Re: Best practice for managing default routes over only VPN connections?

From: Chris Laprise <tasket openmailbox org>
To: Thomas Haller <thaller redhat com>, Paul Swanson <psw protonmail com>, "networkmanager-list gnome org" <networkmanager-list gnome org>
Subject: Re: Best practice for managing default routes over only VPN connections?
Date: Mon, 7 Nov 2016 12:35:03 -0500

On 11/07/2016 06:57 AM, Thomas Haller wrote:

Another thing is ensuring that all traffic is routed via the VPN (that
is, controlling the configured routes). That is not supported by NM
directly (besize that you can manually configure your underlying
connection to have no default-route and only give a default-route to
the VPN connection). See for example
https://bugzilla.gnome.org/show_bug.cgi?id=749376 .

FWIW... If the OP is inquiring about a 'fail closed' configuration thatcan prevent any traffic leaking from the tunnel, then he may want tolook at Qubes OS where users can define a 'Proxy VM' to control alltraffic in this way. This means the VPN is running inside a forwarding*router* and preventing leaks becomes a much simpler matter of stoppingany forwarding to clearnet NICs.

https://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html

https://www.qubes-os.org/doc/vpn/

You can get the same effect with a dedicated physical router, but thenyou'd have to carry that around (and router devices get exploited a lotthese days).

Chris

Follow-Ups:
- Re: Best practice for managing default routes over only VPN connections?
  - From: Stuart D. Gathman

References:
- Best practice for managing default routes over only VPN connections?
  - From: Paul Swanson
- Re: Best practice for managing default routes over only VPN connections?
  - From: Thomas Haller

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]