 2020
Mon Jul 20 22:13:17 2020 library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Mon Jul 20 22:13:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 Socket Buffers: R=[42080->262144] S=[9216->262144]
Mon Jul 20 22:13:17 2020 UDP link local: (not bound)
Mon Jul 20 22:13:17 2020 UDP link remote: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Jul 20 22:13:17 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:19 2020 write UDP: Permission denied (code=13)

It looks like on FreeBSD OpenVPN wants to start as root/wheel no matter what, and it will downgrade to a custom group only once the first connection has been successfully established. Is there a way around that?

I also tried to configure ipfw to allow any connection to/from url.xxx.com, but ipfw doesn't seem to support URLs.

Did anyone successfully set up a kill switch on FreeBSD?
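
An added example, not the asker's script and not code from the OpenVPN or FreeBSD projects. The log above shows why rule 00103 never matches: OpenVPN sends its first UDP packets while still running as root, and the `--group` downgrade happens only after the connection is up, so a `gid openvpn` rule cannot let the handshake through. The rule set below instead permits only the VPN endpoint's address and port (ipfw matches IP addresses, so the hostname has to be resolved before the rules are built) and relies on `keep-state` for the UDP replies, since `established` matches only TCP packets. The endpoint 203.0.113.10 (a TEST-NET-3 placeholder), UDP port 443, the interface name tun0, the LAN range and the function names are all assumptions; the rules are kept as text in a function so they can be inspected and checked without touching the kernel.

```shell
#!/bin/sh
# Added example (not the asker's script): FreeBSD ipfw kill switch that keys on
# the VPN endpoint address instead of the openvpn gid, because OpenVPN sends its
# first packets as root before the --group downgrade takes place.
# Assumptions/placeholders: endpoint 203.0.113.10 (TEST-NET-3), UDP 443,
# tunnel interface tun0, LAN 192.168.0.0/16. ipfw matches addresses, not
# hostnames, so resolve the server name before building the rules.

VPN_SERVER_IP="${VPN_SERVER_IP:-203.0.113.10}"   # placeholder: set to your server's IP
VPN_PORT="${VPN_PORT:-443}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"

# Emit the rule set, one "<number> <rule>" per line. Keeping it as text lets it
# be reviewed (DRY_RUN=1) and validated before anything is loaded.
# Note: a keep-state rule also performs check-state, so the reply packets from
# the VPN server are matched by the dynamic rule created by rule 00120 even
# though they never reach it; "established" only covers TCP.
killswitch_rules() {
    cat <<EOF
00001 allow all from any to any via lo0
00010 allow all from any to any via ${TUN_IF}
00101 allow all from me to ${LAN_NET}
00102 allow all from ${LAN_NET} to me
00110 allow tcp from me to any dst-port 53 out setup keep-state
00111 allow udp from me to any dst-port 53 out keep-state
00120 allow ${VPN_PROTO} from me to ${VPN_SERVER_IP} dst-port ${VPN_PORT} out keep-state
00130 allow all from any to any established
00201 deny all from any to any
EOF
}

# Sanity check: every line carries a 5-digit rule number, the numbers ascend,
# and the final rule is the catch-all deny. Returns 0 when all three hold.
validate_rules() {
    rules="$(killswitch_rules)"
    printf '%s\n' "$rules" | grep -qvE '^[0-9]{5} ' && return 1
    [ "$(printf '%s\n' "$rules" | cut -d' ' -f1 | sort -n | tr '\n' ' ')" = \
      "$(printf '%s\n' "$rules" | cut -d' ' -f1 | tr '\n' ' ')" ] || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -q '^00201 deny all from any to any$'
}

# Load the rules into the kernel (root on FreeBSD only). The unquoted $rule is
# intentional: ipfw expects each token as a separate argument.
load_rules() {
    validate_rules || { echo "rule set failed validation, not loading" >&2; return 1; }
    ipfw -q -f flush
    killswitch_rules | while read -r rule; do
        ipfw -q add $rule
    done
}

# DRY_RUN=1 ./killswitch.sh prints the rules; LOAD=1 ./killswitch.sh installs them.
if [ "${DRY_RUN:-0}" = "1" ]; then
    killswitch_rules
elif [ "${LOAD:-0}" = "1" ]; then
    load_rules
fi
```

Run it with `DRY_RUN=1` first to see exactly what would be installed, then with `LOAD=1` as root. If the VPN provider's address changes, only `VPN_SERVER_IP` needs updating; a hostname with several A records needs one 00120-style rule per address.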

  • I followed this guide with apparent success. It is similar to yours, but narrows the filter to the transmission uid and doesn't include the DNS filter. Commented Nov 27, 2020 at 16:41
