Written by: Bogdan Patru
First off, why would you even need a kill-switch, to begin with? Why the hassle in the first place?
Well, just think of it this way. Don’t you lock your home’s front door when you leave for groceries? You do that because you don’t want no homie to come in and steal your 70-inch 4k, am I right? Need to keep the vermin away.
A kill-switch works the same way. It acts like a digital lock, a security measure that keeps your personal information and internet traffic away from prying eyes.
In broader terms, this is a job for a firewall. Most operating systems ship with a built-in one, and a VPN kill-switch is simply a firewall ruleset that prevents you from accessing the internet if the VPN isn’t working.
As soon as the VPN drops out of the blue, your internet connection is cut off instantly, preventing any unencrypted traffic from being sent to or from your device.
In this sense, an OpenVPN kill-switch is the best in terms of security because this protocol’s encryption countermeasures are currently ranked as the very best on the market.
Now, let’s see how you can set up an OpenVPN kill-switch.
What we want to do is create a security tool that acts as a shield, preventing any traffic leaks, including DNS ones, outside the VPN network. In other words, if your online security provider stops for any reason, you’ll be denied access to the internet.
As such, if and when the VPN encounters an issue, your personal data and anonymity won’t be put at risk. The only gateway between you and the digital plane-scape will be severed instantly through the use of the kill-switch.
To find out the IP address of your VPN server, use either the ping or the host command with the hostname provided by your VPN provider. The hostname should be included in the configuration files for OpenVPN.
To find out these two key components, you have to use the route command. You will need root or sudo access on a Linux OS.
All you have to do is change the tunnel device line in the client configuration file to dev tun0 (directives inside the .ovpn file carry no leading dashes). Then replace the hostnames with IP addresses in the remote lines of the same configuration file. This matters because the firewall rules below match a fixed interface name and a fixed IP address, and once everything outside the VPN is blocked, a hostname could not be resolved before the tunnel comes up anyway.
After you’ve finished making these modifications on the .ovpn configuration file, you’re ready to finally set up the OpenVPN kill-switch.
We’ll talk about how you can do this on GNU/Linux, Mac OS X, and Windows platforms.
On Mac OS X, in order to create a VPN firewall you will have to use a command line tool called pf. You will need sudo or root access to perform the underlying operations.
First, you have to edit the configuration of pf at /etc/pf.conf. This is done in a terminal window:
# nano /etc/pf.conf
To block every internet connection other than the one going to the VPN server on a particular port, add the following lines to /etc/pf.conf (utun0 is the tunnel interface OpenVPN creates on this platform):
block drop all
pass on lo0
pass on utun0
pass out proto udp from any to (insert IP address of your VPN server) port (add your port)
Now save and exit.
For the changes to take effect, you will have to load the newly added rules:
# pfctl -f /etc/pf.conf
Now, all you have to do is turn on the firewall:
# pfctl -e
Now that pf is enabled, the kill-switch is in place. The VPN firewall will keep all your internet connections going through the encryption that the security provider has in place.
Other than that, it will cut off any and all incoming and outgoing unencrypted connections. Except for the netblock of the VPN server you entered in the previous steps, no other internet connection will be possible.
On Linux operating systems, the process of creating your own VPN firewall can go one of two ways: with iptables or with ufw.
Let’s see how to accomplish the task using both iptables and ufw.
Before going forward, you would do well to back up your iptables ruleset, in case anything goes wrong and you end up screwing around with the settings.
Here’s a predefined iptables ruleset so that you won’t have to wrack your brains trying to figure out what’s what.
To make things clearer, I used AzireVPN’s Swedish server IPv4 netblock viz. 220.127.116.11/27.
For the sake of utility and efficiency, save the iptables rules above to a file named iptables-ks.sh. You can then execute them whenever you want to.
What this ruleset does is drop every outgoing connection except the ones to your particular VPN netblock, so nothing can leave the machine outside the VPN.
Then, make the script executable in a terminal with sudo access (the rules only take effect once you actually run the script):
# chmod +x iptables-ks.sh
This is it. Now, your kill-switch is active and will prevent any non-VPN-encrypted connections from running. However, keep in mind that these settings are only temporary and will actually revert after a reboot.
If you want to keep them intact, you will have to install the iptables-persistent package for your distribution. Or you can set these settings to run on boot by adding the following line at the end of /etc/crontab:
@reboot root /path/iptables-ks.sh
First things first, you should install ufw like so:
# apt-get install ufw
Then you would normally have to write the ruleset yourself, but I have already provided one. Here it is:
Keep in mind that it’s built for the same Swedish AzireVPN server, using that particular port. You just have to change the IP address and the protocol to suit those of your preferred online security provider.
Then, in a terminal with sudo access, make the script executable (as with iptables, the rules apply once the script is run):
# chmod +x ufw-ks.sh
Well done, your VPN kill-switch is now activated and ready to go.
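As an added example (not the article’s own iptables-ks.sh or ufw-ks.sh), the script below builds the kill-switch policy from the two Linux sections above, emitting it either as an iptables-restore ruleset or as the equivalent ufw commands. The netblock is the article’s AzireVPN example; the port (OpenVPN’s default UDP 1194), protocol and tunnel interface (tun0, matching dev tun0 in the .ovpn file) are assumptions you can override via environment variables.

```sh
#!/bin/sh
# Added example, not the article's own iptables-ks.sh / ufw-ks.sh: it emits the
# kill-switch policy described above either as an iptables-restore ruleset or
# as the equivalent ufw commands. The netblock is the article's AzireVPN example;
# port, protocol and tunnel interface are assumptions (OpenVPN's default UDP
# 1194 and the 'dev tun0' set in the client .ovpn), overridable via environment.
VPN_NET="${VPN_NET:-220.127.116.11/27}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"

# iptables-restore format: default DROP, then allow only loopback, replies to
# connections we opened, the handshake to the VPN netblock, and anything that
# leaves through the tunnel. DNS can therefore only go out inside the VPN.
ks_iptables() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $1 -p $3 --dport $2 -j ACCEPT
-A OUTPUT -o $4 -j ACCEPT
COMMIT
EOF
}

# Same policy expressed for ufw (ufw already permits loopback in its base rules).
ks_ufw() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow out to $1 port $2 proto $3
ufw allow out on $4 from any to any
ufw --force enable
EOF
}

# With no argument the script only prints the iptables ruleset so it can be
# reviewed first; the --apply-* forms need root and load it into the kernel.
case "${1:-}" in
  --apply-iptables) ks_iptables "$VPN_NET" "$VPN_PORT" "$VPN_PROTO" "$TUN_IF" | iptables-restore ;;
  --apply-ufw)      ks_ufw "$VPN_NET" "$VPN_PORT" "$VPN_PROTO" "$TUN_IF" | sh ;;
  *)                ks_iptables "$VPN_NET" "$VPN_PORT" "$VPN_PROTO" "$TUN_IF" ;;
esac
```

This policy deliberately blocks LAN access and any DHCP client that uses normal UDP sockets; if you need those, add explicit ACCEPT rules for them before applying it.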
Keep in mind that the prerequisites I described earlier only matter for the Linux and Mac OS X setups. For Windows, you can disregard them completely.
On Windows, the best solution is to use routes: delete the default route once the OpenVPN connection is established.
To do that, open a command prompt with admin rights and write the following:
route delete 0.0.0.0
Now, your system will have no other internet routes to use other than the one your VPN provides. So, in the case where that route becomes inaccessible, everything will be cut off.
Your OS will remain in a state of stasis until it can reach that route again. The one disadvantage of this solution is that it’s not persistent. If the router reboots or the adapter is disabled for whatever reason, the routing table is restored to its default state.
For example, if you’re using an unstable Wi-Fi connection, setting up an OpenVPN kill-switch with this method is not very reliable.