I'm trying to make a kill switch for my pi to only allow traffic through the VPN. I made the changes below to iptables and disabled IPv6 in sysctl.conf. This is not my area of expertise so I'm hoping the answer is glaringly obvious to someone else.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [13:988]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 502 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 502 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
I tested this and it seemed to work how I expected. No traffic unless it was going through my tunnel. After I enabled netfilter-persistent to save the new rules on reboot, I got locked out of my pi. After I cycled the power, I was able to get back in, and my new rules look like theyre there when I check, but the VPN tunnel is not working altogether even though the service is running and enabled. And I am now able to send and receive packets without the tunnel.
I can't tell if its something to do with my openvpn.conf, or something else. But it's as if the new rules and the vpn aren't working. I've tried disabling netfilter-persistent, changing the rules back, and restarting the openvpn service, no luck.