I've set up OpenVPN to run on a second fib on boot. If OpenVPN goes down on this fib, I want to be sure that applications running on that fib do not leak traffic to the outside world.
When connected to uk-london.privateinternetaccess.com, PIA assigns the VPN IP from a pool, so to allow for the IP to get assigned on boot, I allow fib1 access to the public internet-facing wlan0 interface initially:
/etc/rc.conf
Code:
static_routes="vpn"
route_vpn="default -iface wlan0 -fib 1"
The reason I don't pass a static IP here is that wlan0 gets a DHCP IP from my home router.
It concerns me that I need to expose fib1 to unencrypted internet even for a short while, but it seems necessary to get the VPN IP assigned from PIA.
To make sure all further traffic is sent encrypted over the tun, I don't let OpenVPN set the default route:
/usr/local/etc/openvpn/openvpn.conf
Code:
route-noexec
Instead, I call a script from OpenVPN to set the default route manually based on the tun IP:
Code:
script-security 2
up "/usr/local/etc/openvpn/link-up.sh tun0"
/usr/local/etc/openvpn/link-up.sh
Code:
#!/bin/sh
# Called by OpenVPN as "link-up.sh tun0". The tun interface is point-to-point,
# so the fourth field of its "inet" line (after "-->") is the peer address, which
# becomes the default gateway of routing table (fib) 1.
IP=$(/sbin/ifconfig "$1" | awk '/inet /{print $4}')
# Never delete the existing default route unless there is a replacement for it.
[ -n "$IP" ] || { echo "LINK-UP - no peer address on $1, routing table 1 left unchanged" >&2; exit 1; }
echo "LINK-UP - SETTING AS DEFAULT GATEWAY FOR ROUTING TABLE 1: $IP"
/usr/sbin/setfib -1 /sbin/route delete default
/usr/sbin/setfib -1 /sbin/route add default "$IP"
To prevent DNS leaks, my /etc/resolv.conf connects to a dnscrypt server without logs. I run applications with, e.g.,
Code:
setfib -1 application
or through a jail with the default fib set to 1.

Is this setup safe? If the OpenVPN connection drops, my understanding is that the default route to the tunnel device for fib1 will go down. Therefore, no applications running through fib1 will have a route to the public-facing wlan0, so no unencrypted traffic will leak. Is that understanding correct? Or do I need some firewall rules to strengthen this?
Thanks for reading.
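The firewall layer the question asks about, as an added example that is not part of the original post: an ipfw egress clamp that drops any fib-1 packet leaving through wlan0 unless it is OpenVPN's own UDP session to the VPN server, so the boundary no longer depends on which default route fib 1 happens to hold. Assumed: the host already runs ipfw with its own ruleset, and the VPN server address and port are placeholders (203.0.113.10 is RFC 5737 documentation space, 1194 is OpenVPN's default port).

```sh
#!/bin/sh
# Added example, not from the original post: an ipfw "kill switch" for
# routing table 1. It sits in front of the host's existing ruleset and only
# governs fib-1 packets that would leave via the physical uplink. Interface
# and fib numbers are the ones from the post; server address and port are
# placeholders.
UPLINK="${UPLINK:-wlan0}"
VPN_FIB="${VPN_FIB:-1}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder (RFC 5737)
VPN_PORT="${VPN_PORT:-1194}"               # placeholder (OpenVPN default)

# Emit the rules, one ipfw(8) command per line, lowest number first.
# Rule numbers are chosen to precede a typical /etc/rc.firewall ruleset.
kill_switch_rules() {
    # The only thing fib 1 may send out of the uplink: OpenVPN's own
    # encrypted UDP session to the VPN server, needed while the tunnel is
    # being (re)established over the bootstrap default route from rc.conf.
    echo "add 1000 allow udp from me to $VPN_SERVER $VPN_PORT out via $UPLINK fib $VPN_FIB"
    # Every other fib-1 packet that would leave through the uplink is
    # dropped and logged, whatever default route fib 1 holds at the time.
    # Packets routed into tun0 never match this rule and fall through.
    echo "add 1010 deny log ip from any to any out via $UPLINK fib $VPN_FIB"
}

case "${1:-}" in
    apply)   # needs root on FreeBSD; loads the rules in order
        kill_switch_rules | while read -r rule; do /sbin/ipfw -q $rule; done ;;
    *)       # default: just show what would be loaded
        kill_switch_rules ;;
esac
```

Run with `apply` from an rc script or the OpenVPN `up` hook; without arguments it only prints the ruleset for review.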