Adding a VPN “KillSwitch” to NetworkManager

5 September 2014

I use a VPN connection most days, and leave it unattended. Sometimes, however, it is not as stable as I would like it to be, and it disconnects, for instance because of wireless network problems. The wireless connection is brought up again, but the VPN connection stays down, causing potentially sensitive data to be exchanged through an insecure channel. Bad.

How can we solve this?

In jargon, a mechanism that disconnects you from the Internet when your VPN connection drops is called a “VPN Kill Switch”. Thankfully, there is a simple way to add one to NetworkManager: a dispatcher script. NetworkManager calls these scripts automatically whenever a connection goes up or down.

You can save the following in /etc/NetworkManager/dispatcher.d/99vpnkillswitch, and give it 0755 permissions (it must be owned by root):

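#!/bin/sh

# File that records which physical device the VPN was running over
IFFILE=/var/run/vpnkillswitch.iface

# NetworkManager passes the interface name and the event as $1 and $2
interface=$1
status=$2
case $status in
    vpn-up)
        # Get the physical device associated with the VPN connection
        nmcli -f type,device c | awk '$1~/^vpn$/ && $2~/[^\-][^\-]/ { print $2; }' > "${IFFILE}"
    ;;
    vpn-down)
        # Disconnect every recorded device; -r skips the call if the file is empty
        if [ -f "${IFFILE}" ]; then
            xargs -r -n 1 -a "${IFFILE}" nmcli device disconnect
        fi
    ;;
esac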

You’re good to go! Try stopping your VPN interface, and your associated physical interface should be brought down too.
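The same dispatcher logic, as an added example that is not part of the original post, split into functions so the device selection and the vpn-down handling can be exercised with a stub instead of the real network. It assumes a newer nmcli that supports terse output (`-t`) and `connection show --active`; the `NMCLI` and `STATE` variables and the function names are introduced here for illustration.

```sh
#!/bin/sh
# Added example, not the original post's script.
# NMCLI and STATE are hypothetical overridable names introduced for this example.
NMCLI=${NMCLI:-nmcli}
STATE=${STATE:-/var/run/vpnkillswitch.iface}

# Read terse "TYPE:DEVICE" rows on stdin and print each device that carries
# a VPN exactly once. Rows with no device ("--" or empty) are ignored.
vpn_devices() {
    awk -F: '$1 == "vpn" && $2 != "" && $2 != "--" && !seen[$2]++ { print $2 }'
}

# Handle one dispatcher event; the arguments mirror $1 (interface) and $2 (action).
killswitch_event() {
    case $2 in
        vpn-up)
            # Record the underlying device(s) while the VPN is still up.
            "$NMCLI" -t -f TYPE,DEVICE connection show --active | vpn_devices > "$STATE"
            ;;
        vpn-down)
            # Nothing recorded means nothing to do; never guess a device.
            [ -s "$STATE" ] || return 0
            while IFS= read -r dev; do
                "$NMCLI" device disconnect "$dev" < /dev/null
            done < "$STATE"
            # Drop the record so a later, unrelated vpn-down does not reuse it.
            rm -f "$STATE"
            ;;
    esac
}

# Entry point when installed as a dispatcher script.
killswitch_event "${1:-}" "${2:-}"
```

Only active connections are inspected here, so a saved but inactive VPN profile never contributes a device to the state file.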


Having Cherokee playing well with RVM and Ruby on Rails

5 May 2010

Update: now it works with Rails 3.0.

Today I set out to get Cherokee working well with RVM. I wanted to be able to switch the Ruby version with ease, in order to allow for painless upgrades when patches are released upstream. Moreover, I wanted to be able to create gemsets and such. Cherokee is fast as hell, and much easier to maintain than Apache.

After a little bit of fiddling, I came up with a nice and easy solution, which roughly goes like this:

  1. Create a rails user on your system. My advice is to lock it down with “passwd -l rails” after creation.
  2. If you installed any gems as root, it’s best to remove them. Then, follow the normal instructions to install rvm, su-ing as the rails user. Compile a Ruby instance of your choice and set it as the default (“rvm use --default ruby-1.8.7”, for example).
  3. Still logged in as the rails user, install any gems you may need. You can do this later, if you prefer. Test whether your website starts manually, by calling script/server, or whether it complains about missing gems.
  4. chown -R your rails project to rails:rails. I keep my production sites under /var/www, but you can put ’em in /home/rails, for example.
  5. Use the standard wizard that comes with Cherokee to prepare the sources for your website.
  6. In the “Interpreter command” text field of each of the three newly created sources, prefix the command that’s already there with “/home/rails/spawner.sh”. For example: “/home/rails/spawner.sh example-website script/rails server -b 127.0.0.1 -e production -p 38161”. I omitted “/var/www/”, but you can put it there if you want.
  7. For each of the sources, set the user and the group the site will be served with to “rails”.
  8. Create a new file /home/rails/spawner.sh, which will do the simplest magic we need:
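#!/bin/bash

# Refuse to run as anyone but the unprivileged 'rails' user
if [ "$(whoami)" != "rails" ]; then
    echo "Cannot run this script as root. You must sudo to the 'rails' user." >&2
    exit 1
fi

export HOME="/home/rails"

# Load RVM so the default Ruby and its gems are used
if [[ -s "$HOME/.rvm/scripts/rvm" ]]; then
    source "$HOME/.rvm/scripts/rvm"
fi

# First argument: the site directory under /var/www; the rest: the command to run
cd "/var/www/$1" || exit 1
exec "${@:2}"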

Now, if someone from the Cherokee project would be so kind as to fix that ugly “Bad gateway” error the first time you try to access a Rails site and the interpreter hasn’t been spawned yet, I’d be immensely grateful. 🙂


Setting up a shared bazaar repository

17 January 2010

I found a lack of articles on the matter, so I put together this small guide, which aims to show you – in a few easy steps – how to set up a machine that acts as a central bazaar repository using bzr+ssh://. This allows a team of people to use it à la Subversion.

By the way: Bazaar is wonderful! Kudos to the devs!
