UFW based VPN Killswitch
It can be handy to have a VPN "killswitch" deployed: a firewall ruleset that blocks all network traffic unless it goes through the VPN tunnel, optionally still allowing traffic on your local network.
The Killswitch
In order to setup a VPN killswitch in UFW, you need three pieces of information:
• The public IP address of the VPN server you connect to (if your config lists a hostname, resolve it and use the address; UFW rules cannot match hostnames)
• The port and protocol your server uses to communicate
• The subnet of your local network
In most cases, your VPN config will be stored in /etc/openvpn, but it's possible to set it up in any location. If you don't see an .ovpn or .conf file in /etc/openvpn, check your home directory.
The port, protocol, and server address you need will be near the top of the config file, on the remote and proto lines (a remote line can also carry its own port and protocol, which take precedence over separate port and proto lines). I used this command to display mine:
head /etc/openvpn/config.ovpn
You'll also need to know the LAN subnet your computer is on. In many cases it will be 192.168.1.0/24, but if you're not sure, confirm it before setting up the VPN killswitch with UFW.
There are a handful of different ways to get the information you need, but I recommend this:
ip addr | grep inet
You'll see an inet entry for each network adapter on your system. Ignore the loopback, which will always show 127.0.0.1/8, and make a note of the other entry. What is shown is your host's address with its prefix length, for example 192.168.1.23/24; the subnet is that address with the host bits cleared, so 192.168.1.0/24.
The remaining three steps of this process are:
• Explicitly allow LAN traffic, so local network services like your NAS will work even when the VPN is down
• Disallow all other traffic unless it is running through the encrypted connection
• Enable UFW to activate the ruleset
Allow Local Traffic
You'll need your LAN subnet from the previous step; use it in place of mine, 192.168.1.0/24.
Use the following commands to allow LAN traffic to and from your computer, adjusting the subnet to whatever fits your network:
sudo ufw allow in from 192.168.1.0/24
sudo ufw allow out to 192.168.1.0/24
UFW prints "Rule added" as each rule is accepted. Note that the inbound rule matches on the source address: written as allow in to 192.168.1.0/24 it would instead match any packet addressed to your host, including connections forwarded from the internet by your router, because your own address is inside that subnet.
Configure the VPN killswitch
Now the killswitch itself. This will cut off your internet connection whenever the VPN is disconnected; that is the point. If you need to get online without the VPN, sudo ufw disable is the quick workaround, and sudo ufw enable brings the killswitch back.
To start, set the default policy to deny all traffic:
sudo ufw default deny outgoing
sudo ufw default deny incoming
The one exception is a rule allowing you to reach the VPN server itself, with the address, port and protocol from your config (use proto tcp if that is what your config says):
sudo ufw allow out to WHATEVERYOURVPN_SERVER_IP_IS port WHATEVER_THE_PORT_IS proto udp
If your config names the server by hostname rather than by IP, OpenVPN has to resolve that name before the tunnel exists. This works if your DNS resolver is on the LAN (the LAN rules above cover it); with a public resolver you would need an additional outbound rule to that resolver on port 53, or the VPN will never come up.
We're assuming the VPN creates the network device tun0. Confirm this by connecting to your VPN and running ip addr | grep inet again: you'll see an additional entry for the VPN connection, with the interface name at the end of the line. If it is not tun0, use that name in the next two rules.
Now we force all outbound traffic to use the VPN:
sudo ufw allow out on tun0 from any to any
Optionally Depending on use case, you may want to allow connections back in through the VPN. Run this command to allow inbound connections if desired:
sudo ufw allow in on tun0 from any to any
Once you've executed the final command, your VPN killswitch is ready. Enable the OpenVPN service so the tunnel comes up at boot (see the next section for the service name), then enable UFW:
sudo systemctl enable WHATEVER_YOUR_VPN_CONNECTION_CONFIGFILE_IS
sudo ufw enable
To switch the killswitch off again:
sudo ufw disable
To show the status (add verbose to also see the default policies):
sudo ufw status
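To tie the steps above together, here is an added example script of my own (not from the original post) that reads the server, port and protocol from an OpenVPN profile, works out the LAN subnet from ip addr the same way as above, and prints the exact ufw commands from the steps above; with APPLY=1 it runs them as root and enables UFW. The variable names VPN_CONFIG, TUN_IF, APPLY and ALLOW_IN_TUN are this script's own, not UFW or OpenVPN options.

```sh
#!/bin/sh
# Added example, not from the original post: derive the three inputs the post
# asks for (server IP, port/protocol, LAN subnet) and emit the ufw commands from
# the steps above. Dry run by default; APPLY=1 executes them as root.
# VPN_CONFIG, TUN_IF, APPLY and ALLOW_IN_TUN are this script's own variables.
set -eu

# Print "host port proto" from an OpenVPN profile. A port/proto given on the
# "remote" line beats a standalone "port"/"proto" line, as in OpenVPN itself;
# defaults are 1194/udp. Only the first "remote" line is considered.
vpn_endpoint() {
    host=""; rport=""; rproto=""; gport=""; gproto=""
    while read -r key a b c; do
        case "$key" in
            remote) [ -n "$host" ] || { host="$a"; rport="$b"; rproto="$c"; } ;;
            port)   gport="$a" ;;
            proto)  gproto="$a" ;;
        esac
    done < "$1"
    [ -n "$host" ] || { echo "no remote line in $1" >&2; return 1; }
    port="${rport:-${gport:-1194}}"
    proto="${rproto:-${gproto:-udp}}"
    proto="${proto%%-*}"                              # tcp-client -> tcp
    proto="$(printf '%s' "$proto" | tr -d '46')"       # udp4 / tcp6 -> udp / tcp
    case "$proto" in
        udp|tcp) printf '%s %s %s\n' "$host" "$port" "$proto" ;;
        *) echo "unsupported proto: $proto" >&2; return 1 ;;
    esac
}

# 192.168.1.23/24 -> 192.168.1.0/24: ip addr shows the host address, the ufw
# rule wants the subnet, so clear the host bits.
cidr_network() {
    addr="${1%/*}"; bits="${1#*/}"
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$bits"
}

# First global IPv4 address on a non-tunnel interface, reduced to its subnet.
lan_subnet() {
    cidr="$(ip -o -4 addr show scope global | awk '$2 !~ /^(tun|tap)/ { print $4; exit }')"
    [ -n "$cidr" ] || { echo "no LAN address found" >&2; return 1; }
    cidr_network "$cidr"
}

# ufw cannot match hostnames, so a "remote" hostname must become an address.
resolve_v4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{ print $1; exit }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# The ruleset from the steps above, one ufw command per line, without sudo.
# ALLOW_IN_TUN=1 adds the optional inbound-over-VPN rule.
killswitch_rules() {
    server="$1"; port="$2"; proto="$3"; lan="$4"; tun="$5"
    printf '%s\n' \
        "ufw default deny outgoing" \
        "ufw default deny incoming" \
        "ufw allow in from $lan" \
        "ufw allow out to $lan" \
        "ufw allow out to $server port $port proto $proto" \
        "ufw allow out on $tun from any to any"
    [ "${ALLOW_IN_TUN:-0}" = 1 ] && printf '%s\n' "ufw allow in on $tun from any to any"
    return 0
}

main() {
    cfg="${VPN_CONFIG:?set VPN_CONFIG to your .ovpn/.conf path}"
    tun="${TUN_IF:-tun0}"
    set -- $(vpn_endpoint "$cfg")            # host port proto
    server="$(resolve_v4 "$1")"
    [ -n "$server" ] || { echo "could not resolve $1" >&2; exit 1; }
    lan="$(lan_subnet)"
    if [ "${APPLY:-0}" = 1 ]; then
        [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; exit 1; }
        killswitch_rules "$server" "$2" "$3" "$lan" "$tun" | while read -r cmd; do $cmd; done
        ufw --force enable
        ufw status verbose
    else
        killswitch_rules "$server" "$2" "$3" "$lan" "$tun"
    fi
}

# Only act when a config is given; sourcing the file for its functions does nothing.
if [ -n "${VPN_CONFIG:-}" ]; then main; fi
```

Run it once without APPLY to review the commands (for example VPN_CONFIG=/etc/openvpn/myvpnconfig.conf sh killswitch.sh), then with APPLY=1 as root. The rules are additive, so on a machine that already has UFW rules, check sudo ufw status afterwards for leftovers that would punch holes in the deny default.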
Configuring Your VPN to Connect Automatically
OpenVPN can be run as a service. Move or copy your existing .ovpn profile to /etc/openvpn if it isn't there already, then rename it to give it a .conf extension, since that is what the openvpn@ service template looks for:
sudo mv /etc/openvpn/myvpnconfig.ovpn /etc/openvpn/myvpnconfig.conf
Once it's renamed, you can start and stop OpenVPN just like any other systemd service. For example:
sudo systemctl start openvpn@myvpnconfig
sudo systemctl stop openvpn@myvpnconfig
Depending on how your profile is set up, it may prompt for a username and password, which means the service cannot start unattended. That's not ideal, but you can fix it by saving your username and password.
Save Your Username and Password
Open the profile for editing:
sudo nano /etc/openvpn/myvpnconfig.conf
and add the following line (if the profile already has a bare auth-user-pass line, which is what causes the prompt, replace it):
auth-user-pass /etc/openvpn/passwd
This tells OpenVPN to read your credentials from /etc/openvpn/passwd. All you need to do is create that file with your username and password and OpenVPN will connect without prompting. Use this command to create the file and open it for editing:
sudo nano /etc/openvpn/passwd
The structure is very simple: your username on the first line and your password on the second.
Lock Down the Config
The credentials are stored in plaintext, so restrict who can read them:
• Change ownership of /etc/openvpn/passwd and your VPN profile to the root user
• Change permissions on both files so only root can read them
sudo chown root:root /etc/openvpn/myvpnconfig.conf
sudo chown root:root /etc/openvpn/passwd
sudo chmod 400 /etc/openvpn/myvpnconfig.conf
sudo chmod 400 /etc/openvpn/passwd
No other users on your system will be able to see the plaintext credentials; the OpenVPN service starts as root, so it can still read both files. Finally, enable the service so it starts at boot:
sudo systemctl enable openvpn@myvpnconfig
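The credential and lock-down steps above, as an added example script of my own (not from the original post): it creates the credentials file with restrictive permissions from the start rather than tightening them afterwards, reads the password from the terminal so it never appears in argv or shell history, rewrites the auth-user-pass line idempotently, and checks the result. VPN_PROFILE and PASSWD_FILE are this script's own variables; the default path matches the one used above.

```sh
#!/bin/sh
# Added example, not from the original post: write /etc/openvpn/passwd safely,
# point the profile at it, and verify ownership and mode. VPN_PROFILE and
# PASSWD_FILE are this script's own variables.
set -eu

# Read "user" and "pass" as two lines from stdin and write them to FILE.
# umask 077 in a subshell means the file is never world-readable, even briefly.
write_credentials() {
    file="$1"
    read -r user; read -r pass
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" )
    chmod 400 "$file"
}

# Make PROFILE read credentials from FILE: replace an existing auth-user-pass
# line (a bare one is what triggers the interactive prompt), else append one.
# Safe to run repeatedly.
set_auth_user_pass() {
    profile="$1"; file="$2"
    if grep -q '^auth-user-pass' "$profile"; then
        sed -i "s|^auth-user-pass.*|auth-user-pass $file|" "$profile"
    else
        [ -z "$(tail -c1 "$profile")" ] || echo >> "$profile"   # ensure trailing newline
        printf 'auth-user-pass %s\n' "$file" >> "$profile"
    fi
}

# Succeed only if FILE is owned by OWNER_UID (default 0, root) and its mode
# grants nothing to group or other (400 or 600).
credential_file_ok() {
    file="$1"; want_uid="${2:-0}"
    set -- $(stat -c '%u %a' "$file")
    [ "$1" -eq "$want_uid" ] || return 1
    case "$2" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Usage (as root): VPN_PROFILE=/etc/openvpn/myvpnconfig.conf sh save-creds.sh
main() {
    profile="${VPN_PROFILE:?path to the .conf profile}"
    file="${PASSWD_FILE:-/etc/openvpn/passwd}"
    printf 'Username: ' >&2; read -r u
    printf 'Password: ' >&2; stty -echo; read -r p; stty echo; echo >&2
    printf '%s\n%s\n' "$u" "$p" | write_credentials "$file"
    chown root:root "$file" "$profile"
    chmod 400 "$profile"
    set_auth_user_pass "$profile" "$file"
    credential_file_ok "$file" && echo "ok: $file is root-owned and mode 400"
}

if [ -n "${VPN_PROFILE:-}" ]; then main; fi
```

credential_file_ok is also a handy one-liner to drop into a periodic check: if someone later edits the file with an editor that recreates it with default permissions, the check fails and tells you before the credentials are exposed.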
Optional: Disabling IPv6
Some VPN providers still don't have adequate IPv6 support, which can cause data leaks and other issues. I think it's a good idea to disable IPv6 entirely unless you're positive your provider supports it. Two files are involved:
- /etc/sysctl.conf to disable IPv6 networking
- /etc/default/ufw to stop UFW from automatically creating IPv6 rules
Open /etc/sysctl.conf for editing with the following console command:
sudo nano /etc/sysctl.conf
Add the following three lines to the end of the configuration file:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
Force the system to reload sysctl.conf and apply your changes with:
sudo sysctl -p
You can confirm the changes were applied successfully with:
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
If your system displays a 1 as output, IPv6 has been disabled successfully.
STOP AUTOMATIC IPv6 UFW RULES (optional)
You'll want to stop UFW from automatically creating IPv6 firewall rules. Even once the protocol has been disabled at the operating system level, UFW keeps adding IPv6 rules until it's told to stop. Turning them off reduces clutter in your ruleset and might save you some confusion later on. Only do this after disabling IPv6 in the kernel as above: with IPV6=no, UFW manages no IPv6 rules at all, so any IPv6 traffic that does exist would bypass the killswitch entirely. If you leave IPv6 enabled, keep IPV6=yes so the default deny policies cover it too.
To turn off IPv6 in UFW, open the file /etc/default/ufw for editing using this command:
sudo nano /etc/default/ufw
Scroll through until you find the setting for IPv6 rules, and change it to read:
IPV6=no
Press Ctrl+X, then Y to save your changes. If you've already enabled UFW prior to this step, you'll need to disable and re-enable it so the ruleset is regenerated:
sudo ufw disable
Now that IPv6 has been disabled system-wide, run sudo ufw enable again and the killswitch ruleset will be reloaded without IPv6 rules.