Kill switch!

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

renthispace
OpenVpn Newbie
Posts: 1
Joined: Sat Jul 04, 2015 4:45 pm

Kill switch!

Post by renthispace » Sat Jul 04, 2015 4:48 pm

The client needs a built-in internet kill switch in the event the VPN connection drops. This seems like it should be in the default configuration because the internet will work just fine without the VPN, but we are obviously using a VPN for a reason....

janspambox
OpenVpn Newbie
Posts: 4
Joined: Sat Nov 21, 2015 11:26 am

Re: Kill switch!

Post by janspambox » Sat Nov 21, 2015 12:10 pm

I agree that it would be desirable, but I'm not sure how easy it is to implement. Possibly an option to delete and not re-add the default route could do the trick, but it could make it difficult to re-establish a dropped connection.

If you (or someone else, given the age of this thread) are looking for a workaround, it should be possible to configure a local firewall to disallow outbound traffic not originating from the OpenVPN process.

The default Windows firewall supports it. I am successfully using it to restrict an application to VPN. I had difficulties binding it to the OpenVPN interface, but I was able to set up a rule that it can't communicate unless the local IP matches the IP range provided by the VPN it is supposed to be using, which does the trick.

On Linux, you could e.g. run OpenVPN under its own user, and use the owner match extension of iptables to restrict other users from using the Internet directly.
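
One way to express the Linux workaround from the post above (an added example, not part of the original thread): the function prints the iptables and ip6tables commands for a kill switch built on the owner match. The account name `openvpn`, the interface `tun0` and the chain name `VPN_KILLSWITCH` are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) the firewall commands for a per-user
# kill switch. Assumed names: account "openvpn", interface "tun0",
# chain "VPN_KILLSWITCH".

killswitch_rules() {
    vpn_user=$1            # account the OpenVPN process runs under
    tun_if=$2              # tunnel interface created by OpenVPN
    chain=VPN_KILLSWITCH   # dedicated chain, kept apart from existing rules

    # Reject empty values, leading dashes and shell metacharacters so the
    # arguments cannot add options or commands to the generated lines.
    case $vpn_user in
        ''|-*|*[!A-Za-z0-9_-]*) echo "invalid user: $vpn_user" >&2; return 1 ;;
    esac
    case $tun_if in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid interface: $tun_if" >&2; return 1 ;;
    esac

    # IPv4 and IPv6 get the same policy; filtering only IPv4 would leave
    # IPv6 traffic leaking past the switch.
    for ipt in iptables ip6tables; do
        # Order: loopback, anything routed into the tunnel, the OpenVPN
        # account itself (so it can reach the server and reconnect), then
        # reject the rest. The jump from OUTPUT is added last so the chain
        # is complete before any packet reaches it.
        printf '%s\n' \
            "$ipt -N $chain" \
            "$ipt -A $chain -o lo -j ACCEPT" \
            "$ipt -A $chain -o $tun_if -j ACCEPT" \
            "$ipt -A $chain -m owner --uid-owner $vpn_user -j ACCEPT" \
            "$ipt -A $chain -j REJECT" \
            "$ipt -I OUTPUT 1 -j $chain"
    done
}

# Dry run: show what would be applied.
killswitch_rules openvpn tun0
```

Review the output, then pipe it to `sh` as root. Because the OpenVPN account may still use the physical interface, a dropped tunnel can be re-established while every other user's traffic is rejected.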

sdfg2345
OpenVpn Newbie
Posts: 1
Joined: Sat Aug 27, 2016 4:22 pm

Re: Kill switch!

Post by sdfg2345 » Sat Aug 27, 2016 4:24 pm

It's been a year. Did the feature ever come to OpenVPN for Windows?

jameshouston135
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 12, 2016 11:32 am

Re: Kill switch!

Post by jameshouston135 » Mon Feb 06, 2017 2:08 pm

An internet kill switch comes in handy in the event of VPN failure. A VPN connection can leak a user's actual IP address while exposing his online activities to ISPs, spy agencies, hackers and almost every cyber criminal. Generally, the internet kill switch is not activated by default and requires you to turn it on through settings. You can choose from top VPN services that offer an internet kill switch here: https://www.vpnranks.com/vpn-with-kill-switch

sfroberg
OpenVpn Newbie
Posts: 1
Joined: Tue Feb 07, 2017 8:26 pm

Re: Kill switch!

Post by sfroberg » Tue Feb 07, 2017 8:31 pm

I have made a primitive kill switch with a script that uses Linux network namespaces:
https://www.wilderssecurity.com/threads/native-openvpn-kill-switch-under-linux.391828/

Of course, it would be great if the OpenVPN client had native support for Linux network namespaces.
Maybe some command line like --namespace <namespace>?
And then OpenVPN would first contact the remote VPN server in the normal, global network namespace, then create the given namespace and switch to it, bring the tun0 interface up and finally set up the routing stuff that it needs inside that namespace.

And if the OpenVPN process dies, then the routing table inside the network namespace (and also the tun0 interface) disappears, leaving all the applications that used that network namespace without a connection.
