Linux Desktop Firewall and VPN

Posted: 2017-04-29 22:06:05 by Alasdair Keyes

Direct Link | RSS feed


I use Linux Mint as my OS on my Laptop as well as OpenVPN for all external traffic.

The Ubuntu/Mint Network manager can be instructed to connect to a VPN when the network is started up, which is great for privacy however there are three instances I've noticed when this falls short.

There have been a few instances where these have occurred and it meant I was sending out traffic insecurely until I noticed.

To combat this I set UFW to automatically reject all packets on the OUTPUT chain. This means my laptop is unable to send any packets over any network device (as long as the firewall is running. I then updated my UFW firewall with the following rules into /etc/ufw/user.rules to allow outbound connections for specific devices etc.

# Allow LXC containers to send traffic out on the LXC bridge
-A ufw-user-output -o lxcbr0 -j ACCEPT
# Allow LXC containers to send traffic onto their virtual ethernet device
-A ufw-user-output -o veth+ -j ACCEPT

### Allow traffic out through the OpenVPN tun0 interface
-A ufw-user-output -o tun0 -j ACCEPT

### Allow traffic to my VPN host
-A ufw-user-output -o wlp8s0 -p tcp --dport 1194 -d 9.8.7.6 -j ACCEPT

### Allow traffic out to my local networks
-A ufw-user-output -d 192.168.0.0/24 -j ACCEPT

### Allow traffic out to virtualbox network devices 
-A ufw-user-output -o vboxnet+ -j ACCEPT

Additional rules will be required into your /etc/ufw/user6.rules.

Now if VPN doesn't connect or drops out unexpectedly, I lose connectivity but I won't be sending out unsecured traffic and I can just reconnect.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

© Alasdair Keyes

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.



Happy user of Digital Ocean (Affiliate link)


Version:master-28fc6e6b4b


Validate HTML 5