Linux - Kill-switch using the Uncomplicated Firewall (UFW)

Step 1: Let’s update your fresh Ubuntu install.

sudo apt update

Step 2: Now that it’s updated, let’s move on to installing the Uncomplicated Firewall.

sudo apt install ufw

Step 3: Okay, let’s not forget the VPN client installation, of course.

sudo apt install openvpn

Step 4: You can skip this part if you don’t use IPv6, same as me. The following commands are intended only for those disabling IPv6.

sudo apt install vim
sudo vim /etc/default/ufw

Step 5: Change [IPV6=yes] into [IPV6=no], then hit [esc] and type :wq to save and quit. ufw is now installed and configured in /etc/default/ufw. Next, let’s download the VPN configuration file used to connect to the desired VPN server: navigate to the VPN integrations section and click OpenVPN; it redirects you to another page, and at the bottom of it you will find the different Download Config options.

Step 6: Now that we have downloaded the VPN configuration file, fire up your terminal and change to the directory where the file was saved. To connect to your desired VPN server, here’s the command.

sudo openvpn --config file.ovpn

Step 7: Here’s another trick to improve your security while using OpenVPN: since OpenVPN is started as root, dropping to an unprivileged user and group after startup limits the issues that come with running it as root.

sudo openvpn --user <username> --group <groupname> --config file.ovpn

Step 8: Another security option while using OpenVPN, for those more paranoid than me.

sudo openvpn --user <username> --group <groupname> --auth-nocache --mssfix --config file.ovpn

Step 9: Here --mssfix works around MTU (Maximum Transmission Unit) sizing issues, and --auth-nocache avoids caching the username and password in virtual memory. Here’s the log of a successfully established VPN connection.

Step 10: We have verified that our VPN configuration file works; now it’s time to configure the ports using ufw.

sudo ufw default deny incoming
sudo ufw default deny routed
sudo ufw default deny outgoing

Step 11: You’re connected to the wifi but have no internet access. Good, now let’s add the following rules.

sudo ufw allow out on tun0                                  # allow all outbound traffic on the VPN tunnel interface
sudo ufw allow out on tun0 to any port 443 proto <udp/tcp>  # https (pick tcp or udp; omit "proto" to match both)
sudo ufw allow out on tun0 to any port 80 proto <udp/tcp>   # http
sudo ufw allow out on tun0 to any port 22 proto <udp/tcp>   # ssh
# The first rule already allows every outbound port on tun0; the per-port rules only matter if you remove it.

Step 12: Let’s get the IP and port of our VPN server from the configuration file, using cat <vpn-file> | head.

Step 13: Take a look at the remote line: our IP is 37.48.85.9 and our port is 1194 over TCP. Let’s add the IP and port.

sudo ufw allow out to 37.48.85.9 port 1194 proto tcp   # the only hole outside the tunnel: the VPN server itself

Step 14: For DNS you can use 8.8.8.8, 9.9.9.9 or 1.1.1.1.

sudo ufw allow out on tun0 to 1.1.1.1 port 53   # DNS over the tunnel only (no "proto" given, so tcp and udp)

Step 15: Or you can use this simple command.

sudo ufw allow out on tun0 53/udp   # outbound DNS over the tunnel; without "out", ufw creates an inbound rule, which does not help here

sudo ufw enable
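The rule set from Steps 10 to 15 boils down to three pieces of information: the VPN server’s address, port and protocol from the remote line of the .ovpn file. The script below is an added example, not part of the original article, that reads those values from the config and emits the matching ufw commands; it assumes the tunnel interface tun0 and resolver 1.1.1.1 used above, and the OpenVPN defaults (port 1194, udp) when the remote line omits them.

```shell
#!/bin/sh
# Added example (not from the original article): derive the UFW kill-switch
# rule set from the "remote" line of an OpenVPN config.
# Assumptions: tunnel interface tun0 and resolver 1.1.1.1 as in the article;
# remote line format "remote <host> [port] [proto]" (OpenVPN defaults: 1194, udp).

# Print "<host> <port> <proto>" for the first remote line of an .ovpn file.
ovpn_remote() {
    awk '$1 == "remote" {
            port  = ($3 != "") ? $3 : "1194"
            proto = ($4 != "") ? $4 : "udp"
            sub(/-client$/, "", proto)      # "tcp-client" -> "tcp"
            print $2, port, proto; exit
         }' "$1"
}

# Emit (but do not run) the ufw commands for the kill-switch: deny everything
# by default, allow traffic only inside the tunnel plus the single hole the VPN
# client needs to reach its server.  $1=server $2=port $3=tcp|udp $4=tun iface
killswitch_rules() {
    case "$3" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $3" >&2; return 1 ;;
    esac
    cat <<EOF
ufw default deny incoming
ufw default deny routed
ufw default deny outgoing
ufw allow out on $4
ufw allow out to $1 port $2 proto $3
ufw allow out on $4 to 1.1.1.1 port 53
EOF
}

# Apply the rules derived from a config file (needs root); $2 overrides tun0.
apply_killswitch() {
    iface=${2:-tun0}
    set -- $(ovpn_remote "$1")               # host port proto
    killswitch_rules "$1" "$2" "$3" "$iface" | while read -r cmd; do sudo $cmd; done \
        && sudo ufw enable
}

# Constructed sample config (not a real provider file) to demonstrate the output.
SAMPLE_OVPN=$(mktemp)
printf 'client\ndev tun\nremote 37.48.85.9 1194 tcp\nresolv-retry infinite\n' > "$SAMPLE_OVPN"
ovpn_remote "$SAMPLE_OVPN"                   # 37.48.85.9 1194 tcp
killswitch_rules $(ovpn_remote "$SAMPLE_OVPN") tun0
```

Run apply_killswitch file.ovpn as a user with sudo rights to install the rules; the generated commands are the same ones listed step by step above.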

Step 16: Done. To revert or debug, if you still have no internet access you can try one of these commands.

sudo ufw default allow outgoing   # re-open outbound traffic but keep the rule set
sudo ufw reset                    # remove all rules and return ufw to its defaults
sudo ufw disable                  # switch the firewall off entirely
