Kill switches (for Linux)

A kill switch is a program or firewall rule(s) that will prevent internet access if the VPN goes down for whatever reason
(remote server down, blocked by another firewall, OpenVPN crash, etc.).

Our Windows 'widget' program includes a kill switch that uses the Windows Firewall.

Most of our Linux customers run complex networks where a generic kill switch might interfere with their specific needs, and
since most of those people are generally experienced enough to write their own kill switch, we've never really had an official one for Linux.

There are already dozens of tutorials on the internet on how to write your own kill switch, but a lot of them are ineffective.
Some of them block everything except port 1194 outgoing, which could cause leaks if any non-VPN traffic goes out on that port (they filter by port rather than by the VPN server's IP).
Also, most of them don't seem to do anything about DNS, STUN/WebRTC, or IPv6 leaks.

To help out those who aren't as experienced with Linux, and so people won't use those crummy kill switch tutorials,
we thought we'd share a few kill switch scripts for the most common scenarios.

Scenario 1 - System-wide (standalone script, LAN allowed)
Scenario 2 - System-wide (standalone script, LAN disallowed)
Scenario 3 - System-wide (--up/--down script, LAN allowed)
Scenario 4 - System-wide (--up/--down script, LAN disallowed)
Scenario 5 - User-specific (--up/--down script, LAN allowed)
Scenario 6 - User-specific (--up/--down script, LAN disallowed)

Scenario 1 - System-wide (standalone script, LAN allowed)

This one is probably what most people want. It simply blocks all internet access that doesn't go through the VPN, excluding LAN IPs.
Download this script and save it somewhere, /usr/local/bin/killswitch_system_lan.sh for example.
Set it as executable with the command:
chmod +x /usr/local/bin/killswitch_system_lan.sh
Next, connect to the VPN like you normally would, either directly at the Terminal or via NetworkManager or whatever.
Once you're connected to the VPN, simply execute /usr/local/bin/killswitch_system_lan.sh to enable the kill switch.
Warning: If you tell your browser to use a proxy server running on another machine on your LAN, it will bypass the VPN and this kill switch.
All traffic will now be blocked unless it's going to the VPN IP associated with the current VPN session, or a LAN IP.
WebRTC/STUN binding requests are also blocked and IPv6 is disabled to prevent leaks through those.
All DNS will get redirected to 10.31.33.8, which is a dummy IP each VPN server has that points to the local DNS server.
In this killswitch script, change the DNSIP=10.31.33.8 line to DNSIP=10.31.33.7 if you want to use our ad/tracker blocking service.

This scenario will keep the kill switch running even if OpenVPN exits "cleanly", such as through CTRL+C or `killall -1 openvpn`.
So when you disconnect from the VPN, you'll need to disable the kill switch before you can reach anything again, excluding your LAN.

When you want to disable the kill switch, just execute /usr/local/bin/killswitch_system_lan.sh again.

Scenario 2 - System-wide (standalone script, LAN disallowed)

This scenario is basically the same as the above, except LAN access is NOT allowed.
Download this script and save it somewhere, /usr/local/bin/killswitch_system_nolan.sh for example.
Set it as executable with the command:
chmod +x /usr/local/bin/killswitch_system_nolan.sh
Next, connect to the VPN like you normally would, either directly at the Terminal or via NetworkManager or whatever.
Once you're connected to the VPN, simply execute /usr/local/bin/killswitch_system_nolan.sh to enable the kill switch.

All traffic will now be blocked unless it's going to the VPN IP associated with the current VPN session.
WebRTC/STUN binding requests are also blocked and IPv6 is disabled to prevent leaks through those.
All DNS will get redirected to 10.31.33.8, which is a dummy IP each VPN server has that points to the local DNS server.
In this script, change the DNSIP=10.31.33.8 line to DNSIP=10.31.33.7 if you want to use our ad/tracker blocking service.

This scenario will keep the kill switch running even if OpenVPN exits "cleanly", such as through CTRL+C or `killall -1 openvpn`.
So when you disconnect from the VPN, you'll need to disable the kill switch before you can reach anything again.

When you want to disable the kill switch, just execute /usr/local/bin/killswitch_system_nolan.sh again.

Scenario 3 - System-wide (--up/--down script, LAN allowed)

Unlike the previous two, this script isn't meant to be executed directly (unless you're turning off the kill switch); it should be called from OpenVPN's --up option.
Doing it this way saves you the trouble of enabling the kill switch every time you want to connect to the VPN.

Download this script and save it somewhere, /usr/local/bin/killswitch_system_lan_up.sh for example.
Set it as executable with the command:
chmod +x /usr/local/bin/killswitch_system_lan_up.sh
Next, edit your OpenVPN config file and add the two lines:
up /usr/local/bin/killswitch_system_lan_up.sh
script-security 2
That will keep the kill switch running even if OpenVPN exits "cleanly", such as through CTRL+C, or `killall -1 openvpn`, or when you disconnect from Network Manager.
If you want the kill switch to turn off when OpenVPN exits "cleanly", then also add this line:
down /usr/local/bin/killswitch_system_lan_up.sh
With that the kill switch will only stay active if OpenVPN exits in an "unclean" way, such as crashing or `killall -9 openvpn`.

Finally, connect to the VPN however you normally would, through the Terminal or Network Manager or whatever, making sure to use the config you just changed.
Warning: If you tell your browser to use a proxy server running on another machine on your LAN, it will bypass the VPN and this kill switch.
Once you're connected, all traffic will be blocked unless it's going to the VPN IP associated with the current VPN session, or a LAN IP.
WebRTC/STUN binding requests are also blocked and IPv6 is disabled to prevent leaks through those.
All DNS will get redirected to the DNS IP provided by the VPN server.
If you want to use the ad/tracker blocking service, change the line:
DNSIP=`echo $foreign_option_1|awk '{print $NF}'`
in the kill switch script to:
DNSIP=10.31.33.7
If you're not using it as a --down script, when you disconnect from the VPN you'll need to disable the kill switch before you can reach anything outside the LAN again.
To disable the killswitch, run:
/usr/local/bin/killswitch_system_lan_up.sh off

Scenario 4 - System-wide (--up/--down script, LAN disallowed)

This script also isn't meant to be executed directly (unless you're turning off the kill switch); it should be called from OpenVPN's --up option.
Doing it this way saves you the trouble of enabling the kill switch every time you want to connect to the VPN.

Download this script and save it somewhere, /usr/local/bin/killswitch_system_nolan_up.sh for example.
Set it as executable with the command:
chmod +x /usr/local/bin/killswitch_system_nolan_up.sh
Next, edit your OpenVPN config file and add the two lines:
up /usr/local/bin/killswitch_system_nolan_up.sh
script-security 2
That will keep the kill switch running even if OpenVPN exits "cleanly", such as through CTRL+C, or `killall -1 openvpn`, or when you disconnect from Network Manager.
If you want the kill switch to turn off when OpenVPN exits "cleanly", then also add this line:
down /usr/local/bin/killswitch_system_nolan_up.sh
With that the kill switch will only stay active if OpenVPN exits in an "unclean" way, such as crashing or `killall -9 openvpn`.

Finally, connect to the VPN however you normally would, through the Terminal or Network Manager or whatever, making sure to use the config you just changed.
Once you're connected, all traffic will be blocked unless it's going to the VPN IP associated with the current VPN session.
WebRTC/STUN binding requests are also blocked and IPv6 is disabled to prevent leaks through those.
All DNS will get redirected to the DNS IP provided by the VPN server.
If you want to use the ad/tracker blocking service, change the line:
DNSIP=`echo $foreign_option_1|awk '{print $NF}'`
in the kill switch script to:
DNSIP=10.31.33.7
If you're not using it as a --down script, when you disconnect from the VPN you'll need to disable the kill switch before you can reach anything again.
To disable the killswitch, run:
/usr/local/bin/killswitch_system_nolan_up.sh off

Scenario 5 - User-specific (--up/--down script, LAN allowed)

This one will only apply the kill switch to a specific user.
Download this script and save it somewhere, /usr/local/bin/killswitch_user_lan.sh for example.
Set it as executable with the command:
chmod +x /usr/local/bin/killswitch_user_lan.sh
Next, edit the script, changing the "justme" part of the line:
KSUSER=justme
to the actual user you want to use the kill switch.

Next, edit your OpenVPN config file and add the two lines:
up /usr/local/bin/killswitch_user_lan.sh
script-security 2
That will keep the kill switch running even if OpenVPN exits "cleanly", such as through CTRL+C, or `killall -1 openvpn`, or when you disconnect from Network Manager.
If you want the kill switch to turn off when OpenVPN exits "cleanly", then also add this line:
down /usr/local/bin/killswitch_user_lan.sh
With that the kill switch will only stay active if OpenVPN exits in an "unclean" way, such as crashing or `killall -9 openvpn`.

Finally, connect to the VPN however you normally would, through the Terminal or Network Manager or whatever, making sure to use the config you just changed.
Warning: If you tell your browser to use a proxy server running on another machine on your LAN, it will bypass the VPN and this kill switch.
Only for the user you specified above, all traffic will be blocked unless it's going to the VPN IP associated with the current VPN session, or a LAN IP.
For other users, the VPN will operate normally. If it goes down, those other users will be able to reach the internet. The user you specified above will not be able to.
For all users, WebRTC/STUN binding requests are also blocked and IPv6 is disabled to prevent leaks through those.
All DNS for the specified user will get redirected to the DNS IP provided by the VPN server.
If you want to use the ad/tracker blocking service, change the line:
DNSIP=`echo $foreign_option_1|awk '{print $3}'`
in the kill switch script to:
DNSIP=10.31.33.7
If you're not using it as a --down script, when you disconnect from the VPN you'll need to disable the kill switch before that user can reach anything outside the LAN again.
To disable the killswitch, run:
/usr/local/bin/killswitch_user_lan.sh

Scenario 6 - User-specific (--up/--down script, LAN disallowed)

This one will only apply the kill switch to a specific user.
Download this script and save it somewhere, /usr/local/bin/killswitch_user_nolan.sh for example.
Set it as executable with the command:
chmod +x /usr/local/bin/killswitch_user_nolan.sh
Next, edit the script, changing the "justme" part of the line:
KSUSER=justme
to the actual user you want to use the kill switch.

Next, edit your OpenVPN config file and add the two lines:
up /usr/local/bin/killswitch_user_nolan.sh
script-security 2
That will keep the kill switch running even if OpenVPN exits "cleanly", such as through CTRL+C, or `killall -1 openvpn`, or when you disconnect from Network Manager.
If you want the kill switch to turn off when OpenVPN exits "cleanly", then also add this line:
down /usr/local/bin/killswitch_user_nolan.sh
With that the kill switch will only stay active if OpenVPN exits in an "unclean" way, such as crashing or `killall -9 openvpn`.

Finally, connect to the VPN however you normally would, through the Terminal or Network Manager or whatever, making sure to use the config you just changed.
Only for the user you specified above, all traffic will be blocked unless it's going to the VPN IP associated with the current VPN session.
For other users, the VPN will operate normally. If it goes down, those other users will be able to reach the internet. The user you specified above will not be able to.
For all users, WebRTC/STUN binding requests are also blocked and IPv6 is disabled to prevent leaks through those.
All DNS for the specified user will get redirected to the DNS IP provided by the VPN server.
If you want to use the ad/tracker blocking service, change the line:
DNSIP=`echo $foreign_option_1|awk '{print $3}'`
in the kill switch script to:
DNSIP=10.31.33.7
If you're not using it as a --down script, when you disconnect from the VPN you'll need to disable the kill switch before that user can reach anything again.
To disable the killswitch, run:
/usr/local/bin/killswitch_user_nolan.sh
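As an added example (not one of the scripts linked above), here is how the rule set all six scenarios describe fits together in one script: it prints the iptables commands by default and only applies them when DRY is empty and it runs as root. The STUN ports, the RFC1918 LAN ranges and the KS_* / DRY variables are our assumptions; trusted_ip, dev and foreign_option_1 are what OpenVPN exports to --up scripts.

```shell
#!/bin/sh
# Added example, not the provider's script: prints (DRY set, the default) or
# applies (DRY empty, as root) iptables rules of the kind the scenarios above
# describe. The STUN ports and RFC1918 LAN ranges are our assumptions.
DRY=${DRY-1}
KS_LAN=${KS_LAN-1}    # 1 = LAN allowed (scenarios 1/3/5), empty = disallowed
KS_USER=${KS_USER-}   # username = user-specific (scenarios 5/6), empty = all

# One command per line: $1 VPN server IP, $2 DNS IP, $3 LAN flag, $4 user, $5 tun dev
ks_rules() {
    vpnip=$1 dnsip=$2 lan=$3 ksuser=$4 tundev=$5
    own="${ksuser:+ -m owner --uid-owner $ksuser}"   # empty for system-wide
    cat <<EOF
sysctl -q -w net.ipv6.conf.all.disable_ipv6=1
iptables -t nat -A OUTPUT$own -p udp --dport 53 -j DNAT --to-destination $dnsip
iptables -t nat -A OUTPUT$own -p tcp --dport 53 -j DNAT --to-destination $dnsip
iptables -A OUTPUT -p udp -m multiport --dports 3478,5349 -j DROP
iptables -A OUTPUT$own -o lo -j ACCEPT
iptables -A OUTPUT$own -o $tundev -j ACCEPT
iptables -A OUTPUT$own -d $vpnip -j ACCEPT
EOF
    if [ -n "$lan" ]; then
        for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
            echo "iptables -A OUTPUT$own -d $net -j ACCEPT"
        done
    fi
    echo "iptables -A OUTPUT$own -j DROP"   # everything else, on every interface
}

ks_run() { if [ -n "$DRY" ]; then echo "$1"; else eval "$1"; fi; }
ks_on()  { ks_rules "$@" | while IFS= read -r cmd; do ks_run "$cmd"; done; }
# Flushes the whole OUTPUT chain; a host with its own OUTPUT rules would
# delete the rules above individually instead.
ks_off() {
    ks_run "iptables -F OUTPUT"; ks_run "iptables -t nat -F OUTPUT"
    ks_run "sysctl -q -w net.ipv6.conf.all.disable_ipv6=0"
}

# "off" disables. Otherwise use what OpenVPN exports to --up scripts
# (trusted_ip, dev, foreign_option_1 = "dhcp-option DNS x.x.x.x"), falling
# back to KS_VPNIP / DNSIP when run by hand after connecting.
ks_main() {
    if [ "${1:-}" = off ]; then ks_off; return; fi
    vpnip=${trusted_ip:-${KS_VPNIP:?set KS_VPNIP to the current VPN server IP}}
    dnsip=${DNSIP:-${foreign_option_1##* }}
    ks_on "$vpnip" "${dnsip:-10.31.33.8}" "$KS_LAN" "$KS_USER" "${dev:-tun0}"
}

if [ "${0##*/}" = killswitch.sh ]; then ks_main "$@"; fi
```

Saved as killswitch.sh it can be named in `up`/`down` lines with script-security 2 as above, or run by hand after connecting with KS_VPNIP set; `killswitch.sh off` disables it.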