Hi all, I’m trying to have my rpi5 running raspberry OS communicate with the Internet only through the tun0 interface (vpn). For this I wanted to create a ufw ruleset. Unfortunately, I’ve hit a roadblock and I can’t figure out where I’m going wrong.

Can you help me discover why this ruleset doesn’t allow Internet communication over tun0? When I disable ufw I can access the Internet.

The VPN connection is already established, so it should keep working, right?

I hope you can help me out!

This is the script with the ruleset:

    sudo ufw reset

    # Set default policies
    sudo ufw default deny incoming
    sudo ufw default deny outgoing

    # Allow SSH access
    sudo ufw allow ssh

    # Allow local network traffic
    sudo ufw allow from 192.168.0.0/16
    sudo ufw allow out to 192.168.0.0/16

    # Allow traffic through VPN tunnel
    sudo ufw allow in on tun0
    sudo ufw allow out on tun0

    # Add routing between interfaces (I read it's necessary, not sure why?)
    sudo ufw route allow in on tun0 out on wlan0
    sudo ufw route allow in on wlan0 out on tun0

    sudo ufw enable

  • just_another_person@lemmy.world · edited · 9 days ago

    ufw is a firewall. Routing controls traffic flow. You want to set the default route of that machine to only use the tun0 interface. Random link explains

    As a secondary step you can set your firewall to block any traffic trying to exit an interface I suppose, but it really shouldn’t be necessary.

    For your other services on the local network for your subnet, just add a secondary route only for your subnet that uses your router as a gateway.

    • sykaster@feddit.nl (OP) · 9 days ago

      That makes sense, but it’s possible that the VPN connection drops for a second, and then it can’t re-establish it, right? How would I deal with that?

      • just_another_person@lemmy.world · 9 days ago

        It wouldn’t be able to communicate with the internet, but would still be able to talk to your local network.

        If that’s not specifically what you’re trying to do, and you don’t care if traffic might go out over your regular Internet connection, then you can create a fail over type situation where it will try and use a “backup” route to communicate to the internet if needed, though you’ll need to spend some time really making it pretty smooth: https://www.baeldung.com/linux/multiple-default-gateways-outbound-connections

        • sykaster@feddit.nl (OP) · 9 days ago

          I guess what I’m really trying to do is make sure that whatever happens, if the vpn fails (tun0), there is no more communication with the Internet.

      • JoeyHarrington@lemmy.ca · 9 days ago

        Remove default route using physical interface

        Add route only to the IP of the VPN server

        Bring up VPN

        Add default route to traverse the tunnel
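The four steps above as a dry-run shell sketch (an added example, not JoeyHarrington's own commands or anything else from the thread). By default it prints each `ip route` command instead of executing it, so the sequence can be reviewed before running it as root with DRY_RUN=0. It also adds a small leak check the post does not mention: after the routes are in place, the only default route must be via the tunnel. The physical interface wlan0 is taken from the poster's ruleset; the gateway 192.168.1.1, the VPN server 203.0.113.10 and the tunnel name tun0 are placeholders, and the VPN client itself (step 3) is not started here because the thread does not say which client is in use.

```sh
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (default) prints each command
# instead of running it; DRY_RUN=0 executes them (needs root).
# Assumed placeholders, not taken from the post:
#   physical interface wlan0, LAN gateway 192.168.1.1,
#   VPN server 203.0.113.10 (documentation address), tunnel interface tun0.
set -eu

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1 and 2: drop the default route via the physical interface and leave
# only a host route to the VPN server via the LAN gateway. The directly
# connected LAN route (e.g. 192.168.1.0/24 dev wlan0) is not touched, so the
# local network stays reachable.
# Usage: pre_vpn_routes PHYS GATEWAY VPN_SERVER
pre_vpn_routes() {
    phys=$1 gw=$2 server=$3
    run ip route del default dev "$phys"
    run ip route add "$server/32" via "$gw" dev "$phys"
}

# Step 4: once the client has brought the tunnel up, send everything else
# into it.
# Usage: post_vpn_routes TUN
post_vpn_routes() {
    tun=$1
    run ip route add default dev "$tun"
}

# Leak check: reads a routing table on stdin (from `ip route show` or a saved
# copy) and returns 0 only if at least one default route exists and every
# default route goes via the tunnel interface.
# Usage: ip route show | check_default_via TUN
check_default_via() {
    tun=$1
    defaults=$(grep '^default ' || true)
    [ -n "$defaults" ] || return 1
    printf '%s\n' "$defaults" | grep -vq "dev $tun" && return 1
    return 0
}

# The sequence from the post, in order. Step 3 (starting the VPN client) is
# left to whichever client is in use; with OpenVPN, starting it with
# --route-nopull stops the client from re-adding its own default route.
main() {
    pre_vpn_routes wlan0 192.168.1.1 203.0.113.10
    # step 3: start the VPN client here
    post_vpn_routes tun0
}

main
```

Run it once with the default DRY_RUN=1 to see the exact commands, then `ip route show | check_default_via tun0 && echo ok` after the tunnel is up. If the VPN drops, the default route through tun0 disappears with the interface and the only route off the box is the /32 to the VPN server, which is what lets the client reconnect without any other traffic leaking.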

  • TauZero@mander.xyz · 9 days ago

    sudo ufw default deny outgoing

    I’m guessing this would block the VPN packets themselves as well.

    • sykaster@feddit.nl (OP) · 9 days ago

      It does, but later I have the rules to counteract those, for the VPN specifically:

          sudo ufw allow in on tun0
          sudo ufw allow out on tun0

      So that would open that up again, or am I wrong?

      • TauZero@mander.xyz · 9 days ago

        That allows sending packets inside the VPN tunnel, but the outer envelope packets still need to be able to reach the VPN server.

        • sykaster@feddit.nl (OP) · 9 days ago

          I see, but then how would I disable everything else? Should I not use the default rules?
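One way to keep the default-deny policies and still let the tunnel come up, as an added example rather than anything a poster wrote: the original ruleset reworked so that the only outbound traffic allowed on wlan0 is the LAN and the encapsulated packets to the VPN server (the outer envelope TauZero describes), with everything else going out on tun0. As in the routing example, DRY_RUN=1 (the default) prints the `ufw` commands instead of running them. The VPN server address 203.0.113.10, UDP port 1194, the LAN range 192.168.0.0/16 and the interface names are placeholders; substitute the server and port from your VPN configuration.

```sh
#!/bin/sh
# Added example, not from the thread: the poster's ufw ruleset turned into a
# kill switch. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them
# as root. Assumed placeholders, not taken from the post: VPN server
# 203.0.113.10, UDP port 1194, LAN 192.168.0.0/16, wlan0 and tun0.
set -eu

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: ufw_killswitch PHYS TUN LAN VPN_SERVER VPN_PORT VPN_PROTO
ufw_killswitch() {
    phys=$1 tun=$2 lan=$3 server=$4 port=$5 proto=$6

    # --force skips the interactive confirmation prompts.
    run ufw --force reset
    run ufw default deny incoming
    run ufw default deny outgoing

    # Management: SSH only from the LAN on the physical interface. A plain
    # `ufw allow ssh` would also open port 22 towards the VPN side on tun0.
    run ufw allow in on "$phys" from "$lan" to any port 22 proto tcp

    # Local network both ways, pinned to the physical interface.
    run ufw allow in on "$phys" from "$lan"
    run ufw allow out on "$phys" to "$lan"

    # The outer envelope: the one hole in "deny outgoing" on the physical
    # interface, limited to the VPN server's address, port and protocol.
    # Replies come back through ufw's built-in established/related handling,
    # so no blanket `allow in on tun0` is needed either.
    run ufw allow out on "$phys" to "$server" port "$port" proto "$proto"

    # Everything inside the tunnel.
    run ufw allow out on "$tun"

    # No `ufw route` rules: those are FORWARD-chain rules for traffic passing
    # through the box between two interfaces. A host that only uses the VPN
    # for its own traffic never forwards anything and does not need them.

    run ufw --force enable
}

ufw_killswitch wlan0 tun0 192.168.0.0/16 203.0.113.10 1194 udp
```

This is a kill switch in the sense the OP asks for: if tun0 goes away, nothing matches the `allow out on tun0` rule and the only traffic that can still leave wlan0 is LAN traffic and the handshake to the VPN server, so the client can reconnect but no other Internet traffic escapes. Two things to check after enabling it: `sudo ufw status verbose` should show exactly these rules, and with the tunnel down a `curl https://example.com` should fail rather than succeed. Two caveats a practitioner would want: the LAN allow also lets DNS queries reach a resolver on the LAN (typically the router), which resolves them outside the tunnel, so point /etc/resolv.conf at a resolver that is reached through tun0 if DNS must not leak; and if the Pi gets its address by DHCP, confirm that lease renewals still succeed under `default deny outgoing`.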

  • oshu@lemmy.world · 9 days ago

    If your concern is ensuring a killswitch type vpn setup, I do that but in a different and simple way.

    I have a GLinet microrouter configured to join the VPN and activate killswitch mode. This is 2 clicks in the menu. I connect it to my network via its WAN port.

    Everything I want behind the VPN gets connected to the microrouter lan port and job done.

    • sykaster@feddit.nl (OP) · 8 days ago

      Interesting! I’m new to this, this is really valuable! What made you choose this approach?

      • oshu@lemmy.world · 8 days ago

        It's simple, and I can easily put a laptop or phone or whatever behind the microrouter and have confidence it's only using the VPN.

        When I travel I take a second microrouter with me to connect to the hotel wifi. All my devices are set to use the microrouter wifi so they never touch the hotel network, only the VPN. Easy, private, and avoids any filtering the hotel is doing.

        • sykaster@feddit.nl (OP) · 8 days ago

          Cool! And you can easily control the mini router from your devices so that it connects to the hotel WiFi or whatever network you want?