On Sat, 2008-12-20 at 08:16 +0800, Etienne Zind wrote:
> 2008/12/20 Dan Williams <[email protected]>:
> >> The same should happen when VPN connection drops. Now I am using VPN
> >> connection on a public WiFi and if VPN drops, there is fallback to
> >> insecure open Wifi. If I do not notice that, I am using insecure
> >> network, which is really bad...
> >
> > If the VPN is tied to the device connection, the VPN would get
> > re-started automatically if that 'Connect automatically' option was
> > checked. I don't think there's yet a good way to block internet traffic
> > until the VPN is up (though some iptables magic might allow that, but it
> > would be tricky), but if we can't do that, some traffic could escape
> > outside the VPN while it was down. I don't think we should tear down
> > the *entire* connection, because it takes a long time to reconnect a
> > device connection in some cases. So the ideal solution here would be
> > iptables blockage of any traffic out of the device (except VPN traffic
> > of course) until the VPN was back up.
>
> As iproute is already heavily used in NM, the blocking might be done
> with `ip rule` or `ip route`, which can do `reject`, `unreachable` and
> `prohibit` simulation.
>
> $ ip rule add from all unreachable
>
> or
>
> $ ip route add unreachable default
>
> Should do the trick
Interesting. But it just occurred to me that we'd of course have to punch
through so the VPN itself could re-connect, which might well be VPN-method
specific. OpenVPN can do both UDP and TCP, and the port # is specific to the
server. Thus, we'd have to know quite a bit about the VPN implementation to
lock down the TCP/IP stack to only allow connections to the VPN server...

Dan

_______________________________________________
NetworkManager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list
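The two halves of this thread, Etienne's `ip rule ... unreachable` block and Dan's point that the VPN endpoint itself must stay reachable, fit together as a small policy-routing "kill switch". The script below is an added example written for this page; it is not NetworkManager code and not code either poster sent. The server address 203.0.113.10, the rule preferences 1000/1001 and the engage/release names are assumptions. It uses `ip rule` rather than iptables, which also shows where Dan's port concern lands: routing rules select on address, not port, so the hole is punched for the whole server address and a port-level restriction would still need iptables.

```sh
#!/bin/sh
# VPN kill switch built from policy routing, as discussed in the thread.
# Added example for this page, not NetworkManager code. The server address,
# the rule preferences and the engage/release naming are assumptions.
#
# Rule preferences: both sit between the local table (pref 0) and the main
# table (pref 32766); the allow rule precedes the block rule so it wins
# for traffic to the VPN server.
PREF_ALLOW=${PREF_ALLOW:-1000}
PREF_BLOCK=${PREF_BLOCK:-1001}

# Print the ip(8) commands for one transition without running them.
#   kill_switch_cmds engage  SERVER_IP   # VPN dropped: block all but the server
#   kill_switch_cmds release SERVER_IP   # VPN is back: remove the block
# Only a literal IPv4 address is accepted (sanity check, not a full parser):
# once the block is in place no DNS reply can come back, so the hole has to
# be punched by address, and ip rule cannot select on the OpenVPN port anyway.
kill_switch_cmds() {
    mode=$1
    server=$2
    case $server in
        ""|*[!0-9.]*)
            echo "kill_switch_cmds: need a literal IPv4 address" >&2
            return 2 ;;
    esac
    case $mode in
        engage)
            # Delete first so a flapping VPN does not stack duplicate rules.
            echo "ip -4 rule del pref $PREF_ALLOW 2>/dev/null || true"
            echo "ip -4 rule del pref $PREF_BLOCK 2>/dev/null || true"
            echo "ip -6 rule del pref $PREF_BLOCK 2>/dev/null || true"
            # Hole for the VPN endpoint: normal lookup in the main table, so
            # the client can reconnect over the physical interface.
            echo "ip -4 rule add to $server/32 lookup main pref $PREF_ALLOW"
            # Everything else is unreachable. The local table at pref 0 still
            # matches first, so loopback and the interface's own addresses
            # keep working; only forwarding off the box is cut.
            echo "ip -4 rule add from all unreachable pref $PREF_BLOCK"
            # Block IPv6 outright: an untouched v6 path is the classic leak.
            echo "ip -6 rule add from all unreachable pref $PREF_BLOCK"
            ;;
        release)
            echo "ip -4 rule del pref $PREF_ALLOW"
            echo "ip -4 rule del pref $PREF_BLOCK"
            echo "ip -6 rule del pref $PREF_BLOCK"
            ;;
        *)
            echo "usage: kill_switch_cmds engage|release SERVER_IP" >&2
            return 2 ;;
    esac
}

# Apply a transition (needs CAP_NET_ADMIN). sh -e stops at the first failing
# command so a half-applied state shows up in the exit status.
kill_switch_apply() {
    kill_switch_cmds "$@" | sh -e
}

# Command-line use, e.g. from whatever observes the VPN state change:
#   vpn-kill-switch.sh engage  203.0.113.10
#   vpn-kill-switch.sh release 203.0.113.10
if [ $# -ge 1 ]; then
    kill_switch_apply "$@"
fi
```

`kill_switch_cmds engage 203.0.113.10` prints the rules without touching the system, which is the easy way to review them before `kill_switch_apply` runs them as root. Two things to keep in mind when wiring this up: engage must run as soon as the tunnel goes down (before any process notices the plain path is back), and release must run only after the tunnel's own routes are in the main table, otherwise the unreachable rule at pref 1001 also blocks traffic that should go into the tunnel.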
