Re: three privacy questions



On Sat, 2008-12-20 at 08:16 +0800, Etienne Zind wrote:
> 2008/12/20 Dan Williams <dcbw redhat com>:
> >> The same should happen when VPN connection drops. Now I am using VPN
> >> connection on a public WiFi and if VPN drops, there is fallback to
> >> insecure open Wifi. If I do not notice that, I am using insecure
> >> network, which is really bad...
> >
> > If the VPN is tied to the device connection, the VPN would get
> > re-started automatically if that 'Connect automatically' option was
> > checked.  I don't think there's yet a good way to block internet traffic
> > until the VPN is up (though some iptables magic might allow that, but it
> > would be tricky), but if we can't do that, some traffic could escape
> > outside the VPN while it was down.  I don't think we should tear down
> > the *entire* connection, because it takes a long time to reconnect a
> > device connection in some cases.  So the ideal solution here would be
> > iptables blockage of any traffic out of the device (except VPN traffic
> > of course) until the VPN was back up.
> 
> As iproute is already heavily used in NM, the blocking might be done
> with `ip rule` or `ip route` that can do `reject`,`unreachable` and
> `prohibits` simulation.
> 
> $ ip rule from all unreachable
> 
> or
> 
> $ ip route add unreachable default
> 
> Should do the trick

Interesting.  But it just occurred to me that we'd of course have to
punch through so the VPN itself could re-connect, which might well be
VPN-method specific.  OpenVPN can do both UDP or TCP, and the port # is
specific to the server.  Thus, we'd have to know quite a bit about the
VPN implementation to lock down the TCP/IP stack to only allow
connections to the VPN server...

Dan
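An added example, not from the thread, of the route-based block Etienne suggests together with the hole Dan points out the VPN itself needs: a small POSIX shell kill switch built on `ip route`. It assumes the VPN server address, the physical gateway and the device are passed in (the values in the comments are constructed RFC 5737 addresses), and that the VPN client installs its own more specific routes over the tunnel once it is up (OpenVPN's `redirect-gateway def1`, for instance, adds 0.0.0.0/1 and 128.0.0.0/1, which win over an unreachable default by longest-prefix match). Commands are only printed unless `RUN=1` is set, since applying them needs root.

```shell
#!/bin/sh
# VPN kill switch from `ip route` primitives (added example, not NM code).
# Assumptions: SERVER is the VPN endpoint (UDP or TCP port does not matter
# for a host route), GW/DEV are the physical gateway and interface, and the
# VPN client adds tunnel routes more specific than "default" when connected.
# Not covered: DNS to the hotspot's resolver is blocked too unless a second
# host route is punched for it. Without RUN=1 the commands are only printed.

run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# killswitch_up SERVER GW DEV
#  1. host route to the VPN server via the physical gateway (the hole the
#     VPN needs in order to reconnect)
#  2. swap the device's default route for an unreachable one, so anything
#     not matched by a more specific route is refused locally
killswitch_up() {
    server="$1"; gw="$2"; dev="$3"
    run ip route add "$server/32" via "$gw" dev "$dev"
    run ip route del default via "$gw" dev "$dev"
    run ip route add unreachable default
}

# killswitch_down SERVER GW DEV: undo the above and restore the original
# default route through the physical gateway
killswitch_down() {
    server="$1"; gw="$2"; dev="$3"
    run ip route del unreachable default
    run ip route add default via "$gw" dev "$dev"
    run ip route del "$server/32" via "$gw" dev "$dev"
}

# killswitch_check ADDR: with RUN=1, succeeds only if the kernel would refuse
# ADDR (the VPN is down and the block is active); otherwise prints the
# command so it can be run by hand, e.g. killswitch_check 198.51.100.7
killswitch_check() {
    if [ "${RUN:-0}" = "1" ]; then
        ip route get "$1" 2>&1 | grep -qi 'unreachable'
    else
        printf '%s\n' "ip route get $1"
    fi
}
```

While the tunnel is up its /1 routes take precedence and traffic flows through the VPN; when it drops those routes vanish with the tun device, every destination except the VPN server falls through to the unreachable default, and the client can still reach the server over the host route to reconnect.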
