Create a reliable VPN kill switch on a Linux PC

 

Many people are concerned that if their VPN connection fails their security and anonymity will be sacrificed when the traffic then flows over their local unencrypted network.

​

There are several software "VPN Kill Switches" available. however they all suffer from the same basic problem. Since the software has to detect the VPN drop and then shut off the traffic you are dependent on the software not failing at the worst possible moment.  If you're serious enough to where you worry about a data breach due to a VPN failure then there is really no way you can fully trust a software kill switch.

​

The only reliable way to prevent non VPN traffic from flowing if the VPN drops is to have it blocked in advance.  The best way to do this is at your router. Simply setting your firewall to block all traffic except DNS and a selected VPN port (not 80 or 443) accomplishes this in a 100% fool proof manner.  Serious VPN providers give you several port option to connect through.  For example, if your VPN works on UDP port 5632 just set your VPN to connect on port 5632 via UDP. The allow UDP port 5632 on your router.

​

In some cases you can't bring your router with you, as in traveling and using a public connection. If you are serious about privacy and security you are likely already using a Linux based PC.  In which case, emulating the firewall function of your router on the Linux PC is pretty trivial and 100% reliable.

​

This solution is not fancy. But it is simple, reliable and absolutely free.

​

Instructions:

​

Install UFW (Uncomplicated Firewall) if not installed.

sudo apt-get install ufw -y

Connect to the VPN and type the following into your terminal to ensure that your VPN connects to tun0

sudo ifconfig

 

make sure it shows tun0. If it shows a different tun port use it instead of tun0 below.

Now disconnect from the VPN and copy and paste this into your text editor, save it as killon.sh in your home folder:

#!/bin/bash

sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable

This script resets all your ufw rules, and then changes them to only allow traffic to go in or out on tun0.  Which blocks all traffic unless it's going over the VPN

The script below changes it back to normal

#!/bin/bash

sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

save it as killoff.sh

Make these two scripts executable.

sudo chmod +x killon.sh killoff.sh

Connect to your VPN, and then execute the first script by typing into your terminal:

sudo ./killon.sh

This will enable the firewall rule. Test it by disabling the VPN and make sure you can't get to any web sites on your base connection.  As long as you remember to run killon.sh after connecting to your VPN you are protected from any VPN drop.

To go back to normal enter the following in terminal

sudo ./killoff.sh

​

If you disconnect the VPN or it drops you will have to run killoff.sh to allow the VPN to connect again and then enable the switch by using killon.sh.