Written by: Bogdan Patru
A killswitch is an advanced feature offered by premium VPN providers. With a kill switch, you can prevent your real IP address and location from ever being revealed, even if your VPN connection drops for some reason.
A killswitch is, in my opinion, an essential feature and an absolute must-have for any VPN. Unfortunately, not many VPNs have this feature. For example, no free VPN has a kill switch as far as I know.
Below you will learn what a VPN killswitch actually does and why it’s so important to use one regardless of what you’re doing on the internet with a VPN.
This feature could be extremely important to a political activist in a country with undemocratic laws.
Internet accounts may always be closely monitored by the authorities but they won’t know who you are and where you’re located.
It only takes 1 second for your regular connection to come back online, and the ISP or even the government will already have several red flags going up about your activities, which they will then have to report to the authorities.
If your VPN connection gets interrupted and your normal connection takes over even for just 1 second, the authorities will immediately know your real location with absolute precision. It will all be over just because of a connection drop of 1 second.
A killswitch would have prevented this because it would have blocked your regular connection from taking over when the VPN connection failed.
Almost all VPN connections will eventually experience some drops. Even the best VPNs only have a 99% uptime guarantee. This means at some point in time your VPN connection will drop. It just happens. And it will happen to you too!
This is why you absolutely need a killswitch.
You may be asking now why I’m repeating myself so much about the necessity of a killswitch. Pretty much all VPNs have a killswitch so why do I need to pay so much attention to this, right?
In fact, most VPNs do not actually have a killswitch.
As mentioned above, not many VPNs have a killswitch. Some premium and top-ranked VPN platforms that have this feature are NordVPN, ExpressVPN and Cyberghost.
From these, I recommend NordVPN because, besides the killswitch, it has a true zero-logs policy, meaning that it keeps absolutely no records whatsoever about user activity (unlike ExpressVPN, for example).
NordVPN also allows you to use your VPN connection (and killswitch feature) with particular applications or websites only. For example, you can make it so that your NordVPN connection only runs for torrent websites and applications while anything else runs on your normal connection. This is also a feature usually not available at most other VPN platforms.
So check out NordVPN if you want to get some of the fastest VPN servers and one of the most advanced VPN killswitch features available on the internet.
What we want to do is create a security tool that acts as a shield, preventing any traffic leaks, including DNS ones, outside the VPN network. In other words, if your online security provider stops for any reason, you'll be denied access to the internet.
As such, if and when the VPN encounters an issue, your personal data and privacy won’t be put at risk. The only gateway between you and the digital plane-scape will be severed instantly through the use of the killswitch.
1. The IP address of the VPN gateway that you want to create a killswitch for
To find out the IP address of your VPN server, use either the ping or the host command with the hostname provided by your VPN provider. The hostname should be included in the OpenVPN configuration files.
2. The name of the network interface that’s connected to your default gateway as well as the subnet of the local network
In order to find out these two key components, you have to use the route command. You will need root or sudo access on a Linux OS.
3. A number of changes in the .ovpn configuration file
All you have to do is set the tunnel device to dev tun0 in the client configuration file. Then, on the remote lines of the same configuration file, replace the hostnames with IP addresses so that OpenVPN never needs DNS to reach the server.
After you’ve finished making these modifications on the .ovpn configuration file, you’re ready to finally set up the OpenVPN killswitch.
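As an added example that is not part of the original post, the following shell script pulls the two values from step 2 (the interface that leads to the default gateway and the local subnet behind it) out of the kernel routing table. It assumes a Linux host with iproute2, so it reads the output of ip route rather than the older route command; the routing table embedded in it is a constructed sample so that the script runs offline, and running it with the argument live reads the real table instead. The resolve_remote helper is the step 1 lookup for the hostname on the remote line.

```sh
#!/bin/sh
# Added example, not from the original post: find the name of the interface
# that leads to the default gateway and the local subnet behind it, which the
# killswitch rules must leave open. Assumes Linux with iproute2.

# Interface named on the "default" route (reads "ip route" output on stdin).
default_iface() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# On-link ("scope link") subnet attached to the given interface: the local LAN.
lan_subnet() {
    awk -v want="$1" '$1 != "default" && index($1, "/") > 0 && /scope link/ {
        for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == want) { print $1; exit }
    }'
}

# IPv4 address for the hostname on the .ovpn "remote" line, so the line can be
# rewritten to an address (needs the resolver; not used by the offline run).
resolve_remote() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1; exit }'
}

# Constructed sample of "ip route" output for an offline run.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown'

if [ "${1:-}" = "live" ]; then
    ROUTES=$(ip route)
else
    ROUTES=$SAMPLE_ROUTES
fi

IFACE=$(printf '%s\n' "$ROUTES" | default_iface)
SUBNET=$(printf '%s\n' "$ROUTES" | lan_subnet "$IFACE")
printf 'gateway interface: %s\nlocal subnet: %s\n' "$IFACE" "$SUBNET"
```

On the sample table this prints eth0 and 192.168.1.0/24; those are the values you plug into the firewall rules later on, while tun0 (also visible in the sample, as the VPN's own on-link route) is the tunnel device from the .ovpn file.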
We’ll talk about how you can do this on GNU/Linux, Mac OS X, and Windows platforms.
To create a VPN firewall on Mac OS X, you will have to use a command-line tool called pf (the packet filter). You will need sudo or root access to perform the underlying operations.
First, edit the pf configuration at /etc/pf.conf in a terminal window:
# nano /etc/pf.conf
To block every internet connection other than the one going through the VPN on a particular port, add the following lines to /etc/pf.conf:
block drop all
pass on lo0
pass on utun0
pass out proto udp from any to (insert IP address of your VPN server) port (add your port)
Now save and exit.
For the changes to take effect, you will have to load the newly added rules:
# pfctl -f /etc/pf.conf
Now, all you have to do is turn on the firewall:
# pfctl -e
Now that pf is enabled, the killswitch is in place. The VPN firewall will keep all your internet connections going through the encryption that the security provider has in place.
Other than that, it will cut off all incoming and outgoing unencrypted traffic. Except for the VPN server address you specified in the previous steps, no other internet connection will be possible.
On Linux operating systems, you can create your own VPN firewall in one of two ways.
Let's see how to accomplish the task using both iptables and ufw.
VPN killswitch using iptables
Before going forward with the process, you would do well to back up your iptables ruleset in case anything goes wrong and you end up messing up the settings.
Here’s a predefined iptables ruleset so that you won’t have to wrack your brains trying to figure out what’s what.
To make things clearer, I used AzireVPN’s Swedish server IPv4 netblock viz. 184.108.40.206/27.
For the sake of utility and efficiency, just save the iptables rules from above, naming it iptables-ks.sh. You can then execute them whenever you want to.
What this ruleset does is block every outgoing internet connection except those to your particular VPN netblock.
Then, run the following in a terminal with sudo access:
# chmod +x iptables-ks.sh
# ./iptables-ks.sh
This is it. Now, your killswitch is active and will prevent any non-VPN-encrypted connections from running. However, keep in mind that these settings are only temporary and will actually revert after a reboot.
If you want to keep them intact, you will have to install the iptables-persistent package for your distribution. Or you can set these settings to run on boot by adding the following line at the end of /etc/crontab:
@reboot root /path/iptables-ks.sh
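As an added example, and not the post's own iptables-ks.sh, here is one way to write the iptables killswitch so that it can be reviewed before it is applied and saved in the format iptables-persistent reloads at boot. The VPN netblock is the AzireVPN one quoted above; the UDP port 1194, the interface names eth0 and tun0 and the LAN subnet 192.168.1.0/24 are assumptions that you change to match your own setup. It also drops DNS on the physical interface explicitly, because allowing the local subnet would otherwise leave the router usable as a leaking resolver.

```sh
#!/bin/sh
# Added example, not the post's own iptables-ks.sh: build the killswitch as an
# iptables-restore ruleset. "show" prints it for review, "apply" loads it
# atomically, and "save" writes it where iptables-persistent reloads it on boot.
# The VPN netblock is the one quoted in the post; port, interface names and
# LAN subnet are assumptions; change them to match your setup.
VPN_NET="${VPN_NET:-184.108.40.206/27}"   # from the post
VPN_PORT="${VPN_PORT:-1194}"              # assumed OpenVPN UDP port
TUN_IF="${TUN_IF:-tun0}"                  # "dev tun0" from the .ovpn file
LAN_IF="${LAN_IF:-eth0}"                  # interface to the default gateway (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # local subnet (constructed value)

ks_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback always works
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS must never leave on the physical interface, not even to the router;
# this is why the post has you put IP addresses on the "remote" lines
-A OUTPUT -o $LAN_IF -p udp --dport 53 -j DROP
-A OUTPUT -o $LAN_IF -p tcp --dport 53 -j DROP
# the local network stays reachable (router admin page, printer, file shares)
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
# the only packets allowed to leave the physical interface for the internet:
# the OpenVPN session to the provider's netblock
-A OUTPUT -o $LAN_IF -p udp -d $VPN_NET --dport $VPN_PORT -j ACCEPT
# anything going through the tunnel is encrypted and therefore fine
-A OUTPUT -o $TUN_IF -j ACCEPT
COMMIT
EOF
}

case "${1:-show}" in
    show)   ks_rules ;;                                              # review the rules
    backup) iptables-save > "iptables-backup-$(date +%s).rules" ;;   # before touching anything
    apply)  ks_rules | iptables-restore ;;                           # needs root; takes effect at once
    save)   ks_rules > /etc/iptables/rules.v4 ;;                     # reloaded by iptables-persistent
    *)      echo "usage: $0 {show|backup|apply|save}" >&2; exit 2 ;;
esac
```

After apply, check it with iptables -S OUTPUT: the first line must read -P OUTPUT DROP, followed by the loopback, LAN, VPN and tun0 accepts in that order. If you locked yourself out, the backup file written by the backup action goes back in with iptables-restore.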
First things first, install ufw:
# apt-get install ufw
Then, you will have to put together the ruleset, unless I have already provided one for you, which I did. Here it is:
Keep in mind that it is built for the same Swedish AzireVPN server, using that particular port. You just have to change the IP address and the protocol to match those of your preferred online security provider.
Then, in a terminal with sudo access, run the following:
# chmod +x ufw-ks.sh
# ./ufw-ks.sh
Well done, your VPN killswitch is now activated and ready to go.
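As an added example, and not the post's own ufw-ks.sh, the same killswitch policy expressed as ufw commands. The netblock is the one quoted above; the port 1194, the udp protocol, the tun0 device and the LAN subnet 192.168.1.0/24 are assumptions. ufw evaluates rules in the order they were added, so the script adds the DNS deny before the LAN allow; otherwise the router would stay reachable as a leaking resolver. With no argument the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example, not the post's own ufw-ks.sh: the killswitch as ufw commands.
# Netblock as quoted in the post; port, protocol, tunnel device and LAN subnet
# are assumptions. Without "apply" the commands are printed, not executed.
VPN_NET="${VPN_NET:-184.108.40.206/27}"   # from the post
VPN_PORT="${VPN_PORT:-1194}"              # assumed
VPN_PROTO="${VPN_PROTO:-udp}"             # assumed
TUN_IF="${TUN_IF:-tun0}"                  # "dev tun0" from the .ovpn file
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed value
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rule order matters: ufw matches the first rule that fits, so the DNS deny
# has to be added before the LAN allow.
ufw_killswitch() {
    run ufw --force reset
    run ufw default deny incoming
    run ufw default deny outgoing
    run ufw allow out on "$TUN_IF" from any to any
    run ufw allow out to "$VPN_NET" port "$VPN_PORT" proto "$VPN_PROTO"
    run ufw deny out to "$LAN_NET" port 53
    run ufw allow out to "$LAN_NET"
    run ufw allow in from "$LAN_NET"
    run ufw --force enable
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0    # root required from here on
fi
ufw_killswitch
```

Once applied, ufw status verbose should report deny (outgoing) as the default and list the tun0, netblock and LAN rules; a reboot keeps them, since ufw stores its rules itself, which is the practical difference from the plain iptables script.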
Keep in mind that the prerequisites I described above only matter for Linux and Mac OS X. For Windows, you can disregard them completely.
On Windows, the best solution is to use routes: delete the default route once the OpenVPN connection is established.
In order to do that, you will need to run a command prompt with admin rights. Write the following:
route delete 0.0.0.0
Now your system has no internet route to use other than the one your VPN provides. So, if that route becomes inaccessible, everything is cut off.
Your OS stays in that state until it can reach that route again. The one disadvantage of this solution is that it is not persistent: if the router reboots or the adapter is disabled for whatever reason, the routing table reverts to its default state.
For example, if you are using an unstable Wi-Fi connection, setting up an OpenVPN killswitch with this method is not a very reliable idea.