SparkLabs Forum.



Block network connections if VPN not connected

Hi,

I seem to remember this may have been asked before, but I can't find it....

I use Viscosity with Witopia and would like to have my Mac automatically connect to it and automatically reconnect if it drops. Basically I want that VPN connection running all the time with all traffic forced over it.

In addition, I would like for all network connections from the machine to be blocked IF the VPN connection is down (I guess except connections to that specific VPN server)

Is that at all possible?

Thanks,
Ben
Hi Ben,

In most cases OpenVPN itself should be automatically retrying if the connection to the VPN server drops. If this isn't occurring, make sure you have the Persist Tun and Persist Key options checked. For more serious dropouts (where your computer loses its network connection) Viscosity should inform you that the vpn connection has been disconnected and ask if you want it to automatically reconnect when the network becomes available again. Click the "Automatically Connect" button, and tick the "Do not show this message again" checkbox so this action is always performed.

See these two forum posts regarding blocking traffic when the VPN is not active:
viewtopic.php?p=1417#p1417
viewtopic.php?p=771

Cheers,
James
James wrote:
Click the "Automatically Connect" button, and tick the "Do not show this message again" checkbox so this action is always performed.


Thanks James... Can you advise where to find this option exactly? I am running 1.3.4 (1030) Witopia edition and can't find it.
Also will this connect automatically on startup? Or only reconnect an already-running connection when dropped?
Thanks, Ben
Hi Ben,

While connected to your VPN server, pull your network cable out (or turn off your wifi) and you should see it.

To have a connection connect when Viscosity starts up, edit it in Viscosity and tick the "Connect when Viscosity opens" checkbox in the bottom left.

Cheers,
James
James wrote:
While connected to your VPN server, pull your network cable out (or turn off your wifi) and you should see it.


When I do that, the connection icon stays green, then eventually goes to orange, but I get no pop-up window. Tried it on wifi and ethernet.
I would suggest that the "automatically re-connect" functionality would be better placed as a checkbox in that connection's setup details/preferences.
Thanks,
Ben
Hi Ben,

Try with the latest beta version instead. It does contain a number of improvements regarding detecting server reachability:
viewtopic.php?p=134#p134

Cheers,
James
The "automatically connect" is working now with the latest beta.
I'll look into the blocking-when-not-connected later.
Thanks....
Hello,

I was able to block connections in case the VPN drops using the new firewall utility that comes with Lion: pf

This is what I did to set new basic rules for the firewall, and enable It at startup:

First I went to /etc/pf.conf and added the following lines to the end of the txt file, after the "load anchor "com.apple" from "/etc/pf.anchors/com.apple"" line:


IF = en0
IF_VPN = tun0

set skip on lo0

block log all

pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }

pass on $IF_VPN


The first line tells what interface you're using to connect. I'm connecting directly by an ethernet cable, that's why I used "IF = en0"; you can change that to "IF = en1" if using wifi or "IF = ppp0" if using a USB 3G modem.

The rest is VPN-provider specific: my provider has 4 different servers, available on UDP port 1194 or TCP port 443, using the tun0 interface.

My VPN uses IP addresses in its config file, but some providers use a hostname instead (like server.vpnvprovider.com). I'm not sure if a hostname can be used inside the {} as in:


pass on $IF proto { udp, tcp } to { server.vpnvprovider.com } port { 1194, 443 }


It's probably possible, but we would have to leave port 53 open so the DNS resolves the hostname to an IP, and I suppose that could be considered a "leak" :)
In case your provider provides you only with a hostname instead of an IP address, you can find out the IP addresses using the terminal with the command "nslookup". Example:


nslookup google.com

Non-authoritative answer:
Name:   google.com
Address: 173.194.34.112
Name:   google.com
Address: 173.194.34.113
Name:   google.com
Address: 173.194.34.114
Name:   google.com
Address: 173.194.34.115
Name:   google.com
Address: 173.194.34.116


Now you can add the addresses it returns to the "pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }" line.

Finally, to start the firewall up and make it start at startup (it's off by default), go to /System/Library/LaunchDaemon/com.apple.pfctl.plist, and edit that file to add a "<string>-e</string>" line so that part looks like this:


   <array>
      <string>pfctl</string>
      <string>-e</string>
      <string>-f</string>
      <string>/etc/pf.conf</string>
   </array>


Reboot and the firewall should be up now. It will appear as if you're not connected to any network; the only app that will be able to use the internet will be Viscosity, so you can run it now and connect to your VPN :)

I hope this helps. I tested this a little and it worked fine for me, but I barely know how to use pf, so I hope I haven't done anything wrong (:

To disable the firewall, just edit /System/Library/LaunchDaemon/com.apple.pfctl.plist back to what it was and reboot.
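The two manual steps in the post above (pulling the server addresses out of nslookup output, then writing them into the pass rule) can be done by a small script. The following is an added example, not rink's configuration or anything shipped with Viscosity or macOS: the interface names, the hostname vpn.example.com and the addresses 198.51.100.x are constructed placeholders, and the nslookup output is a constructed sample. It puts the server addresses into a pf table instead of a brace list, which keeps the pass rule unchanged when the address list grows.

```shell
#!/bin/sh
# Added example: build a pf "kill switch" ruleset for OpenVPN from a list of
# VPN server addresses. Not part of the original post; names are placeholders.

# Constructed sample of nslookup output for a hypothetical VPN hostname.
# The first "Address:" line is the resolver itself (note the "#53" suffix)
# and must not end up in the ruleset.
SAMPLE_NSLOOKUP='Server:		192.0.2.53
Address:	192.0.2.53#53

Non-authoritative answer:
Name:	vpn.example.com
Address: 198.51.100.10
Name:	vpn.example.com
Address: 198.51.100.11'

# Print one address per line, taking only the "Address:" lines that come
# after the "Non-authoritative answer:" marker.
extract_addresses() {
    printf '%s\n' "$1" | awk '/^Non-authoritative answer:/ { answer = 1; next }
                               answer && /^Address:/ { print $2 }'
}

# Emit a pf ruleset: default deny on the physical interface, allow only
# OpenVPN (UDP/TCP 1194 and 443) to the listed servers, allow everything
# over the tunnel interface. Arguments: physical interface, tunnel
# interface, space-separated server addresses.
build_ruleset() {
    phys="$1"; tun="$2"; servers="$3"
    list=$(printf '%s' "$servers" | sed 's/ /, /g')
    cat <<EOF
# generated pf kill-switch ruleset (placeholder addresses)
IF = "$phys"
IF_VPN = "$tun"
table <vpn_servers> { $list }

set skip on lo0
block log all
pass on \$IF proto { udp, tcp } to <vpn_servers> port { 1194, 443 }
pass on \$IF_VPN
EOF
}

# Resolve the sample, then print the ruleset for en0 / tun0.
addresses=$(extract_addresses "$SAMPLE_NSLOOKUP" | tr '\n' ' ' | sed 's/ $//')
build_ruleset en0 tun0 "$addresses"
```

Write the output to a file and check it with `pfctl -nf <file>` (parse only, no load) before pointing com.apple.pfctl.plist at it. As with the ruleset in the post, nothing else on the physical interface is allowed, so DHCP renewals and local DNS lookups stay blocked while the tunnel is down; that is why the servers have to be listed by address rather than by hostname.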
Thanks for your contribution rink - I'm sure others will find it very handy!

Cheers,
James
rink,

That's very useful. Thank you!

The only thing I'd mention would be that it's actually:


/System/Library/LaunchDaemons/com.apple.pfctl.plist


not:


/System/Library/LaunchDaemon/com.apple.pfctl.plist


I.e., 'LaunchDaemons' is plural.

Copyright © 2016 SparkLabs Pty Ltd. All Rights Reserved. Privacy Policy