El Rincón del Tío Nuke

Mozilla, free software, privacy and more

VPN Kill switch for Linux – Protect from VPN drops and DNS leaks

This post is a follow-up to the one posted at TheTinHat.com

What we want to ensure is that:

  • We connect to our VPN and all traffic goes through it (including DNS).
  • If our VPN connection drops there is no leak and it reconnects automatically.
  • We can return to not using VPN safely.

We will use two scripts, vpn-firewall.sh and vpn-off.sh. Place them under your /home/user/bin folder or anywhere else. Make them executable with chmod +x vpn-*

  • Make sure you have the ufw package installed.
  • Before opening any app, execute vpn-firewall.sh to connect to the VPN and set up the firewall. This script will monitor your connection and reconnect to the VPN if it drops, avoiding any leaks. You can stop monitoring using Ctrl + Z.
  • If you want to stop using the VPN, stop monitoring with Ctrl + Z and execute vpn-off.sh. IMPORTANT: Make sure you close all apps first or list them under KILL_APPS in the vpn-off.sh script.
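Since the two scripts are not reproduced above, here is an added example (written for this page, not the post's own vpn-firewall.sh or vpn-off.sh) that shows the three pieces they describe: a ufw rule set that denies everything except the local network, the VPN handshake and traffic inside the tunnel (so DNS can only leave through the tunnel), the reverse rule set for going back to "no VPN", and an nmcli-based monitor loop that reconnects the profile when it drops. The connection name MyVPN, the tunnel interface tun0, the endpoint 203.0.113.10:1194/udp and the LAN 192.168.1.0/24 are placeholders to be set through the environment; applying the rules requires root.

```sh
#!/bin/sh
# Added example, not the post's vpn-firewall.sh / vpn-off.sh: a minimal ufw
# kill switch plus the nmcli-based monitor loop the post describes.
# Assumed values (placeholders, override them via the environment):
#   VPN_CON    nmcli connection name of the VPN profile
#   VPN_IFACE  tunnel interface created by the VPN
#   VPN_SERVER VPN endpoint address (documentation range used here)
#   LAN_NET    local subnet that stays reachable (xRDP, SSH, printers...)
VPN_CON="${VPN_CON:-MyVPN}"
VPN_IFACE="${VPN_IFACE:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ufw commands that build the kill switch. Everything is denied by
# default; only the VPN handshake, the local network and traffic inside the
# tunnel are allowed, so a DNS query cannot leave except through the tunnel.
killswitch_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
# Allow local network connections
ufw allow in from $LAN_NET
ufw allow out to $LAN_NET
# Allow the VPN handshake itself, needed to (re)connect with the switch active
ufw allow out to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO
# Allow anything that goes through the tunnel (including DNS)
ufw allow out on $VPN_IFACE from any to any
ufw --force enable
EOF
}

# Print the ufw commands that return to a normal "no VPN" firewall.
restore_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw --force enable
EOF
}

# Return 0 when the VPN profile is active and bound to a device.
# $1 is the output of: nmcli -t -f NAME,TYPE,DEVICE con show --active
vpn_is_active() {
  printf '%s\n' "$1" | awk -F: -v name="$VPN_CON" \
    '$1 == name && $2 == "vpn" && $3 != "" { found = 1 } END { exit !found }'
}

# Poll the VPN state and bring the profile back up whenever it drops.
# The firewall keeps blocking everything outside the tunnel in the meantime.
monitor_vpn() {
  while :; do
    if ! vpn_is_active "$(nmcli -t -f NAME,TYPE,DEVICE con show --active)"; then
      echo "VPN down, reconnecting $VPN_CON"
      nmcli con up id "$VPN_CON"
    fi
    sleep 5
  done
}

# Usage: vpn-killswitch.sh on|off  (run as root so ufw can change the rules)
case "${1:-}" in
  on)  killswitch_rules | sh && nmcli con up id "$VPN_CON" && monitor_vpn ;;
  off) restore_rules | sh ;;
esac
```

The rule functions only print commands, so you can inspect the rule set with `sh vpn-killswitch.sh` followed by `killswitch_rules` in a sourced shell before applying it; the `on` mode applies the rules first and only then brings the VPN up, so the interval between "rules active" and "tunnel up" is covered, and the LAN rules are what keep a local xRDP or SSH session reachable while the switch is active.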

If you want to run vpn-firewall.sh each time you log in, you can create a file vpn-firewall.desktop in the ~/.config/autostart/ folder with the following content:

[Desktop Entry]
Type=Application
Name=VPN Firewall autostart
# Path assumed from the bin folder suggested above; adjust it if you placed the script elsewhere
Exec=/home/user/bin/vpn-firewall.sh

Note that this might not work for you, since the script needs root access to modify the firewall rules.

7 comments for “VPN Kill switch for Linux – Protect from VPN drops and DNS leaks”

  1. hd9gd87
    4 September 2017 at 19:47

    That’s great, thanks for that!
    Is it possible to use openvpn in terminal to connect instead of network manager? I do not use NM because it can leak DNS, using openvpn in terminal prevents it from happening.

  2. Claus
    12 September 2017 at 14:16

    Does the script allow LAN traffic while active, and if not, can it be modified to do that? (I would like to locally access my box using xRDP.)

  3. 12 September 2017 at 14:26

    Yes, it allows local traffic, check the code under

    # Allow local network connections

  4. 12 September 2017 at 14:28

    hd9gd87, yes, feel free to modify the nmcli lines with the corresponding openvpn ones.

    This script ensures there are no DNS leaks: DNS requests are blocked unless they go through the tunnel.

  5. Alex
    21 March 2018 at 17:47

    This looks promising, but I am running a headless setup (raspbian lite) and even if I install Network Manager I don’t get any fancy name for my VPN connection like I do on my desktop, I only get eth0 and tun0.
    Any way around this?

  6. Ryan
    23 April 2018 at 4:36

    ALEX, did you ever find a solution to this?? I’ve searched Google for days and nobody seems to have a decent configuration.

  7. Trent
    15 June 2018 at 15:16

    # Show a list of configured VPN providers
    VPN_AVAIL=$(nmcli con | grep vpn | awk '{print $1}'); echo "$VPN_AVAIL"
