I have a torrentbox on which I have openvpn running using .ovpn>.conf files from my VPN provider.

I would like to set up a killswitch so that if the VPN fails, my torrenting will not be exposed to the wider world. I am able to ssh in as I used iptables to exclude the ssh port from the vpn connection.

I was looking at the instructions here to set up the killswitch: https://www.comparitech.com/blog/vpn-privacy/how-to-make-a-vpn-kill-switch-in-linux-with-ufw/

However, there are two issues:

  1. It says to check the conf file for the public IP address of the VPN. In the author’s example there is only one IP address listed. In my .ovpn>.conf file there are two addresses with each one listing several ports. The addresses themselves nearly the exact same; only the final number is different. Which one do I pick? Is this just so in case one fails there are backups available?

  2. It is a little strange, but the IP addresses listed in the .ovpn>.conf file for my current connection do not match the IP address that I currently have through the VPN (I ran curl https://ipinfo.io/ip to check). Is this normal?

Thank you in advance for any help you can provide.

  • manned_meatball
    1·
    2 years ago

    disclaimer: I don’t have that much experience setting up a VPN, so if someone can confirm this that’d be great. But here’s my understanding:

    1. The addresses listed are the ones your VPN provider gives you to establish a connection between your machine and the VPN. Afaik they’re just for redundancy and only one will be used at any time, but you might want to whitelist both in your firewall rules. In fact, if your VPN has a known block of IPs belonging to them that might be used for this step, I’d whitelist (allow) all this range to simplify future changes, as they are leased to the same entity (your provider). You can always overview and modify these firewall rules anyways in case you change providers.

    2. The public addresses you connect as a VPN customer may not the same IP addresses the service uses to connect to other websites. I believe a VPN service might want to do this for both customer privacy and load balancing. There’s also the concept of multi-hop VPN, which creates a double tunneling in your connection. I’m not sure if multi-hop is necessary for this IP change to happen, but it illustrates how these two IPs can be different.

    Edit: on second thought, IP address change is exactly what routers already do (NAT), so in fact there’s no need to add hops to have changes in IP address. I figure a VPN server would be able to emulate this behavior and forward the encrypted packet to an interface with a different public IP address.