this post was submitted on 27 Apr 2025

33 points (92.3% liked)

Linux

53684 readers

547 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Allow traffic only through tun0 via wlan0, ssh, and localhost in and out (self.linux)

submitted 3 days ago* (last edited 3 days ago) by sykaster to c/linux@lemmy.ml

29 comments fedilink hide all child comments

Hi all, I'm trying to have my rpi5 running raspberry OS communicate with the Internet only through the tun0 interface (vpn). For this I wanted to create a ufw ruleset. Unfortunately, I've hit a roadblock and I can't figure out where I'm going wrong.

Can you help me discover why this ruleset doesn't allow Internet communication over tun0? When I disable ufw I can access the Internet.

The VPN connection is already established, so it should keep working, right?

I hope you can help me out!

This is the script with the ruleset: sudo ufw reset

Set default policies

sudo ufw default deny incoming

sudo ufw default deny outgoing

Allow SSH access

sudo ufw allow ssh

Allow local network traffic

sudo ufw allow from 192.168.0.0/16

sudo ufw allow out to 192.168.0.0/16

Allow traffic through VPN tunnel

sudo ufw allow in on tun0

sudo ufw allow out on tun0

Add routing between interfaces (I read its necessary, not sure why?)

sudo ufw route allow in on tun0 out on wlan0

sudo ufw route allow in on wlan0 out on tun0

sudo ufw enable

you are viewing a single comment's thread
view the rest of the comments

[–] just_another_person@lemmy.world 5 points 3 days ago* (last edited 3 days ago) (1 children)

ufw is a firewall. Routing controls traffic flow. You want to set the default route of that machine to only use the tun0 interface. Random link explains

As a secondary step you can set your firewall to block any traffic trying to exit an interface I suppose, but it really shouldn't be necessary.

For your other services on the local network for your subnet, just add a secondary route only for your subnet that uses your router as a gateway.

[–] sykaster 1 points 3 days ago (2 children)

That makes sense, but it's possible that the VPN connection drops for a second, and then it can't re-establish it, right? How would I deal with that?

[–] JoeyHarrington@lemmy.ca 1 points 3 days ago

Remove default route using physical interface

Add route only to the IP of the VPN server

Bring up VPN

Add default route to traverse the tunnel

[–] just_another_person@lemmy.world 1 points 3 days ago (1 children)

It wouldn't be able to communicate with the internet, but would still be able to talk to your local network.

If that's not specifically what you're trying to do, and you don't care if traffic might go out over your regular Internet connection, then you can create a fail over type situation where it will try and use a "backup" route to communicate to the internet if needed, though you'll need to spend some time really making it pretty smooth: https://www.baeldung.com/linux/multiple-default-gateways-outbound-connections

[–] sykaster 1 points 3 days ago (2 children)

I guess what I'm really trying to do is make sure that whatever happens, if the vpn fails (tun0), there is no more communication with the Internet.

[–] HelloRoot@lemy.lol 1 points 3 days ago* (last edited 3 days ago)

That is called a "Kill Switch" try to search for that.

[–] just_another_person@lemmy.world 0 points 3 days ago (1 children)

Then the first setup does that.

[–] sykaster 1 points 3 days ago (1 children)

Except that that set of rules doesn't work, or do you mean defining a default gateway?

[–] just_another_person@lemmy.world 0 points 3 days ago

The default gateway. If it's not passing traffic, your machine doesn't go looking elsewhere for routes that work. Read through both the links, and they'll give you extra background.