Kill Switch OpenVPN

Hi. I’ve just managed to set up Brian Hornsby’s OpenVPN addon on my Vero 4K+. It was a steep learning curve for me but my VPN (PIA) seems to be working great - thanks to those who have taken the time to share step by step instructions! The only thing I have absolutely no idea about is whether my internet connection will be cut automatically if the VPN drops for any reason, which is what I would want to happen. I’ve also no idea if the OpenVPN addon will notify me if the VPN unexpectedly disconnects. I’ve read a bit about iptables / kill switches, but it doesn’t make much sense to me yet. Can someone point me in the right direction or offer any advice please? Thanks.

Hi,

I don’t think Brian Hornsby’s addon comes with a kill switch, but it can be implemented via the command line.

Setup is discussed here:

Thanks Tom.

Hey, many thanks Tom. There’s a lot for me to take in here so will need some time to get my head around this. Really appreciate the response.


Hi Tom

I have to admit I’m not really sure what I’m doing here (although I’m quite enjoying trying to learn), but this is what I’ve done so far. If you haven’t got time for this then no problem, it’s not vital I make this work.

sudo cp /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@.service
sudo nano /etc/systemd/system/openvpn@.service
then added the following under services
Restart=on-failure
RestartSec=5

Then sudo iptables to make mine look exactly like this…

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

Is this correct? No idea if my information needs to be adapted from this example, which I copied from the thread you linked me to.

When I type curl ipinfo.io/ip with vpn on, it returns my vpn’s address. With the vpn turned off, it returns nothing. I also tried disconnecting the vpn (via Brian Hornsby’s addon) whilst streaming something and the stream continued for around 5-10 seconds then stopped - Vero hung for a while, then no ip address was being issued when I checked.

I didn’t want to go any further at this point. I tried to save these settings in order to save me editing iptables each time after reboot whilst experimenting, but building(?) iptables-persistent hung on 0%.

Interested to hear your thoughts - this may be a step too far for me.

Thanks

Hi,

If you are using Brian Hornsby’s addon, this bit shouldn’t be required, as the addon is starting openvpn. It doesn’t look like you’ve enabled it, so just leave it as it is and concentrate on the iptables bit.

This would confirm that the kill switch is running as expected.

This shouldn’t be happening. I would try rebooting, add the firewall rules in again and issue:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent

Thanks Tom.

Hi

Thanks for the response.

If you are using Brian Hornsby’s addon, this bit shouldn’t be required

Ah, that makes sense.

I managed to get the last three commands to work this time and it looks like it’s all working. After cutting the vpn, streamed video continues to play for 10-15 seconds before stopping - I’m guessing that’s video that’s been downloaded into cache(?) rather than the video continuing to download after disconnecting the vpn?

I suggest changing the nameserver ip addresses, in /etc/resolv.conf to PIAs:

209.222.18.222 and 209.222.18.218

I’m guessing this is also irrelevant in my case?

Can I also just check that the iptables I copied don’t need to be modified in any way for my own network?

Thanks again.

Sorry Tom, a couple more questions then I’ll leave you alone.

When creating a login.conf file (I created a pass.txt file instead) with my username and password in /etc/openvpn, do I need to do the following…?
sudo chmod 400 /etc/openvpn/login.conf (/pass.txt)

I missed this bit out but all seems ok.

Also, are these steps necessary to prevent DNS leaks now I have edited iptables?

  1. sudo apt-get install openresolv

  2. script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

Thank you.

Hi,

Sounds right to me.

You don’t need /etc/openvpn/login.conf (/pass.txt), as you’ve set the login via the Brian Hornsby addon.

The easiest way to prevent DNS leaks, without openresolv, is just to use DNS servers which are not provided by your ISP, and being as you want the VPN to be always on, this is what I would do. Set a static IP (if you haven’t already got one) via MyOSMC and set the DNS servers to either the ones provided by your VPN provider or use 1.1.1.1 & 1.0.0.1

Thanks Tom.
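The two questions raised above, whether the copied rules actually form a kill switch and whether DNS can still leak, can be checked offline by parsing the `iptables -S` listing posted earlier. This is an added example, not code from the thread or from the OpenVPN addon; the rule text is the listing from the thread, and the interface names (eth0, tun0) and the PIA port (1198) are assumptions taken from it.

```python
# Constructed input: the `iptables -S` output posted in the thread.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
"""

OPTS = ("-o", "-p", "-d", "-m", "--dport", "--sport", "-j")

def parse_rules(text):
    """Turn `-A` lines of `iptables -S` output into dicts of option -> value."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "-A":
            continue                      # skip -P policy lines and blanks
        rule, i = {"chain": parts[1]}, 2
        while i < len(parts):
            if parts[i] in OPTS and i + 1 < len(parts):
                rule[parts[i]] = parts[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules

def check_kill_switch(text, wan_if="eth0", vpn_if="tun0", vpn_port="1198"):
    """Findings about the OUTPUT chain: does it only let traffic out via the tunnel?"""
    out = [r for r in parse_rules(text) if r["chain"] == "OUTPUT"]
    wan = [r for r in out if r.get("-o") == wan_if]
    def accepts(**want):          # any ACCEPT rule on wan_if matching the given options
        return any(r.get("-j") == "ACCEPT" and r.get("-o") == wan_if
                   and all(r.get(k) == v for k, v in want.items()) for r in out)
    return {
        "tunnel_allowed": any(r.get("-o") == vpn_if and r.get("-j") == "ACCEPT" for r in out),
        "vpn_handshake_allowed": accepts(**{"--dport": vpn_port}),
        # last rule for the WAN interface must be an unconditional DROP (only chain/-o/-j set)
        "wan_default_drop": bool(wan) and wan[-1].get("-j") == "DROP" and len(wan[-1]) == 3,
        # port 53 accepted straight out of the WAN interface: resolver choice decides leaks
        "dns_leaves_wan": accepts(**{"--dport": "53"}),
        # interfaces with a catch-all DROP; anything else falls through to the chain policy
        "dropped_interfaces": sorted({r["-o"] for r in out if r.get("-j") == "DROP"
                                      and "-p" not in r and "-d" not in r}),
    }
```

For the posted ruleset every check passes except that DNS to port 53 is accepted out of eth0 before the final DROP, which is exactly why the nameserver choice above matters; note also that only eth0 gets the catch-all DROP, so with `-P OUTPUT ACCEPT` any other interface is left unrestricted.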

Thanks mate, all makes sense. Appreciate your time. I’d set a few things up prior to using Brian Hornsby’s addon (like pass.txt) so now realise I don’t need to do this.
