Achieving a 100% airtight dynamic IP VPN + killswitch while on the go

For months now I’ve been on and off trying to set up a system on my laptop such that I can go anywhere and connect to wifi with 0 leaks, 0 tampering, and only through VPN. Turns out it’s hard.

The best idea I’ve come up with is to use virtualization:

  • disable the network cards in your current/host OS, and also disable TCP/IP on them in case someone like Windows tries to enable them back.
  • set up a Virtualbox OS (some kind of Linux) to which you send all your network cards.
  • use that OS as a firewall + VPN + vpn killswitch
  • route that OS’s internet connection back to your Host OS.

Previously I tried PFSense and OPNSense but those are designed to be installed on a physical machine that acts as a router, and won’t accept (or won’t support drivers for) wifi as their network access input and have no interface for access credentials, wifi network picking etc.

Now I use Debian and its VPN capabilities + ufw firewall.
I would write a guide on how to set this up but there are 2 problems:

  • most VPNs you connect to use a DNS name and not an IP (if they had just one static ip then most providers/services etc would block them) More here on the ways that’s a problem:
  • the rigging of automatically connecting to a VPN when you connect to a network is hit and miss. In my case it gets stuck in a loop of trying to (re)connect and failing, until I click on the GUI button to stop the network adapter, then click again to start it. Not reliable enough to run the VM in headless mode, or to ensure an auto connect after a restart/power failure etc.

So now that you hopefully understand what I’m trying to achieve, maybe someone else can help me/us with setting up some kind of linux that can act as a proper firewall + killswitch + VPN?

[EDIT] I know there are these physical “portable” mini routers that can connect to VPN and then you can use them for your phone, laptop etc while on the go. But they all use sim cards, right? I need one that also takes both LAN and wifi, and again, I’d prefer I also had this in software only, in case you don’t have that mini router around.

[EDIT2] I also know there are some automagic installations for Linux with apps from the VPN providers that supposedly take care of things for you. Since on Windows I’ve thoroughly verified that the killswitches for those apps are useless, I’m convinced the Linux counterparts are also not airtight.

You should be able to configure the routes so that everything uses the VPN gateway and have openvpn not change the default gateway. That way if the VPN goes down you lose internet access rather than use the unencrypted network (I assume this is what you mean by kill switch). You could set it up as a script so that when you’re on a trusted network everything works without the VPN.

As for DNS I would suggest using encrypted DNS outside of the VPN so you don’t need to worry about leaks or not being able to connect to the VPN because of DNS blocking.

I haven’t found a way to forward just the VPN tun0 connection from the guest to the host. (but I’m not that great at Linux)

I have:

  1. a network connection for the physical network card. Set to “automatically connect to VPN when using this connection” (and btw this doesn’t work automatically, only works if I turn this connection off and on again, just…magic happening)
  2. a network connection that’s a VPN, according to the openvpn configs for my VPN
  3. another network connection set to “Shared to other computers” - what goes from the guest to the host OS.

Then I use the ufw firewall like so:

  • on network “1.” I disable all connections except for an arbitrary IP address from my VPN’s current IP range (which can change any moment because they’re dynamic, hence I will eventually have to go online without a VPN just to see what their new IP range is - bad!). I do this as part of the killswitch so nothing can leak unless it’s on that “trusted” IP.
  • on “2.”, the tun0 vpn, I allow everything

As for DNS I would suggest using encrypted DNS outside of the VPN so you don’t need to worry about leaks or not being able to connect to the VPN because of DNS blocking.

That’s not what I meant with the DNS. If I were to not use the VPN, I’d use openDNS.
What I meant is that due to how linux + IP layer firewalling works, I can only connect to the VPN via an IP (which is bound to change soon), whereas the VPN provider wants me to connect via a domain name…

What I would do is set up a DNS server on the guest that uses encrypted DNS (unbound can be set up for encrypted DNS). Then instead of blocking all traffic except the VPN server address, block all traffic except the VPN server port, and also allow DNS traffic to the DNS server (which will have a static IP). This way you can use the domain name to connect to the VPN server and you can configure the host to use this server as well so you have secure DNS without needing to worry about DNS leaks on the VPN.

As for forwarding the traffic you can set this up using iptables. I’m not an expert on iptables but have a look at this

essentially you want to set up the guest as a router between the interface connecting to the host and the VPN. Then on the host set the gateway of that interface to the IP of the guest. If you don’t want to use NAT then you could forward traffic from the host interface to the VPN interface but you’d have to set up a static route on the host for it to work.

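A concrete version of the port-based killswitch plus local encrypted resolver described in this reply, as an added example that is not part of the thread: a POSIX shell script that generates an nftables ruleset for the router VM and an unbound configuration that forwards over DNS-over-TLS. The interface names (eth0, tun0), the VPN port 1194/udp, the host-facing address 192.168.56.1 and the Quad9 upstream 9.9.9.9 / dns.quad9.net are assumptions for the demo; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, rather than loads, the
# configuration so it can be inspected first. Assumed names (constructed):
# WAN_IF=eth0 (the passed-through card), VPN_IF=tun0, VPN_PORT=1194/udp,
# DoT upstream 9.9.9.9 (dns.quad9.net), host-facing address 192.168.56.1.

# gen_killswitch WAN_IF VPN_IF VPN_PORT DOT_IP
# Prints an nftables ruleset on stdout; returns 1 on bad input.
# The "inet" family covers IPv4 and IPv6 at once, so the drop policy also
# stops IPv6 from sneaking past a v4-only rule set.
gen_killswitch() {
    ks_wan=$1; ks_vpn=$2; ks_port=$3; ks_dot=$4
    case "$ks_port" in
        ''|*[!0-9]*) echo "bad port: $ks_port" >&2; return 1 ;;
    esac
    [ "$ks_port" -ge 1 ] && [ "$ks_port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    [ -n "$ks_wan" ] && [ -n "$ks_vpn" ] && [ -n "$ks_dot" ] || return 1
    cat <<EOF
flush ruleset
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # DHCP offers/acks from the hotel or cafe network
        iifname "$ks_wan" udp sport 67 udp dport 68 accept
        # nothing else unsolicited is accepted from the untrusted network
        iifname "$ks_wan" drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # everything is allowed once it is inside the tunnel
        oifname "$ks_vpn" accept
        # DHCP so the VM can still join the network
        oifname "$ks_wan" udp sport 68 udp dport 67 accept
        # unbound talking DNS-over-TLS to its upstream (outside the tunnel)
        oifname "$ks_wan" ip daddr $ks_dot tcp dport 853 accept
        # the OpenVPN handshake itself: any server address, fixed port,
        # so the provider's IP range may change without touching this file
        oifname "$ks_wan" udp dport $ks_port accept
        # anything else on the physical card is dropped: plaintext never leaves
        oifname "$ks_wan" drop
    }
}
EOF
}

# gen_unbound LISTEN_IP DOT_IP DOT_NAME
# unbound.conf fragment: listen on the host-facing address, forward every
# query over TLS to the upstream and verify its certificate against DOT_NAME.
gen_unbound() {
    ub_listen=$1; ub_dot=$2; ub_name=$3
    [ -n "$ub_listen" ] && [ -n "$ub_dot" ] && [ -n "$ub_name" ] || return 1
    cat <<EOF
server:
    interface: $ub_listen
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.56.0/24 allow
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: $ub_dot@853#$ub_name
EOF
}
```

Write the first output to /etc/nftables.conf and check it with nft -c -f before loading, and the second into /etc/unbound/unbound.conf.d/. The output chain's final drop is what makes the tunnel's address irrelevant: only the port is allowed out on the physical card, so a change in the provider's IP range no longer requires opening the firewall.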

Okay, now I think I get what you’re saying. I’ll have to dig a bit to see how to actually do some of this stuff (like how to set up a DNS server) ^___^

You’re saying use ufw on the network adapter’s interface in the Guest to block everything except the VPN’s port. Then also on that interface set a custom DNS server IP, to the static IP of my custom DNS server. Cool.

Won’t this tradeoff mean that I am open to whatever part of the entire internet happens to also use that port? I guess that’s fine as long as my Host is somehow never open to *all of internet*:VPNPORT before the VPN connects. -How?

So in the second part, what interface exactly are you saying I should route to what? You mean create a new network to which I route the tun0 VPN packets, and then share that new network to the host (which yes will have the IP as the gateway)?
I may have understood wrong here, but isn’t the VPN something dynamic, and isn’t routing done on a static IP to static IP basis? Actually I don’t even know how the concept of “share this internet connection” is done in the backend.

No because you’ll be blocking all inbound traffic, and only allowing traffic out to that port. Setting the firewall to block all outbound traffic except to the VPN port just prevents the computer from sending traffic over the encrypted connection.

You need to have a bridge interface between the guest and the host and then you want to configure iptables to forward traffic from the bridge interface to the VPN interface. I’m not 100% on how to configure or if that link is really what you’re after but it’s something like that.

This script looks like it might be what you need, just exchange the external interface for tun0 (or whatever your VPN interface is) and the internal interface for the bridge interface between the guest and host
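The forwarding half of that setup, as an added example not taken from the thread or from the linked script: an nftables forward chain that lets the host-facing interface reach only the tunnel (never the physical card) with masquerading, plus a small check that parses ip route show output to confirm the guest's default route really leaves via the VPN interface. The interface names br0, tun0 and eth0 and the sample route tables are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Turns the guest into a router between
# the host-facing interface and the tunnel and refuses to forward anything
# towards the physical card. Assumed names (constructed): INT_IF=br0 (the
# bridge or VirtualBox "shared" interface), VPN_IF=tun0, WAN_IF=eth0.

# gen_forwarding INT_IF VPN_IF WAN_IF
# Prints nftables rules for the forward path on stdout; returns 1 on bad input.
gen_forwarding() {
    fw_int=$1; fw_vpn=$2; fw_wan=$3
    [ -n "$fw_int" ] && [ -n "$fw_vpn" ] && [ -n "$fw_wan" ] || return 1
    [ "$fw_int" != "$fw_wan" ] && [ "$fw_vpn" != "$fw_wan" ] || { echo "interfaces must differ" >&2; return 1; }
    cat <<EOF
table inet router {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # host -> tunnel is the only permitted path
        iifname "$fw_int" oifname "$fw_vpn" accept
        # host -> physical card must never happen, even while tun0 is down
        # (already covered by the policy, kept explicit so a later "accept"
        # added above it cannot silently open the path)
        iifname "$fw_int" oifname "$fw_wan" drop
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # hide the host behind the tunnel address
        oifname "$fw_vpn" masquerade
    }
}
EOF
}

# default_via VPN_IF ROUTE_TEXT
# Returns 0 when the default route in the given "ip route show" text leaves
# via VPN_IF, 1 otherwise. A trailing space is appended to each line so that
# "dev tun0" cannot match "dev tun01" with plain POSIX grep.
default_via() {
    dv_vpn=$1; dv_routes=$2
    printf '%s\n' "$dv_routes" | sed 's/$/ /' | grep -q "^default .*dev $dv_vpn "
}
```

Enable forwarding on the guest with sysctl -w net.ipv4.ip_forward=1, load the rules, and point the host's default route at the guest's address on the shared interface. The check can run from cron or a watchdog as default_via tun0 "$(ip route show)" to alert when the default route has fallen back to the physical card.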

I saw something similar in a Defcon or Black Hat conference. Although it was for TOR, it did what you are wanting I believe. It’s called Tortilla and it’s a VM that ensures nothing leaves that isn’t routed through TOR. I would think it could be adapted for a VPN right? I believe the source code is on github.

IMO, it would be easier to use a router/firewall oriented distribution like IPFire or VyOS as the router VM instead of starting with vanilla Debian.

That said, I have not used either (unless you count Vyatta on Ubiquiti routers). By reputation, BSDs are more suited to routing than Linux.

You can make a perfectly good Linux router, but it takes some configuration.


@tabun Yeah that Tor thing is what I want but not with tor. It’s actually advised to NOT route all your traffic through tor. Not because it clogs the network (with video etc) but because it identifies you. The Defcon thing was probably aimed for your “journalist laptop” not your everything laptop.

@oO.o I need to look into the router-oriented linuxes, thanks for the links! I started off Debian because it also doubles as a common sense desktop that I can understand :slight_smile:

I looked into BSDs a lot, tried PFSense and OpnSense, but those only work expecting your WAN to be an incoming cable connection from a provider. They don’t have any logic for connecting to your random hotel or starbucks etc. and treating that as your WAN and handling various types of authentication and maintaining the connections etc…

Nor is there an easy way to quickly (re)configure profiles like “if I’m on this new WiFi from space x in location y, then route these classes of things through this VPN”.

In fact, the UX paradigm and architecture of the BSDs do not afford stuff like just a popup with “your internet provider or your vpn’s IP has changed, want to reconnect?”, or a dropdown of available WiFi networks etc. It’s all a giant bottom-up system that’s not agile and comfortable enough for a laptop-only setup. That’s what I was fearing for linux-based router distros, but I haven’t actually looked into that enough.

Someone needs to make a brilliant customizable user-needs-centered top level interface system for BSD :wink: Somewhere half in between “it just works” and the actual but not always useful PFSense paradigm for the corporate sysadmin scenario.

I might be speaking blasphemy here…but the PIA client on windows does exactly what you’re looking to do.

I know it’s still windows, and windows is well, yeah. The thing is, there is a linux client as well. I haven’t tested it to see if the same feature exists but I could set it up on my headless box if you’re interested in the idea, just to check.

Yeah PIA has this “app” that you install in ubuntu and supposedly has a killswitch. But I read on their forums that while it’s definitely not useless (like it is in terms of reliability on windows), it can still leak on linux too (though I don’t remember the reasons off the top of my head)

Oh, I’m not sure if it was for PIA but I believe one of the failsafes was just a script that checks every second if your traffic is leaking or not. That’s equal to 0 privacy wise.

The warning it pops up when you go to enable it (at least on windows) is if you have both wired and wireless connected it can only stop one. Not sure about the linux client.

I can say without a doubt that is not how it works on windows but again I haven’t used it on linux. I could test that theory.

Yeah I’d have to do some digging to remember. It was that there were layers of things it did to ensure a killswitch, and then if all failed then there was this time check

Have you looked into or thought about going with something like Qubes for this? You can setup a Networking VM that is set to only go over a VPN and then pass that Networking VM to any of the other work VMs you have installed. If your hardware can run it, it’d be worth a shot.

This is actually my number one complaint about *Sense. It forces you to use it as a gateway and not just a router.

I use centos and iptables as my home router.

have you heard of QubesOS? that virtualizes everything. So you can have a virtual os running as your network, another as your firewall, and another for your vpn/tor/whatever and have them pass the data through each other.