Hi all, I’m trying to have my rpi5 running raspberry OS communicate with the Internet only through the tun0 interface (vpn). For this I wanted to create a ufw ruleset. Unfortunately, I’ve hit a roadblock and I can’t figure out where I’m going wrong.

Can you help me discover why this ruleset doesn’t allow Internet communication over tun0? When I disable ufw I can access the Internet.

The VPN connection is already established, so it should keep working, right?

I hope you can help me out!

This is the script with the ruleset:

```sh
sudo ufw reset

# Set default policies
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow SSH access
sudo ufw allow ssh

# Allow local network traffic
sudo ufw allow from 192.168.0.0/16
sudo ufw allow out to 192.168.0.0/16

# Allow traffic through VPN tunnel
sudo ufw allow in on tun0
sudo ufw allow out on tun0

# Add routing between interfaces (I read it's necessary, not sure why?)
sudo ufw route allow in on tun0 out on wlan0
sudo ufw route allow in on wlan0 out on tun0

sudo ufw enable
```

  • mnmalst@lemmy.zip · 4 upvotes · edited · 16 hours ago

    This is how I do it:

    ```sh
    sudo ufw default deny outgoing
    sudo ufw default deny incoming
    sudo ufw allow out on tun0 from any to any

    sudo ufw allow out to VPN_IP_ADDRESS proto udp
    ```

    You have to do the last line for all your VPN server IPs, or the initial DNS request will not go through, if you connect through UDP.

    • catloaf@lemm.ee · 1 upvote · 18 hours ago

      *or the initial VPN connection request will not go through.

      But mentioning DNS is a good point: if you’re addressing your VPN server by hostname, your client will need to be able to resolve that name somehow, either by running a DNS server elsewhere on your LAN and allowing traffic to the LAN (which is how I do it) or by allowing DNS traffic from the VPN client to a DNS server on the Internet.

    • sykaster@feddit.nl (OP) · 1 upvote, 1 downvote · 20 hours ago

      Interesting, but by the time I apply the rules the VPN connection has already been established. Wouldn’t that remove the necessity for the last line?

      • mnmalst@lemmy.zip · 1 upvote · edited · 20 hours ago

        Just to be clear, this is a kill switch, that's what you want, right? So that it's only possible to connect through the VPN (tun0), and if the VPN goes down your internet gets "killed" so you don't leak your IP.

        In that case you want to start ufw when your system starts, so you would need to whitelist your VPN. If your VPN is already connected it should work without whitelisting the IP, I guess, but I never tried it since that's not recommended.

          • sykaster@feddit.nl (OP) · 2 upvotes · 19 hours ago

          Understood, yes it’s a kill switch. I’ll test your set of rules in a bit and let you know!
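The kill-switch ruleset mnmalst describes, with catloaf's point about name resolution folded in, as an added example script (not code from anyone in the thread). It generates the ufw commands as a reviewable list before applying them, emits one rule per VPN endpoint so the tunnel can be established after boot, and restricts the physical interface to exactly those endpoints plus a LAN resolver and LAN SSH. The endpoint addresses (TEST-NET-3 placeholders), port 1194/udp and the resolver address 192.168.1.1 are assumptions to replace; tun0, wlan0 and 192.168.0.0/16 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the kill-switch ruleset the
# replies above describe: deny everything by default, allow traffic out on
# the tunnel, and open the physical interface only to the VPN endpoints
# (one rule per server IP) plus a DNS resolver on the LAN, so the tunnel
# can be (re)established after boot without leaking anything else.
# Assumed/placeholder values: VPN_SERVERS (TEST-NET-3 addresses, replace
# with your provider's IPs), VPN_PORT/VPN_PROTO (1194/udp is a guess),
# LAN_DNS (your LAN resolver). tun0, wlan0 and 192.168.0.0/16 are the
# values used in the thread.
VPN_SERVERS="${VPN_SERVERS:-203.0.113.10 203.0.113.11}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
LAN_DNS="${LAN_DNS:-192.168.1.1}"
WAN_IF="${WAN_IF:-wlan0}"
VPN_IF="${VPN_IF:-tun0}"

# Print the ufw commands one per line; nothing is executed here, so the
# ruleset can be reviewed (or diffed) before it touches the firewall.
build_rules() {
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    # Management: SSH only from the LAN, only via the physical interface.
    echo "ufw allow in on $WAN_IF from $LAN_NET to any port 22 proto tcp"
    # Name resolution before the tunnel is up: only to the LAN resolver.
    echo "ufw allow out on $WAN_IF to $LAN_DNS port 53 proto udp"
    echo "ufw allow out on $WAN_IF to $LAN_DNS port 53 proto tcp"
    # The encapsulated VPN traffic itself, one rule per endpoint address.
    for ip in $VPN_SERVERS; do
        echo "ufw allow out on $WAN_IF to $ip port $VPN_PORT proto $VPN_PROTO"
    done
    # Everything else leaves only through the tunnel. Replies to these
    # flows come back via ufw's built-in RELATED,ESTABLISHED rules, so no
    # 'allow in on tun0' is needed for a client-only box.
    echo "ufw allow out on $VPN_IF from any to any"
    echo "ufw --force enable"
}

# Run the generated commands with root privileges; stop at the first failure.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        sudo $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Quick leak check once the rules are in: a request pinned to the physical
# interface must fail, one over the tunnel must succeed.
check_killswitch() {
    if curl -s -m 5 --interface "$WAN_IF" https://example.com >/dev/null; then
        echo "LEAK: traffic left via $WAN_IF" >&2
        return 1
    fi
    curl -s -m 5 --interface "$VPN_IF" https://example.com >/dev/null \
        && echo "ok: only $VPN_IF reaches the internet"
}

case "${1:-}" in
    --apply) apply_rules ;;
    --check) check_killswitch ;;
    *) build_rules ;;
esac
```

Run it without arguments to see the rules, with `--apply` to install them, and with `--check` afterwards to confirm that a request bound to wlan0 is blocked while one bound to tun0 gets through. Because the script only opens wlan0 to the listed endpoint IPs, a provider that rotates server addresses needs the list refreshed, which is the point mnmalst makes about covering every server IP.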