Linux kill switch

Download vpn-ks.sh

Or view the plain text version

Save it somewhere like /usr/local/sbin/vpn-killswitch and make it executable:

chmod +x /usr/local/sbin/vpn-killswitch

Unified Linux kill switch

A kill switch is a firewall-based safety mechanism that blocks normal internet access if the VPN disconnects for any reason, such as a remote server outage, a local firewall problem, a crashed VPN client, or a broken route.

This replaces the older collection of separate scripts with a single unified script that works across most Linux systems and VPN setups.

It supports:
  • WireGuard (NetworkManager, wg-quick, or standalone)
  • OpenVPN (--up / --down, or standalone if VPN_HOST or VPN_ENDPOINT_V4/VPN_ENDPOINT_V6 is set)
  • nftables and iptables backends
  • system-wide or single-user-only mode
  • optional LAN access

WireGuard (NetworkManager)

If you use WireGuard through NetworkManager, place or symlink the script into:

/etc/NetworkManager/dispatcher.d/

It will automatically enable and disable on connect/disconnect.

WireGuard (wg-quick)

PostUp = /path/to/vpn-killswitch on %i
PostDown = /path/to/vpn-killswitch off %i

Works with any interface name, such as wg0 or cs-poland.

WireGuard / OpenVPN (standalone)

/path/to/vpn-killswitch on
/path/to/vpn-killswitch on cs-poland
/path/to/vpn-killswitch on tun0
/path/to/vpn-killswitch off
/path/to/vpn-killswitch status

The interface name is optional if the script can clearly auto-detect the active tunnel.

For WireGuard standalone mode, reconnect works best if the WireGuard endpoint is configured as an IP address rather than a hostname. If the endpoint is a hostname, reconnect may fail while the kill switch is active because DNS is redirected to VPN-only resolvers.

OpenVPN users need to set VPN_HOST or VPN_ENDPOINT_V4 / VPN_ENDPOINT_V6 for standalone to work.

OpenVPN (--up / --down)

script-security 2
up /path/to/vpn-killswitch
down /path/to/vpn-killswitch

You can use this when starting OpenVPN from the console, or by putting those lines directly into your .ovpn config file so the kill switch is handled automatically.

Configuration

Near the top of the script there is a small configuration section with the settings most people are likely to change.

The most important ones are:
  • BACKEND="auto" — automatically use nftables if available, otherwise iptables
  • MODE="system" or MODE="user" — apply the kill switch system-wide, or only to one specific user account
  • KS_USER="justme" — the username to protect when using MODE="user"
  • ALLOW_LAN=1 or ALLOW_LAN=0 — whether local network access is allowed outside the tunnel

Most users will only ever need to change those, plus the DNS settings below.

LAN setting

The script uses:

ALLOW_LAN=1 to allow access to directly connected LAN devices such as printers, NAS boxes, and routers.

ALLOW_LAN=0 blocks LAN access too, which gives stricter isolation and helps protect against TunnelCrack-style attacks and similar tricks that rely on traffic escaping through local or non-tunneled routes.

For most desktop users, ALLOW_LAN=1 is the easier choice. Users who want the strictest possible behavior should change it to 0.

DNS settings and leak notes

The DNS servers are configured near the top of the script:

DNS_V4="10.31.33.7"
DNS_V6="2001:db8::7"

Those are the filtered ad/tracker-blocking DNS servers. If you do not want filtering, change them to:

DNS_V4="10.31.33.8"
DNS_V6="2001:db8::8"

The script forces ordinary DNS on port 53 to the VPN DNS servers, which helps prevent normal DNS leaks.

It does not block DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). If a browser or application is configured to use those, it can still send DNS queries to third-party resolvers.

Those requests should still travel inside the VPN tunnel rather than exposing your real client IP directly, but because they bypass the VPN resolvers they can still be considered a DNS privacy leak.
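To make the Configuration, LAN and DNS sections above concrete, here is an added illustration that is not the vpn-killswitch script itself: it only prints (never applies) a minimal nftables ruleset built from the same knobs, so you can see how the tunnel-only policy, the port-53 DNS redirect, the endpoint exception, ALLOW_LAN and MODE="user" translate into rules. The interface name and the endpoint address are constructed examples; the DNS address is the page's filtered resolver.

```shell
#!/bin/sh
# Added illustration, not the vpn-killswitch script: prints (does not load)
# a minimal nftables ruleset from the knobs described on the page.
# wg0 / tun0 and 203.0.113.10 below are constructed example values.

build_ruleset() {
    # $1 tunnel iface, $2 VPN endpoint IPv4, $3 ALLOW_LAN (0/1),
    # $4 DNS_V4, $5 KS_USER (empty = MODE="system", set = MODE="user")
    tun="$1"; endpoint="$2"; allow_lan="$3"; dns="$4"; ks_user="$5"
    printf 'table inet killswitch {\n    chain output {\n'
    printf '        type filter hook output priority 0; policy drop;\n'
    # user mode: every account except the protected one is left alone
    [ -n "$ks_user" ] && printf '        meta skuid != "%s" accept\n' "$ks_user"
    cat <<EOF
        oifname "lo" accept
        ct state established,related accept
        # plain port-53 DNS only to the VPN resolver, only inside the tunnel
        oifname "$tun" ip daddr $dns udp dport 53 accept
        oifname "$tun" ip daddr $dns tcp dport 53 accept
        udp dport 53 drop
        tcp dport 53 drop
        # the handshake/reconnect to the endpoint must work outside the tunnel
        ip daddr $endpoint accept
        # everything else is only allowed inside the tunnel
        oifname "$tun" accept
EOF
    # ALLOW_LAN=1 lets RFC 1918 destinations leave on any interface
    [ "$allow_lan" = "1" ] && printf '        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept\n'
    printf '    }\n}\n'
}

# Example run: whole system protected, LAN allowed, tunnel wg0 (constructed values).
build_ruleset wg0 203.0.113.10 1 10.31.33.7 ""
```

Note that DoH/DoT on port 443/853 is not touched by these rules, which is exactly the limitation the DNS section describes.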

Important note

Do not use this script on routers (DD-WRT, OpenWRT, etc.) unless you really know what you are doing.

This script was written mainly for standard Linux desktop and server distributions. Router firmware often uses custom or non-standard default routing and network layouts, even when the firewall tools themselves are familiar. Because of that, trying to use this script on a router may stop traffic from flowing entirely.