ProtonVPN App 4.2 setup guide

Hi there,
I tried to implement a manual VPN killswitch in addition to Proton VPN app’s one:

# block client-forwarded traffic to eth0
nft add rule ip  qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

This will block client qube FORWARD traffic and works so far.

Now traffic generated on netVM itself (OUTPUT) still needs to be blocked, if not coming from ProtonVPN app process. For this I replicated "Configuring a ProxyVM VPN Gateway", using a separate protonvpn group for the app:

Used rules:

# block output traffic, except for group 'protonvpn'
nft 'add chain ip  qubes output { type filter hook output priority 0; policy accept; }'
nft 'add chain ip6 qubes output { type filter hook output priority 0; policy accept; }'
nft insert rule ip  qubes output oifname eth0 counter drop
nft insert rule ip6 qubes output oifname eth0 counter drop
nft insert rule ip  qubes output oifname eth0 skgid protonvpn counter accept
nft insert rule ip6 qubes output oifname eth0 skgid protonvpn counter accept

Starting ProtonVPN app:

# add user to sudo group, for change to protonvpn group
# (assumes passwordless-root and standalone vm for test) 
user@protonvpn-app:~$ sudo usermod -aG sudo user # re-login after
user@protonvpn-app:~$ sudo -E -g protonvpn protonvpn-app

This does not work yet.

Inspecting nft list ruleset shows that the packet counter for the eth0 skgid protonvpn counter accept rule increments, so there definitely are matches … but apparently not all needed packets. I would have expected the ProtonVPN app process to make all network-related connections. Is this maybe due to the Proton VPN app's dependency on NetworkManager?

Any ideas are welcome.
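The same killswitch rendered as a single nft -f ruleset, as an added example that is not from the original post: the rule order (accept for the app's group first, then drop) is explicit instead of depending on the order of nft insert calls, and the drop rules log so the kernel log shows which traffic is being cut off while the accept rule is still matching. It assumes the Qubes 4.2 table ip/ip6 qubes with its custom-forward chain already exists, the uplink is eth0, and the app runs under group protonvpn.

```shell
#!/bin/sh
# Added example: render the manual killswitch as one ruleset file for nft -f.
# Assumptions: table 'qubes' (ip and ip6) with chain 'custom-forward' exists
# (Qubes 4.2), uplink 'eth0', VPN app started under group 'protonvpn'.
# nft -f adds to existing tables/chains, so apply once; reapplying duplicates rules.
gen_killswitch() {
    uplink="$1"   # uplink interface, e.g. eth0
    group="$2"    # socket group the VPN app runs under, e.g. protonvpn
    for fam in ip ip6; do
        cat <<EOF
table $fam qubes {
    # client qubes: nothing forwarded to the uplink outside the tunnel
    chain custom-forward {
        oifname "$uplink" counter log prefix "ks-fwd-drop: " drop
    }
    # netVM itself: only sockets owned by the VPN app's group reach the uplink
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "$uplink" meta skgid $group counter accept
        oifname "$uplink" counter log prefix "ks-out-drop: " drop
    }
}
EOF
    done
}

# Dry-run the ruleset through nft when it is installed (syntax check only);
# drop the -c to actually load it. Without nft, just print the ruleset.
apply_or_show() {
    ruleset=$(gen_killswitch "$1" "$2")
    if command -v nft >/dev/null 2>&1; then
        printf '%s\n' "$ruleset" | nft -c -f -
    else
        printf '%s\n' "$ruleset"
    fi
}
```

After loading, dropped packets from the netVM appear in the kernel log with the ks-out-drop prefix, which is where to look for traffic that is not running under the protonvpn group.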