How to set up a VPN kill switch

I’m creating a VPN gateway VM using a Debian template, protonvpn, openvpn, but I would like to know how to set up a VPN kill switch.

2 Likes

Thanks @apparatus

That guide only explains how to prevent traffic from being forwarded if the VPN is not up, but from within the qube. This is practical when using the VPN provider app because you can’t guess the IP:PORTS for the firewall. The drawback is that the qube itself is able to remove the killswitch if it’s compromised (or if you mess with nftables rules).

The only killswitch that will block the traffic for sure, but requires to know the VPN endpoint IP and port, is this one (it’s a direct link to the killswitch section)

3 Likes
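The endpoint-pinning kill switch described in the post above, as an added example that is not part of the original thread or the linked guide: a shell helper that reads the `remote` lines of an OpenVPN client config and prints the dom0 `qvm-firewall` commands for review instead of running them. The qube name `sys-vpn`, the sample config, and the reset/delete/drop sequence around the `add accept` rule are assumptions; hostnames are skipped because this kind of rule needs a known IP and port.

```shell
#!/bin/sh
# Added example: print (not run) dom0 qvm-firewall commands that pin a VPN qube
# to the endpoints named in an OpenVPN client config.
# Assumptions: qube name, config text, and the reset/del/drop rule sequence.

# Constructed sample config; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_OVPN='client
proto udp
port 1194
remote 203.0.113.10 51820
remote 198.51.100.7 443 tcp-client
remote vpn.example.net 1194   # hostname: cannot be pinned as-is
remote 203.0.113.10 51820
'

# killswitch_rules QUBE < config  -> qvm-firewall commands on stdout
killswitch_rules() {
    qube=$1
    echo "qvm-firewall $qube reset"
    echo "qvm-firewall $qube del --rule-no 0"   # remove the default accept-all rule
    awk -v qube="$qube" '
        { sub(/[#;].*/, "") }                    # strip OpenVPN comments
        $1 == "proto"  { dproto = $2 }           # global defaults, may follow remotes
        $1 == "port"   { dport = $2 }
        $1 == "remote" { n++; host[n] = $2; port[n] = $3; proto[n] = $4 }
        END {
            if (dproto == "") dproto = "udp"     # OpenVPN defaults
            if (dport == "")  dport = "1194"
            for (i = 1; i <= n; i++) {
                p = (port[i] != "") ? port[i] : dport
                t = (proto[i] != "") ? proto[i] : dproto
                t = (t ~ /^tcp/) ? "tcp" : "udp" # tcp-client, udp4, ... -> tcp/udp
                if (host[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    print "skipped (not an IPv4 literal): " host[i] | "cat 1>&2"
                    continue
                }
                key = host[i] "/" t "/" p
                if (seen[key]++) continue        # drop duplicate endpoints
                printf "qvm-firewall %s add accept dsthost=%s proto=%s dstports=%s-%s\n", qube, host[i], t, p, p
            }
            printf "qvm-firewall %s add drop\n", qube   # everything else is blocked
        }'
}

printf '%s' "$SAMPLE_OVPN" | killswitch_rules sys-vpn
```

Because these rules are applied from dom0 rather than inside the qube, a compromised VPN qube cannot remove them, which is the property the post above contrasts with the in-qube nftables approach.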

qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2)

Should the IP address remain as 1.2.3.4, or should it be changed to the IP address of the sys-vpn qube? Or should it be the IP address of the ProtonVPN server?

Use the Qube GUI to set the firewall to the VPN endpoint (this avoids leaks)

It seems that setting the endpoint’s IP here is not having any effect at all. Could this be due to the configuration of sys-whonix in sys-vpn on netqube?