How can we have an always on VPN
#1
On my android smartphone I had an 'always on' VPN. Has anyone configured their pinephone in the same way?



I would like it to start a wireguard VPN before bringing up the wifi or mobile interfaces, as well as a kill-switch if the VPN disconnects somehow.

Edit: This is what I ended up doing:

I used wg-quick and the iptables rules @tophneal suggested (I didn't use the ip6tables commands).
Code:
PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT


1. Create an appropriate config /etc/wireguard/wg0.conf and create the private/public keys

2. I turned off ipv6 because I'm not using it

/etc/sysctl.d/disable-ipv6.conf
Code:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

For the wg-quick script utility and for wg-quick to be able to set the DNS
Code:
pacman -S wireguard-tools  systemd-resolvconf
# use systemd-resolved for dns
systemctl enable systemd-resolved
(https://wiki.archlinux.org/title/WireGua...resolution)

3. Start the service and enable it at boot
Code:
# Try starting and stopping the service to ensure the configuration is working
wg-quick up wg0
# test the config
wg-quick down wg0

# enable the service
systemctl enable wg-quick@wg0


Caveats:
The VPN is not started until the network is already up, so there is a short time during boot where packets could leak. Since it should still stay online when it's disconnected and when we changing interfaces, this was an acceptable compromise for me.

We could further improve it by copying and modifying the wg-quick systemd service so that it adds the firewall rule before we connect to the vpn and have it start earlier in the boot.
(see https://www.wireguard.com/netns/ for other ideas and explanation of how the wg-quick routing works)

Edit 2:
Now that I've tested it with the mobile modem as well, it turns out that the connection is not maintained when the interface changes. Based on the wg-quick rules I thought that it would continue to work, so further changes are needed.

Edit 3:
To work around this issue in the meantime I am persisting the killswitch firewall rule when restarting the VPN, using ' -C <rule> || -I <rule' so that the rule is only added once.
Code:
PostUp  =  iptables -C OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT || iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
  Reply
#2
you should be able to setup your WG server/client with a kill switch. You can certainly also use WG as always on (i think WG calls it On-Demand.) You're unlikely to be able to connect to WG without your network services already up, though. But you can edit the config to add the kill switch. this link should help you get it set up https://www.ivpn.net/knowledgebase/linux...ll-switch/
  Reply
#3
(03-09-2022, 07:01 AM)robocone Wrote: On my android smartphone I had an 'always on' VPN. Has anyone configured their pinephone in the same way?

I would like it to start a wireguard VPN before bringing up the wifi or mobile interfaces, as well as a kill-switch if the VPN disconnects somehow.

I had a script on a previous linux phone to always establish a SSH tunnel(similar to a VPN) to my VPS for all traffic as part of any routeable internet connection.
For the price of most VPNs other than options for switchable location(mostly for TV streaming I think) a cheap Linux(not Windows) VPS does everything, including running a bog standard VPN better and more privately than an average VPN service if you have the skills and a few minutes spread over an afternoon to set it all up.  Some services even take crypto for a more annon setup.
  Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)