Hello!
I'm trying to set up a VPN kill switch inside two of the VMs and I need help setting up firewall rules.
Both VMs are running:
- EndeavourOS
- ufw (firewall)
- KDE
- VPN (Using Network-Manager)
VM1 has OpenVPN set up and VM2 has WireGuard set up. IPv6 is already disabled.
Goal: no network access when the VPN tunnel goes down, aka a kill switch.
Will I be alright if I do the following?
- For VM1 (OpenVPN):
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
sudo ufw allow out 1194/udp
sudo ufw allow in 1194/udp
- For VM2 (WireGuard):
Adding the following to the [Interface] section of /etc/wireguard/wg0.conf:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Am I missing anything here? Does this look good?
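An added offline check (not from the original post) that audits the text of `ufw status verbose` for a rule set like VM1's: it confirms the default outgoing policy is deny, that outbound traffic is bound to the tunnel interface, and flags any other ALLOW OUT rule as a path that would survive the tunnel going down. The function name, the two constructed sample outputs and the column layout are assumptions based on ufw's usual formatting.

```shell
#!/bin/sh
# Offline audit of "ufw status verbose" output for a VPN kill switch.
# Added example, not from the original post; assumes ufw's usual table layout.
# Live use:  audit_killswitch "$(sudo ufw status verbose)" tun0 1194/udp

# Constructed sample: the VM1 rule set, as ufw would print it.
SAMPLE_OK='Status: active
Default: deny (incoming), deny (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
Anywhere on tun0           ALLOW IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
Anywhere                   ALLOW OUT   Anywhere on tun0
1194/udp                   ALLOW OUT   Anywhere'

# Constructed sample of a broken kill switch: default allow plus a DNS hole.
SAMPLE_LEAK='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
53/udp                     ALLOW OUT   Anywhere'

# audit_killswitch RULES TUN PORT: prints findings, returns 0 if no leak path.
audit_killswitch() {
    rules="$1"; tun="$2"; port="$3"; leaks=0
    # 1. Without a deny/reject default, every non-tunnel path stays open.
    if ! printf '%s\n' "$rules" | grep -Eq 'Default: .*(deny|reject) \(outgoing\)'; then
        echo "LEAK: default outgoing policy is not deny"; leaks=$((leaks + 1))
    fi
    # 2. Tunnel traffic itself must be allowed, or the VPN cannot carry anything.
    if ! printf '%s\n' "$rules" | grep -Eq "ALLOW OUT +Anywhere on $tun\$"; then
        echo "WARN: no ALLOW OUT rule bound to $tun"
    fi
    # 3. Any other ALLOW OUT rule is a path that survives the tunnel going down.
    others=$(printf '%s\n' "$rules" | grep 'ALLOW OUT' | grep -v "on $tun\$" | grep -v "^$port ") || true
    if [ -n "$others" ]; then
        printf 'LEAK: outbound rule not tied to %s:\n%s\n' "$tun" "$others"
        leaks=$((leaks + $(printf '%s\n' "$others" | wc -l)))
    fi
    # 4. The endpoint rule is port-wide: it reaches any host on that port, not only the VPN server.
    if printf '%s\n' "$rules" | grep -Eq "^$port +ALLOW OUT +Anywhere\$"; then
        echo "NOTE: $port is allowed to any host; pin it to the VPN server address if possible"
    fi
    [ "$leaks" -eq 0 ]
}
```

Run it against the live output before and after pulling the tunnel down; the return code is what a cron or systemd health check can act on.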