How to make a VPN kill-switch for mac OS X


The best thing I have found is to use PF, which is available on mac OS X; after you connect to your VPN provider you just need to change the IP.

Create a file ~/killswitch/pf.conf containing this:

# Options
set block-policy drop
set ruleset-optimization basic
set skip on lo0

# Interfaces
wifi = "en1"
vpn = "utun1"

# Block everything
block out all
block in all

# Outbound: Allow only VPN
pass out on $wifi proto {tcp, udp} from any to 81.171.71.XX

# Allow traffic for VPN
pass out on $vpn all

Double check your interfaces; in my case en1 is the WiFi and utun1 the VPN tunnel.

Change 81.171.71.XX to the IP you get when you connect.

Enable pf:

$ sudo pfctl -e

Load the rules:

$ sudo pfctl -Fa -f /path/to/pf.conf

Disable pf:

$ sudo pfctl -d

I had to implement this due to an issue with ipvanish, mainly because the application was crashing, making the VPN go down, and traffic was back on the default, unencrypted route.

Update

You can give killswitch a try; it can do all this for you automatically.
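As an added example (not the answer's own script, nor part of the killswitch project), the POSIX shell script below turns the answer's pf.conf into a generated file: it takes the WiFi and tunnel interface names plus the VPN server address, rejects a malformed address so the "XX" placeholder cannot slip into a ruleset, parses the file with `pfctl -n` before flushing anything, and only then enables pf and loads it. It produces the same default-deny in/out and allow-only-the-VPN-endpoint policy that the question's ufw rules express. The interface names and address are assumptions passed on the command line; 203.0.113.10 is a constructed documentation address, not a real endpoint.

```shell
#!/bin/sh
# Added example, not from the original answer: build, validate and load the
# pf kill-switch ruleset. Interface names and the VPN server address are
# assumptions given on the command line; 203.0.113.10 below is a constructed
# documentation address.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the pf ruleset for WiFi interface $1, tunnel interface $2, server $3.
render_pf_rules() {
    wifi=$1; vpn=$2; server=$3
    if ! is_ipv4 "$server"; then
        printf 'render_pf_rules: not an IPv4 address: %s\n' "$server" >&2
        return 1
    fi
    cat <<EOF
# Options
set block-policy drop
set ruleset-optimization basic
set skip on lo0

# Interfaces
wifi = "$wifi"
vpn = "$vpn"

# Default deny in both directions; pf keeps state, so replies to
# passed outbound traffic are still let back in.
block out all
block in all

# On the physical interface only the VPN endpoint itself is reachable.
pass out on \$wifi proto {tcp, udp} from any to $server

# Anything goes once it is inside the tunnel.
pass out on \$vpn all
EOF
}

# Count active (non-blank, non-comment) lines of a ruleset read on stdin.
count_rules() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

# Write the ruleset to $4 and load it. pfctl exists on macOS/BSD only.
apply_pf_rules() {
    render_pf_rules "$1" "$2" "$3" > "$4" || return 1
    sudo pfctl -n -f "$4" || return 1      # parse only; nothing is loaded yet
    sudo pfctl -e 2>/dev/null || true      # "pf already enabled" is not an error
    sudo pfctl -Fa -f "$4"                 # flush everything, load the new set
}

# Usage:  sh killswitch.sh render en1 utun1 203.0.113.10
#         sh killswitch.sh apply  en1 utun1 203.0.113.10 [/path/to/pf.conf]
case "${1:-}" in
    render) render_pf_rules "$2" "$3" "$4" ;;
    apply)  apply_pf_rules "$2" "$3" "$4" "${5:-$HOME/killswitch/pf.conf}" ;;
esac
```

Run `render` first and read the output; `apply` needs sudo and a macOS host. Two points worth knowing before loading: `pfctl -Fa` flushes state as well as rules, so existing connections are cut, and because DNS over the WiFi interface is blocked by these rules, the VPN client must have resolved its server name before the ruleset is loaded.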

Author: John Schlong

Updated on September 18, 2022

Comments

  • John Schlong
    John Schlong over 1 year

    What I wanna do is to have the internet connection disabled completely when the VPN connection goes down. I am connecting to my VPN (privatevpn.com) through Viscosity.

    I have tried everything in the book. I have tried to have disconnect scripts in Viscosity, but they never trigger, or trigger inconsistently and leave my connection vulnerable. I also tried routing tricks in Viscosity, but they don't work either.

    On my Ubuntu machines I have a solution that works perfectly: I use ufw rules to control the firewall. In order to connect to my VPN I need to disable UFW, and then once the VPN has connected I enable UFW, and it keeps the connection tight from leaking.

    There is something called pf on Mac. I might be able to configure pf to work the same way as my ufw rules work, but I don't understand how to configure it.

    Here are my UFW rules I would like to run on the Mac as well; maybe someone can help me to configure pf to use the same rules?

    Status: active
    Logging: on (low)
    Default: deny (incoming), deny (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW IN    193.180.119.0/24
    Anywhere                   ALLOW OUT   193.180.119.0/24

    • John Schlong
      John Schlong over 7 years
      No Mac networking experts around?
  • John Schlong
    John Schlong over 7 years
    OK thanks, I ended up using AirVPN client for Mac OS X, and it works out of the box. Just in case someone wanna save some time in the future.
  • iled
    iled almost 6 years
    I just tried killswitch on macOS 10.12.6 and it works perfectly. Install with brew install killswitch. If it fails, try first brew tap vpn-kill-switch/killswitch and then install. In this way, it might fail to download the bottle, but it will then compile from source for you.