Kali Linux – Ensuring Traffic is Only Sent via OpenVPN

A guide on configuring Kali so all network traffic is routed over an OpenVPN connection.

Install Required Packages

apt-get install network-manager-openvpn network-manager-openvpn-gnome iptables-persistent

Import your OpenVPN config

It’s best to do this via nmcli rather than the GUI, as you get detailed error messages:

nmcli connection import type openvpn file yourprofile.ovpn

If it fails to connect, follow the system log while you retry:

tail -f /var/log/syslog

If you see an error similar to the one below:

kali gnome-shell[1030]: Invalid VPN service type (cannot find authentication binary)

This is a known bug. To fix this issue, go to:

Settings > Network > YourProfile, then click the box next to the password field and select "Store the password for all users".

[Screenshot: password storage options in the VPN profile (Store the password only for this user / Store the password for all users / Ask for this password every time / The password is not required), with "Store the password for all users" selected]

Configuring the Firewall

Paste the commands below into a terminal. The VPN port and protocol in the rules (UDP 1198 here) may need changing to match your VPN provider.

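#Flush existing rules and delete user-defined chains
iptables -F
iptables -X

#Default policy: drop everything
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

#Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow packets that belong to already-established connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT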

#Allow VPN traffic
iptables -A OUTPUT -o tun+ -j ACCEPT

#Ensure the below is the same port and protocol as your VPN provider
iptables -A OUTPUT -p udp --dport 1198 -j ACCEPT

#Allow DNS (if your provider uses DNS for round robin between server IP addresses)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

#Allow DHCP
iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP

Save the rules to run on reboot

netfilter-persistent save
update-rc.d netfilter-persistent enable
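
To see what the firewall section's ruleset still lets out, the script below (an added example, not part of the original guide) audits rules in iptables -S format and lists every OUTPUT rule that can start new traffic outside the tunnel. The sample ruleset is constructed to match the commands above, and the function names are this example's own.

```shell
#!/bin/sh
# Audit a ruleset in `iptables -S` format for the ways traffic can still
# leave outside the VPN tunnel. Run with "live" as root to audit the real rules.

# Constructed sample: what `iptables -S` prints after applying the guide's rules.
sample_rules() {
cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP
EOF
}

# Print "ok" if the OUTPUT chain drops by default, "open" otherwise.
output_policy() {
    if grep -qx -- '-P OUTPUT DROP'; then echo ok; else echo open; fi
}

# Print every OUTPUT ACCEPT rule that can start a new flow on a non-tunnel
# interface: not bound to lo or tun+, and not limited to tracked connections.
off_tunnel_rules() {
    grep -- '^-A OUTPUT .*-j ACCEPT$' |
        grep -v -e ' -o lo ' -e ' -o tun' |
        grep -v -- '--ctstate RELATED,ESTABLISHED'
}

# Audit the live ruleset when called with "live"; otherwise use the sample.
audit() {
    if [ "$1" = "live" ]; then rules=$(iptables -S); else rules=$(sample_rules); fi
    echo "OUTPUT policy: $(printf '%s\n' "$rules" | output_policy)"
    echo "Rules that allow new traffic outside the tunnel:"
    printf '%s\n' "$rules" | off_tunnel_rules
}

audit "${1:-sample}"
```

On the ruleset above it reports the VPN-port and DNS rules, neither of which is bound to an interface, so DNS lookups in particular can leave via eth0. iptables handles IPv4 only; IPv6 is filtered separately by ip6tables.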