OpenVPN/WireGuard kill switch using UFW/iptables

Hello!

I'm trying to set up a VPN kill switch inside two of the VMs and I need help setting up the firewall rules.

Both VMs are running:

  • EndeavourOS
  • ufw (firewall)
  • KDE
  • VPN (Using Network-Manager)

VM1 has OpenVPN set up and VM2 has WireGuard set up. IPv6 is already disabled.

Goal: no network access when the VPN tunnel goes down, a.k.a. a kill switch.

Will I be all right if I did the following:

  • For VM1 (OpenVPN):

    sudo ufw default deny outgoing
    sudo ufw default deny incoming

    sudo ufw allow out on tun0 from any to any
    sudo ufw allow in on tun0 from any to any

    sudo ufw allow out 1194/udp
    sudo ufw allow in 1194/udp

  • For VM2 (WireGuard):

    Adding the following to the [Interface] section of /etc/wireguard/wg0.conf:

    PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
    PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Am I missing anything here? Does this look good?


This is how mine is set up with UFW, Network-Manager and OpenVPN:

$ sudo ufw status verbose

Status: active
Logging: on (medium)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0          
1194                       ALLOW OUT   Anywhere                  
1194 (v6)                  ALLOW OUT   Anywhere (v6)

Following:

https://wiki.archlinux.org/title/NordVPN#Use_a_killswitch

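An added example (not from either post in this thread) that audits the UFW rule set for the kill-switch properties discussed above: it parses the text layout that `ufw status verbose` prints (the same shape as the output quoted in the reply), checks that both default policies are deny, and checks that every ALLOW OUT rule is either bound to the tunnel interface or is the VPN endpoint port. The one caveat it surfaces is that a port-only rule such as `allow out 1194/udp` still lets port 1194 reach any host on any interface while the tunnel is down, so the audit asks for that rule to be pinned to the VPN server's address. All three status texts are constructed samples; `tun0`, port `1194` and the interface/port column format come from the thread, and `203.0.113.5` is a documentation address standing in for a VPN server.

```python
import re
from dataclasses import dataclass

# Constructed sample: same layout as the `ufw status verbose` output quoted in the reply.
SAMPLE_STATUS = """Status: active
Logging: on (medium)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
1194                       ALLOW OUT   Anywhere
1194 (v6)                  ALLOW OUT   Anywhere (v6)
"""

# Constructed sample of a broken kill switch: the default outgoing policy was never set to deny.
LEAKY_STATUS = """Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
"""

# Constructed sample of the hardened form: the endpoint rule is pinned to one server address
# (203.0.113.5 is a documentation address, assumed here to be the VPN server).
HARDENED_STATUS = """Status: active
Logging: on (medium)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
203.0.113.5 1194/udp       ALLOW OUT   Anywhere
"""

DEFAULT_RE = re.compile(r"Default: (\w+) \(incoming\), (\w+) \(outgoing\), (\w+) \(routed\)")
# One rule row: To column, Action column, From column, separated by runs of spaces.
RULE_RE = re.compile(
    r"^(\S.*?)\s{2,}(ALLOW OUT|ALLOW IN|DENY OUT|DENY IN|REJECT OUT|REJECT IN|"
    r"LIMIT OUT|LIMIT IN|ALLOW|DENY|REJECT|LIMIT)\s+(.+?)\s*$"
)


@dataclass
class Rule:
    to: str
    action: str
    frm: str


def parse_status(text):
    """Return (default policies, rule rows) from `ufw status verbose` text."""
    defaults = {}
    m = DEFAULT_RE.search(text)
    if m:
        defaults = {"incoming": m.group(1), "outgoing": m.group(2), "routed": m.group(3)}
    rules = [Rule(*rm.groups()) for line in text.splitlines() if (rm := RULE_RE.match(line))]
    return defaults, rules


def audit_killswitch(text, tunnel_iface="tun0", vpn_port="1194"):
    """Return a list of findings; an empty list means the egress rules behave as a kill switch."""
    defaults, rules = parse_status(text)
    findings = []
    if defaults.get("outgoing") != "deny":
        findings.append("default outgoing policy is not deny: traffic leaves when the tunnel is down")
    if defaults.get("incoming") != "deny":
        findings.append("default incoming policy is not deny")
    for r in rules:
        if r.action != "ALLOW OUT":
            continue
        # Rules bound to the tunnel interface only carry traffic while the tunnel is up.
        if f"on {tunnel_iface}" in r.to or f"on {tunnel_iface}" in r.frm:
            continue
        tokens = r.to.split()
        port_tokens = [t for t in tokens if t == vpn_port or t.startswith(vpn_port + "/")]
        if port_tokens:
            if tokens[0] in port_tokens:
                # No destination address before the port: reachable on every interface.
                findings.append(
                    f"rule '{r.to} ALLOW OUT {r.frm}' allows port {vpn_port} to any host "
                    f"on any interface; pin it to the VPN server address"
                )
            continue  # address + port: only the endpoint is reachable outside the tunnel
        findings.append(f"rule '{r.to} ALLOW OUT {r.frm}' permits egress outside {tunnel_iface}")
    return findings


if __name__ == "__main__":
    for name, status in (("sample", SAMPLE_STATUS), ("leaky", LEAKY_STATUS), ("hardened", HARDENED_STATUS)):
        print(name, audit_killswitch(status) or "OK")
```

On a live VM the text would come from `sudo ufw status verbose` instead of the embedded samples; the WireGuard variant in the first post needs no equivalent check because its REJECT rule keys on the fwmark rather than on a port.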
