Block network connections if VPN not connected


occamsrazor

Posts: 10
Joined: Mon Apr 26, 2010 5:42 am

Post by occamsrazor » Tue Nov 08, 2011 9:30 pm
Hi,

I seem to remember this may have been asked before, but I can't find it....

I use Viscosity with Witopia and would like to have my Mac automatically connect to it and automatically reconnect if it drops. Basically I want that VPN connection running all the time with all traffic forced over it.

In addition, I would like for all network connections from the machine to be blocked IF the VPN connection is down (I guess except connections to that specific VPN server)

Is that at all possible?

Thanks,
Ben

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Nov 11, 2011 11:01 pm
Hi Ben,

In most cases OpenVPN itself should be automatically retrying if the connection to the VPN server drops. If this isn't occurring, make sure you have the Persist Tun and Persist Key options checked. For more serious dropouts (where your computer loses its network connection) Viscosity should inform you that the vpn connection has been disconnected and ask if you want it to automatically reconnect when the network becomes available again. Click the "Automatically Connect" button, and tick the "Do not show this message again" checkbox so this action is always performed.

See these two forum posts regarding blocking traffic when the VPN is not active:
http://www.thesparklabs.com/forum/viewt ... 1417#p1417
http://www.thesparklabs.com/forum/viewtopic.php?p=771

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

occamsrazor

Posts: 10
Joined: Mon Apr 26, 2010 5:42 am

Post by occamsrazor » Mon Nov 14, 2011 9:08 pm
James wrote:
Click the "Automatically Connect" button, and tick the "Do not show this message again" checkbox so this action is always performed.
Thanks James... Can you advise where to find this option exactly? Am running 1.3.4 (1030) Witopia edition and can't find it.
Also will this connect automatically on startup? Or only reconnect an already-running connection when dropped?
Thanks, Ben

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Nov 15, 2011 12:14 am
Hi Ben,

While connected to your VPN server, pull your network cable out (or turn off your wifi) and you should see it.

To have a connection connect when Viscosity starts up, edit it in Viscosity and tick the "Connect when Viscosity opens" checkbox in the bottom left.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

occamsrazor

Posts: 10
Joined: Mon Apr 26, 2010 5:42 am

Post by occamsrazor » Tue Nov 15, 2011 7:18 pm
James wrote:
While connected to your VPN server, pull your network cable out (or turn off your wifi) and you should see it.
When I do that, the connection icon stays green, then eventually goes to orange, but I get no pop-up window. Tried it on wifi and ethernet.
I would suggest that the "automatically re-connect" functionality would be better placed as a checkbox in that connection's setup details/preferences.
Thanks,
Ben

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Nov 15, 2011 9:38 pm
Hi Ben,

Try with the latest beta version instead. It does contain a number of improvements regarding detecting server reachability:
http://www.thesparklabs.com/forum/viewt ... p=134#p134

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

occamsrazor

Posts: 10
Joined: Mon Apr 26, 2010 5:42 am

Post by occamsrazor » Mon Nov 28, 2011 7:18 pm
The "automatically connect" is working now with the latest beta.
I'll look into the blocking-when-not-connected later.
Thanks....

rink

Posts: 1
Joined: Sun Jan 01, 2012 6:24 pm

Post by rink » Sun Jan 01, 2012 7:04 pm
Hello,

I was able to block connections in case the VPN drops using the new firewall utility that comes with Lion: pf

This is what I did to set new basic rules for the firewall, and enable it at startup:

First I went to /etc/pf.conf and added the following lines to the end of the txt file, after the "load anchor "com.apple" from "/etc/pf.anchors/com.apple"" line:
# physical interface used to reach the internet (en0 = ethernet; see below for wifi / 3g)
IF = "en0"
# tunnel interface created by OpenVPN / Viscosity
IF_VPN = "tun0"

# never filter loopback traffic
set skip on lo0

# default deny: drop (and log) everything not matched by a later pass rule
block log all

# the only thing allowed on the physical interface is the VPN server itself;
# replace server-ip1 .. server-ip4 with your provider's addresses
pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }

# everything is allowed once it travels inside the tunnel
pass on $IF_VPN

The first line tells what interface you're using to connect. I'm connecting directly by an ethernet cable, that's why I used "IF = en0"; you can change that to "IF = en1" if using wifi or "IF = ppp0" if using a usb 3g modem.

The rest is vpn-provider specific, my provider has 4 different servers, available on the 1194 udp port or 443 tcp port, using the tun0 interface.

My vpn uses ip addresses in its config file, but some providers use a hostname instead (like server.vpnvprovider.com). I'm not sure if a hostname can be used inside the {} as in:

pass on $IF proto { udp, tcp } to { server.vpnvprovider.com } port { 1194, 443 }

It's probably possible but we would have to leave port 53 open so the DNS resolves the hostname to an ip, and I suppose that could be considered a "leak" :)
In case your provider provides you only with a hostname instead of an ip address, you can find out the ip addresses using the terminal with the command "nslookup". Example:

nslookup google.com

Non-authoritative answer:
Name:	google.com
Address: 173.194.34.112
Name:	google.com
Address: 173.194.34.113
Name:	google.com
Address: 173.194.34.114
Name:	google.com
Address: 173.194.34.115
Name:	google.com
Address: 173.194.34.116
Now you can add the addresses it returns to the "pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }" line.

Finally, to start the firewall up and make it start at startup (it's off by default), go to /System/Library/LaunchDaemon/com.apple.pfctl.plist, and edit that file to add a "<string>-e</string>" line so that part looks like this:

	<array>
		<string>pfctl</string>
		<string>-e</string>
		<string>-f</string>
		<string>/etc/pf.conf</string>
	</array>
Reboot and the firewall should be up now. It will appear as if you're not connected to any network; the only app that will be able to use the internet will be Viscosity. You can run it now and connect to your VPN :)

I hope this helps. I tested this a little and it worked fine for me, but I barely know how to use pf, so I hope I haven't done anything wrong (:

To disable the firewall just edit /System/Library/LaunchDaemon/com.apple.pfctl.plist back to what it was and reboot.
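Added example for this thread (my own code, not rink's ruleset and not anything shipped by Viscosity or Apple): a small script that takes the "nslookup" output rink describes, pulls out the answer addresses (skipping the resolver's own Server/Address header that real nslookup prints first), and writes a pf.conf fragment in the same default-deny shape as rink's rules. The interface names, the VPN hostname and every address below are constructed placeholders; the generated rule is narrowed to "pass out ... keep state" so only outbound connections to the VPN server are opened on the physical interface, with replies admitted by state rather than by a blanket "pass on".

```python
"""Build a pf "kill switch" ruleset from nslookup output (added example)."""
import ipaddress
import re

# Constructed sample of `nslookup vpn.example.invalid` output on macOS.
# The first Server/Address pair is the DNS resolver, not the VPN host,
# and must not end up in the pass rule.
SAMPLE_NSLOOKUP = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tvpn.example.invalid
Address: 198.51.100.10
Name:\tvpn.example.invalid
Address: 198.51.100.11
Name:\tvpn.example.invalid
Address: 2001:db8::10
"""


def parse_nslookup(output):
    """Return the answer-section addresses (IPv4 and IPv6), in order, without duplicates."""
    addrs = []
    in_answer = False
    for line in output.splitlines():
        # The answer section starts at "Non-authoritative answer:" or the first "Name:" line.
        if line.startswith("Non-authoritative answer") or line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue  # still in the resolver header; ignore its Address line
        m = re.match(r"Address:\s*(\S+)", line)
        if not m:
            continue
        candidate = m.group(1).split("#")[0]  # strip a trailing "#port" if present
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # not an address; skip rather than emit garbage into pf.conf
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def build_pf_conf(ext_if, vpn_if, server_ips, ports=(1194, 443)):
    """Return a pf.conf fragment: deny everything except the VPN server(s) and the tunnel."""
    if not server_ips:
        # An empty list would silently produce a ruleset that blocks the VPN itself.
        raise ValueError("refusing to build a ruleset with no VPN server addresses")
    ips = ", ".join(server_ips)
    port_list = ", ".join(str(p) for p in ports)
    return "\n".join([
        f'ext_if = "{ext_if}"',
        f'vpn_if = "{vpn_if}"',
        "set skip on lo0",
        "block log all",
        f"pass out on $ext_if proto {{ udp, tcp }} to {{ {ips} }} port {{ {port_list} }} keep state",
        "pass on $vpn_if",
        "",
    ])


if __name__ == "__main__":
    servers = parse_nslookup(SAMPLE_NSLOOKUP)
    print(build_pf_conf("en0", "tun0", servers))
```

Save the printed fragment to /etc/pf.conf (after the Apple anchor line, as rink does) and run "sudo pfctl -nf /etc/pf.conf" first: "-n" parses the file without loading it, so a typo shows up before you lock yourself out. Because "block log all" also blocks DNS, the hostname has to be resolved before the rules are loaded, which is exactly why the script takes nslookup output rather than resolving at load time.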

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Jan 02, 2012 3:21 am
Thanks for your contribution rink - I'm sure others will find it very handy!

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Fhoxh

Posts: 2
Joined: Mon Jan 02, 2012 5:47 pm

Post by Fhoxh » Mon Jan 02, 2012 5:51 pm
rink,

That's very useful. Thank you!

The only thing I'd mention would be that it's actually:

/System/Library/LaunchDaemons/com.apple.pfctl.plist

not:

/System/Library/LaunchDaemon/com.apple.pfctl.plist

I.e., 'LaunchDaemons' is plural.