
Comments (6)

Rafficer commented on May 27, 2024

The hook option is not a bad idea, although it's a bit of an advanced feature and therefore not really suitable for the majority of users.

What I'd prefer is finding a good way to still allow the local network, but it needs to be solid.

I know that this is a problem and needs to be worked out. I think quite a few people would use the Kill Switch to secure a torrent server. And that's not really possible when blocking local traffic.

from linux-cli-community.

Rafficer commented on May 27, 2024

I'd like to do that but I see two problems with it.

The current implementation of the Kill Switch forces all traffic over the OpenVPN interface as it practically blocks the other interfaces entirely. What I fear with allowing local addresses is some edge case where it doesn't work correctly and then exposing traffic.

And the problem with adding custom rules is that they need to be stored somewhere, let's say in their own file. Because whatever stands in that file is then executed as root, it would need to be properly sanitized to not allow any command to be run. And that's pretty much impossible.

I'm open to ideas on how to solve this. If someone has something in mind, please share!

from linux-cli-community.
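
One way to narrow the problem raised in the comment above, as an added example that is not part of the thread or the project's code: store the local-network exceptions as data (CIDR entries) instead of rule text, validate each entry strictly, and build argument lists so no shell ever parses the file. It assumes an iptables-based Kill Switch with a default-DROP policy; the file format, the function names and the `eth0` interface are hypothetical.

```python
import ipaddress
import re

# Assumptions (not from the project): the Kill Switch is a set of iptables
# rules with a default-DROP policy, and exceptions are stored as data
# (one IPv4 CIDR per line), never as rule text or commands.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")


def parse_lan_allowlist(text):
    """Return the validated networks, or raise ValueError on the first bad line."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not entry:
            continue
        try:
            # strict=True rejects host bits (192.168.1.5/24); anything that is
            # not a bare CIDR, shell metacharacters included, fails to parse.
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not an IPv4 CIDR: {entry!r}") from exc
        # Explicit containment test: 0.0.0.0/0 or a public range would turn
        # the exception into a leak path around the VPN interface.
        if not any(net.subnet_of(parent) for parent in RFC1918):
            raise ValueError(f"line {lineno}: {net} is not inside an RFC 1918 range")
        networks.append(net)
    return networks


def killswitch_exceptions(networks, lan_iface):
    """Build iptables argument vectors (lists, not shell strings) per network."""
    if not IFACE_RE.fullmatch(lan_iface):
        raise ValueError(f"bad interface name: {lan_iface!r}")
    rules = []
    for net in networks:
        dst = str(net)  # canonical text produced by ipaddress, not the raw input
        rules.append(["iptables", "-A", "OUTPUT", "-o", lan_iface, "-d", dst, "-j", "ACCEPT"])
        rules.append(["iptables", "-A", "INPUT", "-i", lan_iface, "-s", dst, "-j", "ACCEPT"])
    return rules


if __name__ == "__main__":
    sample = "# constructed sample\n192.168.1.0/24\n10.20.0.0/16  # lab\n"
    for argv in killswitch_exceptions(parse_lan_allowlist(sample), "eth0"):
        print(" ".join(argv))  # a caller would pass argv to subprocess.run(argv)
```

The containment check uses an explicit RFC 1918 list because `is_private` on a network has returned `True` for `0.0.0.0/0` in some Python versions.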

sargue commented on May 27, 2024

I see your points. I agree it's not easy and this is a sensitive mode of operation so we should be extra careful.

But the current kill switch implementation makes it unusable on any kind of server / headless computer. When I was trying it, my SSH session died. Fortunately it was a VM so I could access via virtual console.

Maybe having hooks I could put a script on the connect hook. Might make sense for other use cases. As an advanced feature, so you don't need to worry about running it as root, it's a user responsibility.


jpinkham commented on May 27, 2024

Thank you all for looking into this. I hadn’t realized that the killswitch option was the cause of my issues until I contacted ProtonVPN support. I had assumed the Linux client would have the same behavior as my Mac desktop client, allowing local access while also having killswitch enabled.

@Rafficer I may try out your patch this weekend if I have time.


Rafficer commented on May 27, 2024

If one of you has experience with Python, it would also be great if you could review #45 :) Only thing that's holding the merge back is that I wanted to have it reviewed thoroughly.


sargue commented on May 27, 2024

I'm not a Python expert but it looks good to me.

