VPN killswitch and UncomplicatedFireWall (ufw)

August 25, 2023    Article    221 words    2 mins read

You can set-up a VPN killswitch, which is a simple way to ensure that if your VPN connection is dropped, regardless of the reason, the Internet connections are not allowed (and your real IP will not be exposed). And this can be done easily using ufw on any Debian-based distro.

Start by installing ufw if it’s not already installed on your system:

$ sudo apt install ufw

Configure ufw to deny all incoming and outgoing connections:

$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing

Set-up an exception for the VPN connection and allow all outgoing traffic on the tun0 interface (obviously, if you’re using tun0, which you should anyway):

$ sudo ufw allow out on tun0 from any to any

Set-up an exception for the initial connection to the VPN server (make sure you replace x.x.x.x with the actual server IP), else you need to disable the firewall before making the initial VPN connection and re-enable it after:

$ sudo ufw allow out from any to x.x.x.x

Enable ufw and check the status afterwards:

$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo ufw status
Status: active

To                    Action        From
--                    ------        ----
Anywhere              ALLOW OUT     Anywhere on tun0
x.x.x.x               ALLOW OUT     Anywhere
Anywhere (v6)         ALLOW OUT     Anywhere  (v6) on tun0