A VPN ensures security, anonymity, and privacy when browsing the internet. But what if your VPN failed at some point while you surfed online? Your internet data transmission would become unsecured again, leaving you exposed to the world.
That’s where a kill switch can come in handy, because it will automatically disconnect you from the internet whenever your VPN connection fails.
This safety feature comes in two types:
- Active Kill Switch. This lets you know if you’re disconnected from the VPN. The information is sent to the device to prevent it from connecting to networks considered vulnerable.
- Passive Kill Switch. More secure than an active kill switch, a passive kill switch blocks your device from sending internet traffic data if the VPN application suddenly stops getting server signals.
How to Set Up a Kill Switch
Yes, a kill switch is a great extra security measure, but not many VPNs are equipped with one. So it’s a good idea to know how to set up an OpenVPN kill switch in any operating system.
The goal is to create a security tool that prevents traffic leaks outside the VPN network.
So if your VPN encounters an issue, your personal data and privacy won’t be at risk. The kill switch will instantly sever your internet connection.
Windows
To set up a kill switch in Windows, the simplest method uses the routing table. Make sure you’re connected to the OpenVPN server of your choice before proceeding with the following steps:
1. Open the Command Prompt with admin rights: right-click it and select the “Run as administrator” option.
2. Delete the default route when the OpenVPN connection is established.
route delete 0.0.0.0
After successful deletion of the default route, the command line interface will output “OK!”
This command removes the default route, leaving the VPN tunnel as the only path to the internet. Therefore, when the VPN is inaccessible, your internet connection is cut off.
The operating system stays offline until that route is available again. However, this state isn’t persistent: if the router reboots or the adapter is disabled for whatever reason, the routing settings revert to their defaults.
For example, if you’re using an unstable Wi-Fi connection, then it’s not a very good idea to set up an OpenVPN kill switch using this method.
Also, you can manually restore the default settings:
1. Go to the Network and Sharing Center in the Control Panel.
2. Click Change adapter settings.
3. Right-click on the network adapter and click Disable.
4. Then right-click on the disabled network adapter again and click Enable.
macOS and Linux
1. Get the IP address of the VPN gateway that this kill switch is intended for, using the host command. Your VPN provider’s hostname can be found in the OpenVPN configuration files.
2. Get the name of the network interface that’s connected to your default gateway, and the subnet of the local network, using the route command. Note that root access is needed on Linux to use this command.
3. Edit the .ovpn client configuration file. Set the tun device to dev tun0, and replace the hostnames in the remote option with the IP addresses you found in step 1.
Now you’re all set to create a kill switch for your operating system.
1. Use the command-line tool pf to create a kill switch on macOS.
2. Get administrator access with root or sudo to perform the next operations.
3. Edit the pf configuration file, /etc/pf.conf, in a terminal window.
4. Block every connection except loopback, the tunnel interface, and the UDP connection to your VPN server’s port:
block drop all
pass on lo0
pass on utun0
pass out proto udp from any to (insert IP address of your VPN server) port (add your port)
5. Now save and exit.
6. For the changes to take effect, you’ll have to load the newly added rules:
pfctl -f /etc/pf.conf
7. Now, all you have to do is turn on the firewall:
pfctl -e
Now that pf is enabled, the kill switch is active. The VPN firewall will keep all your internet connections going through the encryption that the VPN provider has in place.
Other than that, it will cut off any and all incoming and outgoing unencrypted traffic. Except for the VPN server’s address and port mentioned in the previous steps, no other internet connection will be possible.
On Linux, you can create a manual kill switch (a VPN firewall) in two ways.
Kill switch using iptables
Iptables, a Linux command-line firewall, allows us to manage incoming and outgoing internet traffic with built-in or user-defined rules.
Make sure you back up the current iptables ruleset first. You can do that with iptables-save, redirecting its output to a file.
1. Create a new shell script that contains the following ruleset:
#!/bin/sh
# Flush the NAT table and then the filter table, so no leftover rule can override the kill switch
iptables -t nat --flush
iptables -t nat --delete-chain
iptables --flush
iptables --delete-chain
# Drop all outgoing traffic by default; only the exceptions below are allowed
iptables -P OUTPUT DROP
# Loopback
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
# Local network (replace the subnet and interface with the values found in step 2)
iptables -A INPUT --src 192.168.0.0/24 -j ACCEPT -i wlp6s0
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT -o wlp6s0
# The VPN server itself (replace with your server's IP address and port)
iptables -A OUTPUT -j ACCEPT -d 198.51.100.0 -o wlp6s0 -p udp -m udp --dport 1194
iptables -A INPUT -j ACCEPT -s 198.51.100.0 -i wlp6s0 -p udp -m udp --sport 1194
# Everything that goes through the tunnel
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -j ACCEPT -o tun0
2. Save the created script as iptables-vpn.sh
3. Set the permissions.
chmod +x iptables-vpn.sh
4. Execute the script.
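As a self-check that a ruleset like the one above really closes every path around the tunnel, here is an added Python example (not part of the original article) that parses the script’s OUTPUT-chain lines and evaluates constructed probe packets against them, first match wins as in netfilter, falling back to the chain policy. The probe destinations (8.8.8.8, 203.0.113.10, a LAN host) are made up for the check; any probe leaving on wlp6s0 with an ACCEPT other than the VPN handshake or the local subnet would be a leak.

```python
import ipaddress
import shlex
# Constructed input: the OUTPUT-chain lines of the kill-switch script above.
KILL_SWITCH_RULES = """
iptables -P OUTPUT DROP
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT -o wlp6s0
iptables -A OUTPUT -j ACCEPT -d 198.51.100.0 -o wlp6s0 -p udp -m udp --dport 1194
iptables -A OUTPUT -j ACCEPT -o tun0
"""
OPTS = {"-d": "dst", "-o": "oif", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rules(text):  # -> (OUTPUT chain policy, [rule dicts]); other chains ignored
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:3] == ["iptables", "-P", "OUTPUT"]:
            policy = argv[3]
        elif argv[:3] == ["iptables", "-A", "OUTPUT"]:
            rule, i = {}, 3
            while i < len(argv):          # every option used here takes one value
                opt, val = argv[i], argv[i + 1]
                if opt == "-d":
                    val = ipaddress.ip_network(val, strict=False)  # bare IP -> /32
                elif opt == "--dport":
                    val = int(val)
                if opt in OPTS:           # '-m udp' is skipped the same way
                    rule[OPTS[opt]] = val
                i += 2
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, dst, oif, proto, dport=None):  # first match wins
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if (("dst" not in r or addr in r["dst"]) and r.get("oif", oif) == oif
                and r.get("proto", proto) == proto and r.get("dport", dport) == dport):
            return r["target"]
    return policy                         # no rule matched: chain policy applies

def leak_report(text):  # verdict per constructed probe; an unexpected ACCEPT is a leak
    policy, rules = parse_rules(text)
    probes = {  # (destination, outgoing interface, protocol, destination port)
        "dns_to_public_resolver": ("8.8.8.8", "wlp6s0", "udp", 53),
        "https_direct": ("203.0.113.10", "wlp6s0", "tcp", 443),
        "vpn_handshake": ("198.51.100.0", "wlp6s0", "udp", 1194),
        "https_via_tunnel": ("203.0.113.10", "tun0", "tcp", 443),
        "lan_printer": ("192.168.0.20", "wlp6s0", "tcp", 631),
    }
    return {name: verdict(policy, rules, *p) for name, p in probes.items()}
```

The ufw script later on the page encodes the same policy, but this evaluator reads only iptables syntax.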
Kill switch using ufw
Ufw is the default firewall configuration tool in Ubuntu. It offers an easy, user-friendly way to build IPv4 or IPv6 host-based firewalls.
1. Install ufw.
apt-get install ufw
Before proceeding, make sure to back up your firewall ruleset in case something goes wrong.
2. Put the following commands in a new shell script:
#!/bin/sh
# Start from a clean ruleset (reset leaves ufw disabled; it is enabled again at the end)
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
# Everything that goes through the tunnel
ufw allow in on tun0
ufw allow out on tun0
# Local network (replace the subnet and interface with the values found in step 2)
ufw allow in on wlp6s0 from 192.168.0.0/24
ufw allow out on wlp6s0 to 192.168.0.0/24
# The VPN server itself (replace with your server's IP address and port)
ufw allow out on wlp6s0 to 198.51.100.0 port 1194 proto udp
ufw allow in on wlp6s0 from 198.51.100.0 port 1194 proto udp
# Turn the firewall on so the rules take effect
ufw enable
3. Save the script file as ufw-ks.sh.
4. Set the permissions with chmod.
chmod +x ufw-ks.sh
5. Execute the script.
Well done, your VPN kill switch is now activated and ready to go.
You can use ufw disable to deactivate the firewall.
Kill Switches Available in VPN Apps
ExpressVPN is by far the best VPN currently available. The kill switch in ExpressVPN is known as the “Network Lock,” and it’s available for all platforms, including Windows, Linux, and macOS. If a sudden failure in ExpressVPN occurs, the Network Lock disconnects you from the internet until the VPN regains its connection.
How to set up Network Lock in ExpressVPN
1. Click Options in the menu.
2. Activate the Network Lock.
NordVPN offers several versions of the kill switch. You can disable either system-wide internet access or specific applications only.
Here’s how to activate the kill switch in NordVPN:
- Go to the settings.
- Enable the Internet Kill Switch or the App Kill Switch.
Other VPNs With Kill Switches
These days, more and more VPNs are trying to keep up with the advanced features offered by leading VPN companies. Here are some that now offer kill switches:
- Private Internet Access
Certain VPN services, like TotalVPN and Buffered, still need to get with the program.