vpnfailsafe

NOTE: commit ca284a9 fixes a potential DNS leak (#25).

What is vpnfailsafe?

vpnfailsafe prevents a VPN user's ISP-assigned IP address from being exposed on the internet, both while the VPN connection is active and when it goes down.

vpnfailsafe doesn't affect traffic to/from private networks, or disrupt existing firewall rules beyond its intended function.

How does it work?

vpnfailsafe ensures that all traffic to/from the internet goes through the VPN. It is meant to be executed by OpenVPN when the tunnel is established (--up), or torn down (--down).

On --up:

  • All configured VPN server domains are resolved and saved in /etc/hosts.
  • Routes are set up so that all traffic to the internet goes over the tunnel. The original default route is preserved and two more specific routes are added (mimicking --redirect-gateway def1), along with routes to all configured VPN servers.
  • /etc/resolv.conf is updated, so only the DNS servers pushed by the VPN server are used.
  • iptables rules are inserted at the beginning of INPUT, OUTPUT and FORWARD chains to ensure that the only traffic to/from the internet is between the VPN client and the VPN server.

On --down:

  • The /etc/hosts entries for VPN servers remain in place, so the VPN connection can be re-established without allowing traffic to DNS servers outside the VPN.
  • Previously added routes are removed.
  • Previous /etc/resolv.conf is restored.
  • Firewall rules remain in place, allowing only the re-establishment of the VPN tunnel.
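The --up steps described above, as an added example written for this page (it is not the vpnfailsafe script itself): the route and firewall work of an OpenVPN up hook, emitted as commands when DRY_RUN is set so they can be reviewed or tested without touching the system. It assumes the VPN server addresses have already been resolved (the VPN_SERVERS list), follows the VPNFAILSAFE_* chain naming from the README plus two helper chains of its own (VPNFAILSAFE_IN and VPNFAILSAFE_OUT), and the uplink, gateway and server values are constructed sample values rather than values read from the live routing table. The $dev and $route_vpn_gateway variables are the ones OpenVPN passes to up scripts.

```shell
#!/bin/sh
# Added example, not the vpnfailsafe project's own script. With DRY_RUN set, every
# ip/iptables command is printed instead of executed.

: "${dev:=tun0}"                    # OpenVPN passes the tunnel device as $dev
: "${route_vpn_gateway:=10.8.0.1}"  # ...and the in-tunnel gateway as $route_vpn_gateway
VPN_SERVERS=${VPN_SERVERS:-"203.0.113.10 203.0.113.11"}  # constructed: resolved remotes
ORIG_DEV=${ORIG_DEV:-eth0}          # constructed: physical uplink
ORIG_GW=${ORIG_GW:-192.0.2.1}       # constructed: ISP-side default gateway
# Traffic the uplink may still carry unconditionally: loopback, RFC1918, link-local,
# multicast and the broadcast address (so DHCP renewals keep working).
LOCAL_NETS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/4 255.255.255.255/32"

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Mimic --redirect-gateway def1: leave the original default route alone and add two /1
# routes, which are more specific and therefore win. Host routes to the VPN servers keep
# the encrypted traffic on the physical uplink.
up_routes() {
  run ip route add 0.0.0.0/1 via "$route_vpn_gateway" dev "$dev"
  run ip route add 128.0.0.0/1 via "$route_vpn_gateway" dev "$dev"
  for s in $VPN_SERVERS; do
    run ip route add "$s/32" via "$ORIG_GW" dev "$ORIG_DEV"
  done
}

# One allow-list chain per direction, hooked in at position 1 of INPUT/OUTPUT/FORWARD.
# Packets that are not on the uplink, or that go to/from a local network or a VPN
# server, RETURN to the pre-existing rules; anything else on the uplink is dropped.
up_firewall() {
  for c in IN OUT INPUT OUTPUT FORWARD; do
    run iptables -N "VPNFAILSAFE_$c"   # errors harmlessly if the chain already exists
    run iptables -F "VPNFAILSAFE_$c"
  done
  run iptables -A VPNFAILSAFE_IN ! -i "$ORIG_DEV" -j RETURN
  run iptables -A VPNFAILSAFE_OUT ! -o "$ORIG_DEV" -j RETURN
  for net in $LOCAL_NETS $VPN_SERVERS; do
    run iptables -A VPNFAILSAFE_IN -s "$net" -j RETURN
    run iptables -A VPNFAILSAFE_OUT -d "$net" -j RETURN
  done
  run iptables -A VPNFAILSAFE_IN -j DROP
  run iptables -A VPNFAILSAFE_OUT -j DROP
  run iptables -A VPNFAILSAFE_INPUT -j VPNFAILSAFE_IN
  run iptables -A VPNFAILSAFE_OUTPUT -j VPNFAILSAFE_OUT
  run iptables -A VPNFAILSAFE_FORWARD -j VPNFAILSAFE_IN   # forwarded packets get both checks
  run iptables -A VPNFAILSAFE_FORWARD -j VPNFAILSAFE_OUT
  for c in INPUT OUTPUT FORWARD; do
    run iptables -D "$c" -j "VPNFAILSAFE_$c" 2>/dev/null   # no duplicate jump on reconnect
    run iptables -I "$c" 1 -j "VPNFAILSAFE_$c"
  done
}

case "${1:-}" in
  up) up_routes && up_firewall ;;
esac
```

Run it as `DRY_RUN=1 sh up_hook_example.sh up` to see the exact rule set before applying it; the RETURN targets are what keep pre-existing firewall rules in charge of everything the allow list lets through.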

How do I install/use it?

Save vpnfailsafe.sh in /etc/openvpn, make it executable and add the following lines to /etc/openvpn/<your_provider>.conf:

script-security 2
up /etc/openvpn/vpnfailsafe.sh
down /etc/openvpn/vpnfailsafe.sh

That's it.

Since vpnfailsafe contains the functionality of the popular update-resolv-conf.sh script, the two don't need to be combined.

A complete configuration example is included as extras/example.conf.

Arch Linux users may choose to install the vpnfailsafe-git package from AUR instead.

What are the requirements/assumptions/limitations?

vpnfailsafe works only on Linux.

Dependencies are minimal (listed in the PKGBUILD file). Of note is the openresolv requirement. There are at least two different, popular packages providing the resolvconf binary, which are not compatible (one supports the -x switch used by vpnfailsafe and the other does not). On distributions where multiple implementations are available, openresolv should be chosen.

The only assumption is that the VPN server will push at least one DNS server to the client.
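What that assumption buys is the DNS part of the --up step: the pushed resolvers replace the ISP's and nothing else is consulted. The following is an added example (not vpnfailsafe's code) of that step: it reads the "dhcp-option DNS ..." options OpenVPN exposes to up hooks as foreign_option_1, foreign_option_2, ..., builds a resolv.conf body, and refuses to continue when no nameserver was pushed, because silently keeping the old resolv.conf is exactly the leak this setup exists to prevent. The resolvconf call uses openresolv's -x (exclusive) switch mentioned below; with DRY_RUN set it is printed instead of run, and the sample options in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not the vpnfailsafe project's own script.

# pushed_dns: print one resolv.conf line per pushed DNS/DOMAIN option, in push order.
pushed_dns() {
  i=1
  while :; do
    eval "opt=\${foreign_option_$i:-}"
    [ -n "$opt" ] || break
    case $opt in
      "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
      "dhcp-option DOMAIN "*) echo "domain ${opt#dhcp-option DOMAIN }" ;;
    esac
    i=$((i + 1))
  done
}

# apply_dns DEV: hand the generated body to resolvconf in exclusive mode (-x), so only
# the pushed servers are used. Returns 1 and changes nothing when none were pushed.
apply_dns() {
  body=$(pushed_dns)
  case $body in
    *nameserver*) ;;
    *) echo "no DNS server pushed by the VPN server; refusing to update resolv.conf" >&2
       return 1 ;;
  esac
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'resolvconf -a %s -m 0 -x <<EOF\n%s\nEOF\n' "$1" "$body"
  else
    printf '%s\n' "$body" | resolvconf -a "$1" -m 0 -x
  fi
}

# As an OpenVPN --up hook, $dev is set by OpenVPN; fail the connection if DNS is missing.
case "${1:-}" in
  up) apply_dns "${dev:-tun0}" || exit 1 ;;
esac
```

A dry run with constructed pushes looks like `foreign_option_1="dhcp-option DNS 10.8.0.1" DRY_RUN=1 sh dns_example.sh up`; with only a DOMAIN option and no DNS option the hook exits non-zero, which makes OpenVPN abort the connection rather than run it with the ISP's resolvers.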

vpnfailsafe does not handle IPv6 at all. To prevent leaks, IPv6 should be disabled and/or blocked. See extras/disable_ipv6.conf for an example of a sysctl config file that disables it and extras/block_ipv6.sh for firewall rules that block it.

vpnfailsafe has been tested with all device types and topologies supported by OpenVPN.

I'm getting an "RTNETLINK answers: Permission denied" error.

This usually means that OpenVPN was executed without sufficient privileges. But if the line is followed by "Linux ip -6 addr add failed: external program exited with error status: 2", it probably means that IPv6 is disabled on the system while the VPN server is pushing IPv6-related options, and the client fails when it runs "ip -6" to honor them. The following two options can be added to the client config to make it ignore the IPv6-related configuration:

pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

(included in extras/example.conf)

I'm getting an "RTNETLINK answers: File exists" error every time I connect.

Those errors can be ignored safely. They appear when OpenVPN tries to set up a route that has already been created by vpnfailsafe. Adding the route-noexec option will tell OpenVPN to leave routing to vpnfailsafe and prevent those errors from appearing.

How do I make OpenVPN reconnect when the underlying network connection is re-established?

Send the HUP signal to OpenVPN upon reconnection.

dhcpcd users would use dhcpcd-run-hooks, NetworkManager users would use a dispatcher script (e.g. extras/pkill_hup_openvpn).

How do I restore my system to the state from before running vpnfailsafe?

vpnfailsafe will revert all changes when the tunnel is closed, except for the firewall rules. You can restore those using the init script that set the iptables rules on boot, or by using iptables-restore, or by otherwise removing the VPNFAILSAFE_INPUT, VPNFAILSAFE_OUTPUT and VPNFAILSAFE_FORWARD chains.

The /etc/hosts entries may eventually become stale and also require removal.

The extras/vpnfailsafe_reset.sh script can be used to achieve that.
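The /etc/hosts side of this, as an added example written for this page (not the project's vpnfailsafe_reset.sh): the VPN server names are pinned to their resolved addresses so a reconnect never needs a DNS query outside the tunnel, and every line written carries a tag of the form "# vpnfailsafe-example:<name>:" (a convention of this example, not the project's) so the pins can be removed later without touching other entries. The file path is a parameter so the functions can be exercised on a scratch copy; the addresses in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not the vpnfailsafe project's own code.
MARKER="# vpnfailsafe-example"

# resolve_v4 NAME: IPv4 addresses of NAME, one per line, via the libc resolver. Must run
# while outside DNS is still reachable, i.e. before the firewall is locked down.
resolve_v4() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# hosts_pin FILE NAME IP...: replace any earlier pins for NAME with one line per address.
# Refuses to act with no addresses, so a failed lookup never erases a still-valid pin.
hosts_pin() {
  file=$1; name=$2; shift 2
  [ $# -gt 0 ] || { echo "hosts_pin: no addresses for $name, keeping existing entries" >&2; return 1; }
  tag="$MARKER:$name:"
  tmp=$(mktemp) || return 1
  grep -v -F -- "$tag" "$file" > "$tmp" 2>/dev/null || true   # grep exits 1 if nothing remains
  for ip in "$@"; do
    printf '%s %s %s\n' "$ip" "$name" "$tag" >> "$tmp"
  done
  chmod 644 "$tmp" && mv "$tmp" "$file"   # write via temp + rename; /etc/hosts stays world-readable
}

# hosts_unpin_all FILE: remove every line this script added, leaving the rest untouched.
hosts_unpin_all() {
  file=$1
  tmp=$(mktemp) || return 1
  grep -v -F -- "$MARKER" "$file" > "$tmp" 2>/dev/null || true
  chmod 644 "$tmp" && mv "$tmp" "$file"
}

# hosts_lookup FILE NAME: the addresses FILE currently maps NAME to (what files-based
# name resolution would answer for it).
hosts_lookup() { awk -v n="$2" '$1 !~ /^#/ && $2 == n { print $1 }' "$1"; }

case "${1:-}" in
  pin)   hosts_pin /etc/hosts "$2" $(resolve_v4 "$2") ;;   # word splitting intended
  reset) hosts_unpin_all /etc/hosts ;;
esac
```

`sh hosts_example.sh pin vpn1.example.com` (constructed name) pins whatever the resolver returns; `sh hosts_example.sh reset` is the cleanup step for when the entries have gone stale. Re-pinning a name replaces its old addresses instead of accumulating duplicates.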

Will vpnfailsafe protect me against DNS leaks?

Yes. See "How does it work?" for more details.

That being said, if your life, job, or whatever you care about depend on your IP not leaking, consider that this script has been tested by only a handful of people. YMMV.

Will vpnfailsafe protect me against all forms of IP leaks?

No. Application level leaks can still happen, via protocols like WebRTC. The user can also announce their identity to the world and no script will stop them.

Do I still need to configure a firewall?

Yes. vpnfailsafe limits what kind of traffic is allowed, but only to achieve its goals. Otherwise everything is passed through to pre-existing firewall rules.

An example of a basic firewall is included as extras/basic_firewall.sh.

Aren't there already scripts that do all that?

One would think so, but then one would be wrong.

What is out there are mostly "applications", with non-optional GUIs and thousands of lines of code behind them, often VPN-provider specific.

What else can I do to improve my security/privacy?

As far as OpenVPN goes, you can check the hardening section of the official documentation.

The steps necessary to run OpenVPN as an unprivileged user can be run automatically via the openvpn-unroot script.
