fixed shared VPN/Tor server leak bug (#12)

use ip(6)tables --wait made ip(6)tables commands configurable RELATED,ESTABLISHED -> ESTABLISHED for better security (fixes #9) ported from sysvinit to (systemd) netfilter-persistent also source configuration folder /rw/config/vpn-firewall.d/*.conf Debian packaging licensing refactoring comments
adrelanos · May 11, 2016 · f5a0d06 · f5a0d06
1 parent 23f1a30
commit f5a0d06
Show file tree

Hide file tree

Showing 16 changed files with 473 additions and 483 deletions.
diff --git a/README.md b/README.md
@@ -5,16 +5,18 @@ It's much safer when it fails closed, i.e. when the VPN connection breaks down,
 
 # What does it do
 
-* Forbid outgoing traffic after the VPN software broke down for some reason.
+* Forbid outgoing traffic after the VPN / tunnel software broke down for some reason.
 * Tight firewall rules, using iptables policy drop.
-* Only tested with OpenVPN. Should work with other VPN clients such as PPTP in theory, you should test if it does what it claims anyway.
-* Only tested on Debian Wheezy. Should work in many Linux distribution in theory, you should test if it does what it claims.
+* Defeat [shared VPN/Tor server leak bug](https://github.com/adrelanos/vpn-firewall/issues/12)
+* Only tested with OpenVPN. Should work with other VPN and tunnel clients such as PPTP in theory, you should test if it does what it claims anyway.
+* Only tested on Debian Jessie. Should work in many Linux distribution supporting netfilter-persistent in theory, you should test if it does what it claims.
 * Open Source / Free Software
 
 # What does it NOT do
 
 * Care about DNS leaks. Consult your VPN software's/provider's documentation and
 configure /etc/resolv.conf to use the DNS server of your VPN server.
+* Block WebRTC leaks.
 * Defend against
 [IP leaks](https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea).
 If a locally installed application uses trickery to obtain the the users real
@@ -23,10 +25,7 @@ IP and sends it somewhere though the VPN.
 manipulate the firewall rules.
 * Prevent any other kind trickery to circumvent using the VPN.
 * Prevent leaks caused by bugs in the VPN software.
-* Be compatible with Whonix-Gateway. (VPN-Firewall is incompatible with Whonix-Gateway's firewall!)
-* Run the VPN software as unprivileged user. For OpenVPN see
-[OpenVPN wiki UnprivilegedUser](https://community.openvpn.net/openvpn/wiki/
-UnprivilegedUser).
+* Be compatible with Whonix-Gateway/Workstation. (VPN-Firewall is incompatible with Whonix-Gateway/Workstation's firewall! Use Whonix documentation and use their built-in features.)
 * Manage IPv6 traffic. IPv6 traffic is blocked.
 * Install (Open)VPN.
 * Configure (Open)VPN.
@@ -35,108 +34,10 @@ UnprivilegedUser).
 * Untested to work in Qubes ProxyVMs. (They have a different way to up networking and firewall.)
 
 # How to Use
-1) First learn how to get your VPN software connected without using VPN-Firewall.
 
-Use the IP to connect to your VPN server, not the hostname!
+See:
 
-2) Remove old versions of VPN-Firewall.
-
-    sudo update-rc.d vpnfirewall remove
-    sudo rm /usr/local/bin/vpnfirewall
-    sudo rm /usr/bin/vpnfirewall
-    sudo rm /etc/init.d/vpnfirewall
-
-3) Get the firewall script and install it.
-
-    cd ~
-
-    git clone https://github.com/adrelanos/VPN-Firewall.git
-
-    cd VPN-Firewall
-
-    sudo cp ./usr/bin/vpnfirewall /usr/bin/
-
-4) Edit the /usr/bin/vpnfirewall settings with your favorite editor.
-
-Note, that you must use the IP of your VPN server, not the hostname.
-
-5) Load /usr/bin/vpnfirewall before the network and before OpenVPN goes up.
-
-* If you are NOT permanently using (Open)VPN, i.e. if you only occasionally, manually connect to the VPN.
-
-Just run the following command before starting OpenVPN.
-
-    sudo /usr/bin/vpnfirewall
-
-Should reply:
-
-    OK: Loading VPN firewall...
-    OK: The firewall should not show any messages,
-    OK: besides output beginning with prefix OK:...
-    OK: VPN firewall loaded.
-
-* If you are permanently using (Open)VPN, i.e. always want to use the VPN.
-
-Install the init script.
-
-    sudo cp ./etc/init.d/vpnfirewall /etc/init.d/
-
-    sudo update-rc.d vpnfirewall defaults
-
-Test the init script.
-
-    sudo service vpnfirewall restart
-
-    sudo service vpnfirewall status
-
-    echo $?
-
-Should reply:
-
-    0
-
-Reboot.
-
-Check VPN Firewall status again.
-
-    sudo service vpnfirewall status
-
-Should reply:
-
-    0
-
-6) How to unload VPN Firewall?
-
-If you want to disable VPN Firewall, see:
-https://gist.github.com/adrelanos/10565852
-
-# How to Test
-
-1) Install.
-
-2) Test if it works. Check whatismyipaddress.com if you your external IP is from the VPN.
-
-3) Kill the VPN client.
-
-Example OpenVPN:
-
-    sudo killall openvpn
-
-4) Check if you can still connect to whatismyipaddress.com.
-
-If yes, bad, something is wrong.
-
-If no, good, you won't connect to any remote servers besides the VPN IP once the VPN client broke down.
-
-# How to Debug
-
-Developers only.
-
-Enable debugging. Uncomment "set -x" in all scripts.
-
-Check iptables logs.
-
-    tail -f /var/log/syslog
+https://www.whonix.org/wiki/VPN-Firewall#How_to_use_VPN-Firewall
 
 # Alternatives
 

diff --git a/changelog.upstream b/changelog.upstream
@@ -1,3 +1,84 @@
+commit 23f1a3046cd81ebcc714fe5c9e69e0ffa090f09c
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Tue Jan 26 19:46:36 2016 +0100
+
+    updated readme
+
+    Conflicts:
+    	README.md
+
+commit 12a9a7baacb3cf6be456ae0c769ce382462db6c1
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Jan 20 19:31:29 2016 +0100
+
+    etc/vpn-firewall.d/30_default -> etc/vpn-firewall.d/30_default.conf
+
+commit 5d0c2a1bac3e90d4fb3bbedfe34e6adf4d4b6def
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Jan 20 19:30:59 2016 +0100
+
+    source only configuration files ending with .conf
+
+commit 619cbc3d97da1ef8b89d8d1b7fced3087585a27f
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:59:32 2015 +0000
+
+    comment
+
+commit c4f9fc1eb7efcf1dcb9c8b2592247a17398a398e
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:48:47 2015 +0000
+
+    added man page
+
+commit 644d69af42dd9fd114e29d53d04495cb23dcf1f2
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:46:03 2015 +0000
+
+    update
+
+commit 4a6921ca34d1c3f5cf151cd4f391e882386e14cf
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:45:22 2015 +0000
+
+    renamed:    etc/vpn_firewall.d/30_default -> etc/vpn-firewall.d/30_default
+
+commit f51763f36baba7ce935bc84fffe263f0b75e84bc
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:44:13 2015 +0000
+
+    renamed:    usr/bin/vpnfirewall -> usr/bin/vpn-firewall
+
+commit 044e193c9c7cc03fbab854963e95e49a5c6349aa
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:42:30 2015 +0000
+
+    init script: provide itself to fix lintian warning
+
+commit 98b3b7ed88622f9411dbb47f425eab251c5750ef
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:41:00 2015 +0000
+
+    fixed lintian warning in machine readable copyright file
+
+commit f36bedc0caad0ab7c89046ac70e37cc630c6a1ee
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:39:14 2015 +0000
+
+    fixed debian/changelog
+
+commit c27d7bdfbff37ccb32fd048b0a6e84c22317ea4f
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:35:00 2015 +0000
+
+    updated debian/rules
+
+commit 215f5223fe3609052772fccfbe77c08eeccb38f4
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Mon Feb 9 13:34:25 2015 +0000
+
+    added upstream changelog
+
 commit bdab55e8d273d62d3f63569fc0487916f26c3432
 Author: Patrick Schleizer <adrelanos@riseup.net>
 Date:   Mon Feb 9 13:34:04 2015 +0000

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+vpn-firewall (3:0.3-1) unstable; urgency=medium
+
+  * New upstream version.
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Wed, 11 May 2016 17:39:42 +0200
+
 vpn-firewall (3:0.2-1) unstable; urgency=low
 
   * New upstream version.

diff --git a/debian/control b/debian/control
@@ -9,11 +9,11 @@ Build-Depends: debhelper (>= 8), faketime, git
 Homepage: https://github.com/adrelanos/VPN-Firewall
 Vcs-Browser: https://github.com/adrelanos/VPN-Firewall
 Vcs-Git: https://github.com/adrelanos/VPN-Firewall.git
-Standards-Version: 3.9.4
+Standards-Version: 3.9.6
 
 Package: vpn-firewall
 Architecture: all
-Depends: ${misc:Depends}
+Depends: netfilter-persistent, ${misc:Depends}
 Description: Ensures no traffic is send, once OpenVPN breaks down for some reason
  If you simply add a VPN using common instructions, it generally fails open.
  That means, if the VPN breaks down, because the connection is interrupted,

diff --git a/debian/rules b/debian/rules
@@ -9,7 +9,6 @@
 	dh $@
 
 override_dh_install:
-	dh_installinit --onlyscripts
 	$(CURDIR)/make-helper.bsh manpages
 	dh_installman $(CURDIR)/debian/tmp-man/*
 

diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+## https://phabricator.whonix.org/T277
+debian-watch-may-check-gpg-signature
diff --git a/debian/vpn-firewall.postinst b/debian/vpn-firewall.postinst
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+## This file is part of Whonix.
+## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/lib/pre.bsh ]; then
+   source /usr/lib/pre.bsh
+fi
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ${1+"$@"}
+#####################################################################
+"
+
+case "$1" in
+   configure)
+      true "INFO: Configuring $DPKG_MAINTSCRIPT_PACKAGE..."
+
+      user_account_list="tunnel"
+
+      for user_account in $user_account_list ; do
+         ret="0"
+         id "$user_account" || { ret="$?" ; true; };
+
+         if [ "$ret" = "0" ]; then
+            echo "INFO: Not creating user '$user_account', because it already exists."
+         else
+            echo "INFO: Creating user '$user_account'..."
+            if command -v qubesdb-read >/dev/null 2>&1 ; then
+               ## Qubes-Whonix
+               ## Qubes does by upstream default not use linux user account passwords.
+               password=""
+            else
+               ## Non-Qubes-Whonix
+               ## setting password of user $user_account to changeme
+               ##
+               ## How this password was created:
+               ## sudo apt-get install whois
+               ## mkpasswd
+               ## changeme
+               ## Resulted in: aTayYxVyw5kDo
+               password="aTayYxVyw5kDo"
+            fi
+            useradd --create-home --password "$password" --user-group --shell /bin/bash "$user_account"
+         fi
+      done
+
+      true "INFO: End configuring $DPKG_MAINTSCRIPT_PACKAGE."
+
+      ;;
+
+   *)
+      ;;
+esac
+
+if [ -d /run/systemd/system ] ; then
+   systemd-tmpfiles --create /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf >/dev/null || true
+   systemctl --system daemon-reload >/dev/null || true
+fi
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ${1+"$@"}
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0