VPN manager and kill switch for Linux, based on OpenVPN and UFW.
remileduc/vpn-mgr
License: MIT

VPN Manager

Script to easily manage OpenVPN and create a firewall kill switch with UFW.

It allows easy start and stop of the VPN connection and the kill switch, and easy change of the VPN server.

The current version is bound to OpenVPN, though it is easy to make it work with another VPN, as only a small subset of the code is concerned. More information below.

Installation

Configuration

Usage

Use another VPN provider

Installation

You need to install the following packages:

  • openvpn
  • ufw

Configuration

Below, we assume that your computer is connected to the internet via the interface enp1s0, that the VPN interface is called tun0, and that you are on the local network 192.168.1.0/24.

If this is not the case, change the values below accordingly.

Firewall (ufw)

First, create the firewall rules:

  • all incoming traffic is denied by default
  • all outgoing traffic is denied by default
  • all routed traffic is allowed by default (for a later update)
  • create a kill switch
    • we allow traffic through enp1s0 only from and to the local network, with no internet access
    • we override these rules temporarily so the internet is still accessible until we start the VPN
  • allow all traffic on tun0
    • when the VPN is on, all internet traffic passes through there

As root:

# global rules
ufw default deny incoming
ufw default deny outgoing
ufw default allow routed
# kill switch
ufw allow in on enp1s0 from 192.168.1.0/24
ufw allow out on enp1s0 to 192.168.1.0/24
# bypass killswitch
ufw allow in on enp1s0
ufw allow out on enp1s0
# VPN
ufw allow in on tun0
ufw allow out on tun0

Thus, when we start the VPN, we only have to delete the 2 bypass rules and add one that authorizes traffic to the VPN server only. This creates a kill switch: as soon as we can't connect to the VPN server, all traffic is stopped.

This is automatically done thanks to vpn-mgr.sh.

OpenVPN

We need to create a file with our VPN credentials, so OpenVPN can connect to the VPN server by itself. Replace EMAIL and PASSWORD with your credentials.

Note that it is important that the file is created in /etc/openvpn/. If you want to change the filename, you'll have to change the variable AUTHFILE in vpn-mgr.sh.

As root:

echo "EMAIL" > /etc/openvpn/nordvpn_authentication
echo "PASSWORD" >> /etc/openvpn/nordvpn_authentication
chmod a-rwx,u=r /etc/openvpn/nordvpn_authentication

You now need to copy the files etc/default/openvpn, etc/openvpn/update-resolv-conf and etc/sysctl.d/00_tun0_noipv6.conf in the proper folders (respectively /etc/default/openvpn, /etc/openvpn/update-resolv-conf and /etc/sysctl.d/00_tun0_noipv6.conf).

The first file is the configuration for OpenVPN. The only interesting line is AUTOSTART="nordvpn", which makes OpenVPN automatically connect to a VPN server whose configuration file is /etc/openvpn/nordvpn.conf. This file is generated automatically by vpn-mgr.sh.

The second file is used to prevent DNS leaks.

The last file avoids IPv6 leaks, as NordVPN doesn't support IPv6.

Finally, to automatically start OpenVPN on boot, we enable its service:

systemctl enable openvpn

vpn-mgr.sh

You can put the file vpn-mgr.sh wherever is most convenient for you. A good location is /usr/local/sbin/.

You can update the following variables (at the top of the file) with your values:

  • SERVERCONF_FILE='/etc/openvpn/nordvpn.conf'
  • AUTHFILE='nordvpn_authentication'
  • NET_INTERFACE='enp1s0'

Usage

You need to be root to use vpn-mgr.sh.

You can run vpn-mgr.sh help to see the full help. Briefly, you can invoke it with the following commands:

  • help - shows the help
  • start - starts the VPN and enables the kill switch
  • stop - stops the VPN and disables the kill switch
  • restart - restarts the VPN (useful when the connection to the VPN server is lost)
  • status - tells the status of the VPN manager
  • set - changes the VPN server in use

More information on the set command.

You can choose which server to use for NordVPN here: https://nordvpn.com/servers/tools/.

vpn-mgr.sh set se203

This will automatically use the VPN server se203.nordvpn.com. What happens exactly:

  • if possible, it downloads the full list of NordVPN servers from https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip.
  • it copies the configuration file se203.nordvpn.com.udp.ovpn to /etc/openvpn/nordvpn.conf
    • note that we use the UDP version
  • it updates the configuration file by adding
    • configuration to avoid DNS leaks, thanks to etc/openvpn/update-resolv-conf
    • the path to the credential file, so it connects automatically
    • the name of the selected server as a comment on the last line
  • it updates the UFW rules
  • it restarts OpenVPN and UFW

You then need to wait around 30 seconds before internet access comes back through the new server.
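To make the two steps above concrete (the set command's rewriting of the .ovpn file, and the start command's swap of the bypass rules for a server-only rule, described in the Firewall section), here is an added example in POSIX shell. It is not the vpn-mgr.sh code: the function names prepare_conf and killswitch_rules, the sample .ovpn text and the server address 203.0.113.10 are constructed for this illustration, and the functions print the ufw commands instead of running them so they can be reviewed as a dry run.

```shell
#!/bin/sh
# Added example, not taken from vpn-mgr.sh. Function names, the sample
# .ovpn content and the server address are constructed for illustration.

NET_INTERFACE='enp1s0'
AUTHFILE='nordvpn_authentication'

# Constructed sample of the relevant lines of a NordVPN-style .ovpn file
# (a real one also carries many more options and an inline CA certificate).
SAMPLE_OVPN='client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
auth-user-pass
verb 3'

# prepare_conf SERVER_NAME  (reads the .ovpn on stdin, writes the config on stdout)
# Mirrors what the README says "set" adds: the DNS-leak hook scripts, the
# credential file path (absolute path assumed here) and the server name as
# a comment on the last line.
prepare_conf() {
    sed "s|^auth-user-pass\$|auth-user-pass /etc/openvpn/$AUTHFILE|"
    cat <<EOF
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# server: $1
EOF
}

# killswitch_rules  (reads the config on stdin, writes ufw commands on stdout)
# Drops the two bypass rules and allows the LAN interface to reach only the
# VPN endpoint taken from the "remote HOST PORT" and "proto" lines.
killswitch_rules() {
    host=''; port='1194'; proto='udp'
    while read -r key a b _; do
        case "$key" in
            remote) host="$a"; port="${b:-$port}" ;;
            proto)  proto="$a" ;;
        esac
    done
    [ -n "$host" ] || { echo "no remote line in config" >&2; return 1; }
    printf '%s\n' \
        "ufw delete allow in on $NET_INTERFACE" \
        "ufw delete allow out on $NET_INTERFACE" \
        "ufw allow out on $NET_INTERFACE to $host port $port proto $proto"
}

# Dry run: show the config that would be written and the rules for it.
printf '%s\n' "$SAMPLE_OVPN" | prepare_conf se203 | killswitch_rules
```

Because the allow rule is scoped to the endpoint's address, port and protocol, any traffic that does not go through tun0 is blocked the moment the tunnel is down, which is exactly the kill-switch behaviour the README describes.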

Use another VPN provider

This script was created because the NordVPN app on Linux is not free (open source) and is very buggy (lots of crashes).

This solution uses widely known tools (OpenVPN and UFW), and as far as I have used it, it hasn't crashed yet...

Now, if you want to use this script with another VPN provider, you only have to change the vpn-mgr.sh script a bit. Indeed, only these 2 functions are bound to NordVPN:

  • _download-serverlist, which downloads the list of all available servers from NordVPN
  • _select_server, which selects a server from the aforementioned list.

These functions are about 10 lines long, so it should be very easy to support another provider. The main reason it is not already done is that I have only used NordVPN so far...

Feel free to contribute :)
