ONLY VPN traffic on F20 wireless interface?

Garry T. Williams gtwilliams at gmail.com
Mon Jan 6 05:04:21 UTC 2014


On 1-5-14 12:00:37 Steve Snyder wrote:
> How can I ensure that in Fedora 20 my wireless interface is *only*
> used for VPN traffic?
>
> After the initial connection to the access point I want to guarantee
> that no traffic passes through the interface other than through the
> OpenVPN tunnel.

You want to delete any existing default route that is not via tun0 and
add a default route for that interface.

Most VPN servers are configured to send routes for just that purpose.
But yours may not be configured that way.

Connect to your server and look at your route table:

    $ netstat -nr

> Ideally, I'd like to be able to ensure this from a terminal window,
> but use of a GUI interface is OK if that is what is needed to ensure
> no leakage of unencrypted data.

NetworkManager provides a call-back for things like this.  Place an
executable file in the /etc/NetworkManager/dispatcher.d directory that
does something like this:

    #!/bin/sh
    # $1 = interface name, $2 = action (see man NetworkManager)
    case "$2" in
      "vpn-up")
        # send all traffic through the interface that was just activated
        /usr/sbin/ip route add default dev "$1"
        ;;
    esac

After connecting check your route table to verify that traffic is only
routed over the VPN tunnel.

> Can someone point me to a guide that explains how to do this?

    $ man NetworkManager
    ...
       NetworkManager will execute scripts in the
       /etc/NetworkManager/dispatcher.d directory in alphabetical order in
       response to network events. Each script should be a regular executable
       file, owned by root. Furthermore, it must not be writable by group or
       other, and not setuid.

       Each script receives two arguments, the first being the interface name
       of the device just activated, and second an action.
    ...
       vpn-up
           A VPN connection has been activated. The environment contains the
           connection UUID in the variable CONNECTION_UUID.

-- 
Garry T. Williams
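The route-table check the reply describes, as an added example that is not part of the original post or of NetworkManager: it parses constructed `ip route show` output (the interface names, addresses and metrics below are assumed) and flags any default route that does not go via the tunnel, which is exactly the leak the dispatcher script is meant to close.

```shell
#!/bin/sh
# Added example, not from the original thread. Given the text of
# `ip route show` and the VPN tunnel interface name, list every default
# route that does NOT use the tunnel. Sample tables are constructed.

# Print default routes whose "dev" is not the VPN interface, one per line.
leaky_defaults() {
    # $1 = route table text, $2 = VPN interface (e.g. tun0)
    printf '%s\n' "$1" | awk -v vpn="$2" '
        $1 == "default" {
            dev = ""
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != vpn) print
        }'
}

# Succeed (exit 0) only when every default route uses the VPN interface.
vpn_only() {
    [ -z "$(leaky_defaults "$1" "$2")" ]
}

# Emit the `ip route del` commands that would remove each leaky default
# route. They are printed, not run, so the admin can review them first.
leaky_delete_cmds() {
    leaky_defaults "$1" "$2" | while IFS= read -r route; do
        printf '/usr/sbin/ip route del %s\n' "$route"
    done
}

# Constructed sample: the wireless default route is still present
# alongside the tunnel, so unencrypted traffic can leave via wlp3s0.
LEAKY_TABLE='default via 192.168.1.1 dev wlp3s0 proto static metric 600
default dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.23'

# Constructed sample: only the tunnel carries the default route.
CLEAN_TABLE='default dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.23'
```

On a live host, `vpn_only "$(ip route show)" tun0` is the check to run after connecting; a non-zero exit means some default route still bypasses the tunnel.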
