I'm using ferm, an iptables frontend to configure a local fw on my machine.
In bitmask-dev there was a command for bitmaskd that would reload the fw rules (see bitmask-dev#9263 (closed) for details), and a way of querying if the VPN was up. How would I do this with riseup-vpn?
I find this use case to be for advanced users, I don't want to add a knob in the UI for that as I think it will confuse users.
We could explore a command, or an extra one, or extend bitmask-root. But that will require the command to be aware of the gateways' IPs from eip-service.json.
As a hack you can run manually:
/snap/bin/riseup-vpn.bitmask-root firewall start ip ip ip ip
With the IPs of the riseup-vpn nodes that you can find in the eip-service.json.
The thing is - I need a way to determine if the VPN is connected. Otherwise running riseup-vpn.bitmask-root will break networking as well :/ How would I find out?
What do you mean by 'break networking'? The bitmask-root should set a firewall that will allow the VPN to connect and block any other traffic, isn't that what you want?
So this is the script I'm using to ensure firewall integration into ferm:
#!/bin/bash
# hacky workaround until https://0xacab.org/leap/riseup_vpn/issues/46 is solved
GATEWAY_CACHE="/home/varac/.config/leap/custom/riseup-vpn-gateways.txt"
URL='https://black.riseup.net/1/config/eip-service.json'

fetch_gateway_ips () {
  # one gateway address per line, empty output if the fetch fails
  gateways="$(timeout 5 curl -s "$URL" | jq -r '.gateways[].ip_address')"
  echo "$gateways"
}

if ! pgrep -f 'riseup-vpn.*openvpn' > /dev/null
then
  echo 'No Riseup VPN running - doing nothing.'
  exit 0
fi

gw="$(fetch_gateway_ips)"
if [ -n "$gw" ]; then
  # cache the gateways to disk after successful parsing of eip-service.json
  echo "Successfully fetched list of gateways from $URL, caching list to $GATEWAY_CACHE"
  echo "$gw" > "$GATEWAY_CACHE"
else
  echo "Couldn't fetch list of gateways from $URL, using cached list from $GATEWAY_CACHE"
  gw="$(cat "$GATEWAY_CACHE")"
fi

# echo "$gw"
# turn the newline-separated list into one argument per gateway (left unquoted on purpose)
sudo /snap/bin/riseup-vpn.bitmask-root firewall start ${gw//$'\n'/ }
I'm using a ferm hook like this:
# Hooks
# reload riseup-vpn firewall
@hook post "/home/varac/bin/riseup-vpn-reload-fw.sh";
I'd love to have the above script logic implemented into riseup-vpn, i.e. as we discussed, sending a SIGUSR1 or SIGUSR2 signal to the riseup-vpn process so it will reload the iptables rules. For now it works for me, but it also seems like a brittle setup at the moment.
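An added example, not code from this thread or from riseup-vpn, showing the piece the script above skips: the addresses pulled from eip-service.json end up as arguments to a root-run bitmask-root command, so they are validated and de-duplicated before that happens, and the cached list is re-validated on read. The gateway addresses, hostnames and cache path are constructed for the example.

```python
"""Validate Riseup VPN gateway IPs from eip-service.json before they
reach the privileged `bitmask-root firewall start` command."""
import ipaddress
import json
import os
import tempfile

# Constructed sample in the shape of eip-service.json (addresses are hypothetical).
SAMPLE_EIP_SERVICE = json.dumps({
    "gateways": [
        {"host": "gw-a.example", "ip_address": "198.51.100.10"},
        {"host": "gw-b.example", "ip_address": "198.51.100.11"},
        {"host": "dup.example", "ip_address": "198.51.100.10"},
        {"host": "bad.example", "ip_address": "not-an-ip; extra words"},
    ]
})

def _valid_unique(raw_addrs):
    """Keep only strings that parse as an IP address, in order, without duplicates."""
    seen, ips = set(), []
    for raw in raw_addrs:
        try:
            ip = str(ipaddress.ip_address(str(raw or "").strip()))
        except ValueError:
            continue  # anything else must never become a root-command argument
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips

def gateway_ips(config_text):
    """Gateway addresses from an eip-service.json document (same field jq reads)."""
    gws = json.loads(config_text).get("gateways", [])
    return _valid_unique(gw.get("ip_address") for gw in gws if isinstance(gw, dict))

def save_cache(ips, path):
    """Atomic replace, so a crash mid-write never leaves a truncated fallback list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(ips) + "\n")
    os.replace(tmp, path)

def load_cache(path):
    """The cached fallback, re-validated: a tampered file gets the same filter."""
    with open(path) as f:
        return _valid_unique(f)

def firewall_argv(ips, bitmask_root="/snap/bin/riseup-vpn.bitmask-root"):
    """argv for the firewall command; pass to subprocess.run, no shell involved."""
    if not ips:
        raise ValueError("refusing to start the firewall with no gateway addresses")
    return [bitmask_root, "firewall", "start", *ips]
```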
I mean, when riseup-vpn is not running, running riseup-vpn.bitmask-root will block network traffic.
Yes, this is a feature, we call it fail-close. If your VPN somehow dies we want to block all network traffic until you acknowledge you don't care about going outside the VPN or the VPN gets reconnected.
I think it is a good idea to add a signal to renew the firewall, I'll explore how hard it is to add.