This is a quick guide for setting up a kill switch using UFW (Uncomplicated FireWall). It is assumed you are using OpenVPN and optionally Network-Manager with network-manager-openvpn.
Before we can start we're going to need the IP address (or the IP addresses) of your VPN so that we can whitelist those later on, write them down. They are obviously going to be different for every VPN and VPNs with multiple servers, so I'll leave this up to you.
On some systems UFW is installed and enabled by default (Ubuntu, for example). Installation procedure is going to be different for every distribution of GNU/Linux, but once you've got it installed enabling it is easy (assuming you have sudo):
sudo ufw enable
Block all outgoing traffic:
sudo ufw default deny outgoing
And also block all incoming traffic:
sudo ufw default deny incoming
It is assumed you are using TUN as a network adapter (if you're unsure you most definitely are). Allow outgoing traffic on tun0:
sudo ufw allow out on tun0 from any to any
And optionally allow incoming traffic on tun0 (if you're a seeder, for example):
sudo ufw allow in on tun0 from any to any
Choose 5.A. or 5.B. depending on your VPN situation
At this point you're technically done, but with this setup you would need to disable UFW every time OpenVPN needed to connect to your VPN and then re-enable UFW when it has connected. Instead of doing that you could add the IP addresses mentioned earlier as exceptions to UFW.
To add a single IP:
sudo ufw allow out from any to 123.123.123.123
To add a range, use a mask:
sudo ufw allow out from any to 123.123.123.0/24
Go to step 6.
If you didn't follow 5.A, and your VPN service changes/rotates IP addresses you will at least need to allow OpenVPN to somehow communicate to the outside:
sudo ufw allow out 1198/udp
sudo ufw allow in 1198/udp
Here, 1198 is the port number that OpenVPN uses, but be careful as default is actually 1194, you might have to check your VPN configuration files (the line that begins with remote {server} {port} ... or a line with rport {port}) for the actual port number used. Might also need to add the same rules for tcp.
This will allow you to at least disable ufw, connect to your VPN, and then enable ufw again to turn the kill switch back on. You will, however, have to do this every time you want to connect or if you're disconnected, which isn't entirely desirable.
By default, OpenVPN will use a random port when connecting to the VPN.
Replace the nobind option from your VPN configuration files with bind to force OpenVPN to use the desired port (1194 by default), and add the desired port (for example port 1198). But beware; this won't work on a system with multiple VPN clients on the same host, e.g. it will only work if you connect to one VPN at a time (unless you specifically bind different ports for different VPNs, of course, but you need to be aware of this).
Example; replace nobind in a /etc/openvpn/client/{name}.conf with:
local 0.0.0.0
lport 1198
bind
The local option is required (trivia: because "the C API" - bind() always takes an address and a port number, so you can't just bind to an address alone.)
There's a high possibility openvpn will try to resolve a host address, in that case add a rule for DNS:
sudo ufw allow out 53
sudo ufw allow in 53
sudo ufw status
And test your internet connection!
Congratulations, you've configured a VPN Kill switch on your GNU/Linux system!
Thanks to:
- Me!
- formeroosid