{"id":13826230,"url":"https://github.com/wknapik/vpnfailsafe","last_synced_at":"2025-12-30T00:32:29.368Z","repository":{"id":60005172,"uuid":"70251426","full_name":"wknapik/vpnfailsafe","owner":"wknapik","description":"IP leak prevention for OpenVPN","archived":false,"fork":false,"pushed_at":"2018-12-17T02:52:07.000Z","size":31,"stargazers_count":151,"open_issues_count":8,"forks_count":18,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-08-04T09:05:03.237Z","etag":null,"topics":["dns-leak","down-script","failsafe","firewall","firewall-rules","ip-leak","iptables","iptables-rules","killswitch","leak","linux","openvpn","openvpn-client","privacy","resolv-conf","routing","up-script","vpn"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wknapik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-10-07T13:54:21.000Z","updated_at":"2024-07-30T04:52:13.000Z","dependencies_parsed_at":"2022-09-25T14:21:07.338Z","dependency_job_id":null,"html_url":"https://github.com/wknapik/vpnfailsafe","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wknapik%2Fvpnfailsafe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wknapik%2Fvpnfailsafe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wknapik%2Fvpnfailsafe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wknapik%2Fvpnfailsafe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owne
rs/wknapik","download_url":"https://codeload.github.com/wknapik/vpnfailsafe/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225476384,"owners_count":17480215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns-leak","down-script","failsafe","firewall","firewall-rules","ip-leak","iptables","iptables-rules","killswitch","leak","linux","openvpn","openvpn-client","privacy","resolv-conf","routing","up-script","vpn"],"created_at":"2024-08-04T09:01:34.214Z","updated_at":"2025-12-30T00:32:29.341Z","avatar_url":"https://github.com/wknapik.png","language":"Shell","funding_links":[],"categories":["\u003ca id=\"d62a971d37c69db9f3b9187318c3921a\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"8ea8f890cf767c3801b5e7951fca3570\"\u003e\u003c/a\u003e公网访问局域网"],"readme":"# What is vpnfailsafe ?\n\n`vpnfailsafe` prevents a VPN user's ISP-assigned IP address from being exposed\non the internet, both while the VPN connection is active and when it goes down.\n\n`vpnfailsafe` doesn't affect traffic to/from private networks, or disrupt existing\nfirewall rules beyond its intended function.\n\n# How does it work ?\n\n`vpnfailsafe` ensures that all traffic to/from the internet goes through the VPN.\nIt is meant to be executed by OpenVPN when the tunnel is established (--up), or\ntorn down (--down). 
\n\nOn --up:\n* All configured VPN server domains are resolved and saved in /etc/hosts.\n* Routes are set up, so that all traffic to the internet goes over the tunnel\n  and networks exposed by the VPN provider are accessible.\n* /etc/resolv.conf is updated, so only the DNS servers pushed by the VPN server\n  are used.\n* iptables rules are inserted at the beginning of INPUT, OUTPUT and FORWARD\n  chains to ensure that the only traffic to/from the internet is between the\n  VPN client and the VPN server.\n\nOn --down:\n* The /etc/hosts entries for VPN servers remain in place, so the VPN connection\n  can be re-established without allowing traffic to DNS servers outside the VPN.\n* Previously added routes are removed.\n* Previous /etc/resolv.conf is restored.\n* Firewall rules remain in place, allowing only the re-establishment of the vpn\n  tunnel.\n\n# How do I install/use it ?\n\nSave vpnfailsafe\u0026#46;sh in /etc/openvpn, make it executable and add the\nfollowing lines to /etc/openvpn/\\\u003cyour_provider\\\u003e.conf:\n\n```\nscript-security 2\nup /etc/openvpn/vpnfailsafe.sh\ndown /etc/openvpn/vpnfailsafe.sh\n```\n\nThat's it.\n\nSince `vpnfailsafe` contains the functionality of the popular\nupdate-resolv-conf\u0026#46;sh script, the two don't need to be combined.\n\nA complete configuration example is included as\n[extras/example.conf](extras/example.conf).\n\nArch Linux users may choose to install the\n[vpnfailsafe-git](https://aur.archlinux.org/packages/vpnfailsafe-git/) package\nfrom AUR instead.\n\n# What are the requirements/assumptions/limitations ?\n\n`vpnfailsafe` works only on Linux.\n\nDependencies are minimal (listed in the [PKGBUILD](PKGBUILD) file). Of note is\nthe openresolv requirement. There are at least two different, popular packages\nproviding the resolvconf binary, which are not compatible (one supports the\n`-x` switch used by `vpnfailsafe` and the other does not). 
On distributions\nwhere multiple implementations are available, openresolv should be chosen.\n\nThe only assumption is that the VPN server will push at least one DNS server to\nthe client.\n\n`vpnfailsafe` does not handle [ipv6](https://en.wikipedia.org/wiki/IPv6) at\nall. To prevent leaks, ipv6 should be disabled and/or blocked. See:\n[extras/disable_ipv6.conf](extras/disable_ipv6.conf) for an example of a sysctl\nconfig file that disables it and [extras/block_ipv6.sh](extras/block_ipv6.sh)\nfor firewall rules to block it.\n\n`vpnfailsafe` has been tested with all device types and topologies supported by\nOpenVPN.\n\n# I'm getting an \"RTNETLINK answers: Permission denied\" error.\n\nThis usually means that OpenVPN was executed without sufficient privileges. But\nif the line is followed by \"Linux ip -6 addr add failed: external program\nexited with error status: 2\", then it probably means that ipv6 is disabled on\nthe system, but the VPN server is pushing ipv6-related options and the client\nfails trying to run `ip -6` to honor them. The following two options can be\nadded to the client config to make it ignore the ipv6-related configuration:\n```\npull-filter ignore \"ifconfig-ipv6 \"\npull-filter ignore \"route-ipv6 \"\n```\n(included in [extras/example.conf](extras/example.conf))\n\n# I'm getting an \"RTNETLINK answers: File exists\" error every time I connect.\n\nThose errors can be ignored safely. They appear when OpenVPN tries to set up a\nroute that has already been created by `vpnfailsafe`. 
Adding the `route-noexec`\noption will tell OpenVPN to leave routing to `vpnfailsafe` and prevent those\nerrors from appearing.\n\n# How do I make OpenVPN reconnect when the underlying network connection is re-established ?\n\nSend the HUP signal to OpenVPN upon reconnection.\n\nDhcpcd users would use dhcpcd-run-hooks, NetworkManager users would use a\ndispatcher script (e.g.: [extras/pkill_hup_openvpn](extras/pkill_hup_openvpn)).\n\n# How do I restore my system to the state from before running vpnfailsafe ?\n\n`vpnfailsafe` will revert all changes when the tunnel is closed, except for the\nfirewall rules. You can restore those using the init script that set the\niptables rules on boot, or by using iptables-restore, or by otherwise removing\nthe VPNFAILSAFE_INPUT, VPNFAILSAFE_OUTPUT and VPNFAILSAFE_FORWARD chains.\n\nThe /etc/hosts entries may eventually become stale and also require removal.\n\nThe [extras/vpnfailsafe_reset.sh](extras/vpnfailsafe_reset.sh) script can be\nused to achieve that.\n\n# Will vpnfailsafe protect me against DNS leaks ?\n\nYes. See \"How does it work ?\" for more details.\n\nThat being said, if your life, job, or whatever you care about depend on your\nIP not leaking, consider that this script has been tested by only a handful of\npeople. YMMV.\n\n# Will vpnfailsafe protect me against all forms of IP leaks ?\n\nNo. Application level leaks can still happen, via protocols like WebRTC. The\nuser can also announce their identity to the world and no script will stop\nthem.\n\n# Do I still need to configure a firewall ?\n\nYes. `vpnfailsafe` limits what kind of traffic is allowed, but only to achieve\nits goals. 
Otherwise everything is passed through to pre-existing firewall\nrules.\n\nAn example of a basic firewall is included as\n[extras/basic_firewall.sh](extras/basic_firewall.sh).\n\n# Aren't there already scripts that do all that ?\n\nOne would think so, but then one would be wrong.\n\nWhat is out there are mostly \"applications\", with non-optional GUIs and\nthousands of lines of code behind them, often VPN-provider specific.\n\n# What else can I do to improve my security/privacy ?\n\nAs far as OpenVPN goes, you can check the [hardening\nsection](https://openvpn.net/index.php/open-source/documentation/howto.html#security)\nof the official documentation.\n\nThe steps necessary to run OpenVPN as an [unprivileged\nuser](https://community.openvpn.net/openvpn/wiki/UnprivilegedUser) can be run\nautomatically via the [openvpn-unroot\nscript](https://github.com/wknapik/openvpn-unroot).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwknapik%2Fvpnfailsafe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwknapik%2Fvpnfailsafe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwknapik%2Fvpnfailsafe/lists"}