Running a VPN without a Kill switch is not recommended. While most VPN providers out there implement their own Kill switch services - we, the minimalists, the ones who like to create custom VPN servers, are often left to wonder for solutions as many of the official packages do not implement such a thing.
VPN connections drop at any time and sometimes drop quite often, a time when your real ip address, dns and other sensitive data is free to leak outside of the tunnel. By using a VPN Kill Switch you basically kill any other traffic outside of the tunnel. We have a more extensive article on this subject if you want to find more about how a Kill Switch works.
This repo is still a work in progress and I welcome everyone to participate with ideas, feedback or code.
Shameless plug
This project is part of the amhoba-vpn project. amhoba-vpn allows you to create VPN servers hosted on your own VM server. For a small fee our service creates the server, installs the desired VPN service and generates client config so you can connect. In just 5 minutes you can have your own, private and secure, VPN server that has no logs, no backdoors and is powered by tested, open-source software.
The Linux Kill Switch tries to guess as many info as possible while allowing you to overwrite these params.
- After downloading the script you need to make it executable:
chmod +x /full/path/to/linux-killswitch.sh - The script is ready to run without any params only if you're running an OpenVPN instance which creates a
tun0interface or you're running a WireGuard instance which creates awg0interface - If the above is not the case you can use the param
-iand specify the VPN interface - The script also tries to guess the default public interface. If it fails to detect it you can use the param
-dto overwrite it - The script uses a remote service to detect your IP address (evidently: this script should be executed after connecting to VPN) and save it as the remote in order to whitelist the communication with the VPN server when applying the Kill Switch. If you need to overwrite it use the
-rparameter. - The script blocks waiting for your exit signal (CTRL+C) which may be undesirable in
up/down(OpenVPN) orPostUp/PostDown(WireGuard) so I added another flag-b falsewhich prevents the script from waiting for an exit signal. When using this flag the script will create the firewall lock and exit so you are responsible for unlocking by callingsudo /full/path/to/linux-killswitch.sh unlock(using thePostUp/PostDownandup/downdirectives is NOT recommended - read further down)
Full example (with all params) of running this kill switch:
sudo /full/path/to/linux-killswitch.sh -i tun0 -r 123.213.132.231 -d eth0
Keep in mind that iptables is used to setup the firewall. Before setting up the switch we backup your existing iptables rules to a local file, next to this script. If you're adding new rules to iptables while this script is running, they will be lost once the script exits since it performs a full restore from backup.
In case something unexpected takes place and you're stuck with a non-working internet due to iptables rules that failed to be removed you can use the sudo /full/path/to/linux-killswitch.sh unlock command and attempt to delete them again.
MacOS usage is exactly as Linux so refer to that for the available commands and flags.
If you're using Tunnelblick to connect to a VPN keep in mind that it has a good Kill Switch included and I suggest you give it a try.
Embedding the Kill Switch as part of the up/down directives in OpenVPN is tempting but not recommended. It works but the down script might get triggered when the VPN disconnects and that defeats the purpose of a Kill Switch. Doing it this way you leave OpenVPN as the sole guvernor of this process and that's exactly what we're trying to avoid.
One way of doing it would be to just specify an up directive and bring it down yourself manually once you decide to disconnect by executing: sudo /full/path/to/linux-killswitch.sh unlock
Same goes for WireGuard as with OpenVPN in regards to the PostUp/PostDown directives.