DNS leak prevention
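--- a/NetworkManager/90-nft-wg.sh
+++ b/NetworkManager/90-nft-wg.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# /etc/NetworkManager/dispatcher.d/90-nft-wg
+# Automatically toggle DNS leak protection for wireguard
+
+INTERFACE="$1"
+ACTION="$2"
+
+NFT_BIN="$(command -v nft || true)"
+FAMILY="inet"
+TABLE="filter"
+CHAIN="output"
+
+log() { logger -t nft-wg "$*"; }
+
+
+add_dns_protection() {
+$NFT_BIN add rule inet filter output udp dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>/tmp/nft-wg-add.err
+if [ $? -ne 0 ]; then
+log "failed to add udp rule for $INTERFACE: $(cat /tmp/nft-wg-add.err)"
+exit 1
+fi
+
+$NFT_BIN add rule inet filter output tcp dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>/tmp/nft-wg-add.err
+if [ $? -ne 0 ]; then
+log "failed to add tcp rule for $INTERFACE: $(cat /tmp/nft-wg-add.err)"
+exit 1
+fi
+
+rm -f /tmp/nft-wg-add.err
+log "Added DNS leak protection for $INTERFACE"
+}
+
+remove_dns_protection() {
+$NFT_BIN --handle --numeric list chain inet filter output \
+| awk -v iface="$INTERFACE" '$0 ~ iface && /drop/ {print $NF}' \
+| xargs -r -I {} sudo $NFT_BIN delete rule inet filter output handle {}
+log "Removed DNS leak protection for $INTERFACE"
+}
+
+# Only run for WireGuard interfaces (start with "wg-")
+if [[ "$INTERFACE" == wg-* ]]; then
+case "$ACTION" in
+up)
+add_dns_protection
+;;
+down)
+remove_dns_protection
+;;
+esac
+fi
+
+exit 0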
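Review bot: add_dns_protection redirects nft's stderr to the fixed path `/tmp/nft-wg-add.err`, which this dispatcher script writes as root; a file or symlink pre-created at that name by another local user is followed by the `2>` redirection, and on the failure path the file is never removed either. Capturing stderr with `err="$(... 2>&1)"` needs no temp file at all, and folding the two near-identical udp/tcp blocks into one helper keeps the change small (below). NFT_BIN is assigned with `|| true`, so when nft is absent the rule commands degrade to `add: command not found` in the log rather than a clear message; the helper guards that explicitly. Separately, remove_dns_protection invokes `sudo $NFT_BIN` while add_dns_protection calls it directly — dispatcher scripts already run as root, so the `sudo` is unnecessary and may fail non-interactively; drop it. FAMILY, TABLE and CHAIN are declared but the rules hardcode `inet filter output`; either use them in the rule commands or remove them.
```shell
# … unchanged: header, INTERFACE/ACTION/NFT_BIN assignments, log() …

# Add one "drop DNS unless it leaves via $INTERFACE" rule for $1 (udp|tcp).
# nft's stderr is captured in a variable instead of a fixed, root-written
# path under /tmp.
add_rule() {
  local proto="$1" err
  if ! err="$("$NFT_BIN" add rule inet filter output "$proto" dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>&1)"; then
    log "failed to add $proto rule for $INTERFACE: $err"
    exit 1
  fi
}

add_dns_protection() {
  if [[ -z "$NFT_BIN" ]]; then
    log "nft not found, cannot add DNS leak protection for $INTERFACE"
    exit 1
  fi
  add_rule udp
  add_rule tcp
  log "Added DNS leak protection for $INTERFACE"
}

# … unchanged: remove_dns_protection (minus sudo), dispatch on $ACTION …
```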
12
README.md
12
README.md
@@ -31,3 +31,15 @@ move all the files in $1 subdirectories to $1.
|
||||
script to backup firefox config directory and restore the latest backup
|
||||
adapt the hostnames and paths to what you need, not made to be easily configured with environment variables.
|
||||
**Careful**, firefox config folder includes all your profiles, including their cookies and localstorage (access tokens of your accounts can be there).
|
||||
|
||||
|
||||
## NetworkManager
|
||||
NetworkManager related scripts.
|
||||
These scripts need to be moved in /etc/NetworkManager/dispatcher.d/ and must be executable
|
||||
|
||||
### 90-nft-wg-sh
|
||||
Automatically toggle DNS leak protection for wireguard connections with nftables.
|
||||
Adds tcp/udp rules to block outgoing traffic to dns port (53) if the outgoing interface isn't the wireguard connection.
|
||||
It assumes wireguard connection names start with "wg-"
|
||||
|
||||
You can check for DNS leaks with [this website](https://www.dnsleaktest.com/)
|
||||