A killswitch is a feature used to disable the internet connection after a certain amount of time, typically 30 minutes. This helps prevent your ISP from detecting and throttling your traffic because it doesn’t show up on their network anymore.
The “openvpn killswitch” is a tool that allows users to set up a Linux kill switch for VPNs. This tool can be found in the openvpn package. It must be installed on the client machine and then located in /etc/openvpn/kill.sh.
Any serious Linux VPN user should invest in a Linux killswitch. It protects your data from being leaked to the internet by preventing anybody from accessing it even if you’re not connected to the VPN. It also assures that all information is kept private no matter what occurs in the meantime.
A kill switch is a nightmare for a cyber-criminal. It’s a huge roadblock between them and their goal. As long as you have a kill switch activated, no one can access your data if your VPN connection fails for even a second because your computer or phone freezes, dies, or you accidently cut the cable.
You’ll need the following items to follow along:
- The file you’ll need to connect to your VPN service provider. The VPN service used in this article is NordVPN.
- A device running Ubuntu with the OpenVPN software installed. Ubuntu 20.04 and OpenVPN 2.5.3 will be used in the examples.
Related: [Step-by-Step] How to Install Ubuntu 20.04
Uncomplicated Firewall Installation (UFW)
In this tutorial, the Linux killswitch hinges on the configuration of the firewall. First, start by Uncomplicated Firewall Installation (UFW) on your device and setting the firewall up to act as the kill switch.
Before you begin, ensure sure your Linux distribution is up to date; otherwise, your UFW firewall may not function properly. For example, the UFW may fail to load the settings or a newly added/removed rule may fail to load.
To install the firewall, do sudo apt install ufw -y.
Most Ubuntu editions include the UFW firewall by default, so you may already have it installed.
2. Run sudo systemctl start ufw to start the UFW service.
3. Verify that the UFW installation went well. If the command sudo systemctl status ufw is successful, the result will display active (expired) in green, as seen below.
Ensure that UFW is installed and operational.
4. Run sudo ufw enable to enable UFW. When prompted whether you wish to proceed with the procedure (y|n), press Y and then Enter.
Enabling Ubuntu’s User-Front-End (UFW)
Remote Access Protocols Are Allowed
After installing the firewall, configure UFW to enable any protocols you want to use with the VPN.
To begin, make sure you are not locked out of your client: if your OpenVPN connection fails, you may need to log in using SSH. If the connection breaks down and you can’t get in through SSH, you’ll have to physically visit the device to reconnect.
1. Use the sudo ufw allow ssh command to allow SSH connections. The UFW firewall scans the /etc/services file for ports and protocols and opens them appropriately. You can see the output of the command below.
On Ubuntu, allowing SSH connections is a must.
When connecting over OpenVPN, it’s strongly suggested to add an additional degree of protection by asking your users to verify with an SSH key. This technique will keep you safe from brute-force assaults and illegal connections.
2. Then, by enabling traffic on the appropriate ports, you must add rules to enable the VNC protocol.
The VNC protocol is an optional feature. VNC, like SSH, permits remote access. SSH only allows for a text terminal, but VNC allows for a graphical interface. With the sudo ufw allow 5901:5910/tcp command, you may enable VNC traffic.
These instructions will provide a result similar to the one shown below.
Remote Access Protocols Are Allowed on Ubuntu with UFW
3. After you’ve entered your rules, double-check that they’ve been implemented correctly. As seen below, the sudo ufw show added command displays a list of all added rules.
Examining the UFW’s current regulations
Setting up the VPN Kill Switch
In this part, you’ll learn how to use the UFW firewall to set up the real kill switch. Run the two instructions below to get started.
- ufw default deny outgoing sudo
- ufw default deny inbound sudo
Aside from the expressly approved SSH connection and remote protocols you set up in the preceding sections, the ufw default deny command restricts all outgoing/incoming traffic to/from your system. The output of the commands may be seen in the image below.
UFW is used to block traffic.
Then, to allow your computer to connect to the VPN server, add an exception to the UFW ruleset: you’ll need your VPN server configuration file. The OpenVPN files used in this tutorial are titled ata.ovpn and were obtained from the NordVPN website.
It’s possible that the name of your OpenVPN configuration file is different. This tutorial follows the “ata” naming convention, but feel free to name yours anything you like!
Related: Torrenting VPNs for Free (In-Depth)
Next, use sudo head /etc/ata.ovpn to view at the ata.opvn OpenVPN configuration file. The information in the output comprises the port, protocol, and IP address of the VPN server you’re connected to, using NordVPN as an example.
Take note of the port, protocol, and public IP address information generated from the configuration file when crafting the right UFW command.
The example above shows how to open an OpenVPN config file for NordVPN.
Create the ufw after that. allow out the following command: sudo ufw allow out to 126.96.36.199 proto udp port 1194 sudo ufw allow out to 188.8.131.52 proto udp port 1194 sudo ufw allow out to As you can see, the IP address and port are from the remote configuration line, while the protocol is from the proto configuration line.
The VPN provider in this case is NordVPN. The 1194 UDP port must be open for NordVPN to work. If you’re using Express VPN, for example, you’ll need to open the 1195 UDP port rather than the 1194 port. Each VPN service may have its own set of UDP ports.
Adding an OpenVPN Firewall Exception
Of course, you must let OpenVPN over the firewall for effective functionality. With the exception of a few ports, you’ve blocked all incoming and outgoing traffic up to this point.
To begin, you must determine the OpenVPN client’s network interface name. To list all configured network interface names, use the ifconfig command, as shown below.
On Ubuntu, you may see a list of network interface names.
In the resultant list, look for the network interface named tun0. All incoming and outgoing communication passes via the tun0 interface, which is also the interface to allow. It’s a boot-time virtual interface, which basically implies it’s not a physical connection. In OpenVPN, this is the default interface.
To force all traffic via the VPN tunnel interface you discovered using ifconfig, add a firewall exception for it. Otherwise, you won’t be able to connect to the internet, and your kill switch will be disabled. To add an exception for OpenVPN traffic on the tun0 interface, use the command below.
sudo ufw allow out from any to any on tun0
On the tun0 interface, allowing outbound traffic is enabled.
Incoming VPN connections are required for certain apps, such as using a voice chat program while playing games. Run the following command to allow inbound connections:
sudo ufw allow in from any to any on tun0
Allowing traffic to enter the tun0 interface
Setting Up the OpenVPN Client
In this last part, you’ll use the previously prepared configuration to configure the OpenVPN client to operate as a service.
Begin by renaming your plain-text ata.opvn file to ata.conf (your filename may change). The files must be named with the *.conf file extension to execute the OpenVPN client as a background system service. You’ll also need to copy the file to the /etc/openvpn directory.
With sudo mv /root/ata.ovpn /etc/openvpn/ata.conf, you may move the config file.
The OpenVPN configuration file was moved and renamed.
Now go to /etc/openvpn and double-check that the file is there.
Files in the /etc/openvpn directory are shown.
Start the OpenVPN client service using the systemctl command and the configuration file in the /etc/openvpn directory. Run sudo systemctl start [email protected] to start the service.
The “ata” in the OpenVPN client name comes from the name of the configuration file that was utilized. Depending on the file’s name, yours can be different.
The OpenVPN service is being started.
Use the systemctl status command to see whether the OpenVPN service is up and functioning.
The active (running) green status of the OpenVPN service is indicated as shown below.
Checking the status of the OpenVPN service.
Finally, you must set up your device to automatically connect to your VPN provider. When you connect to the VPN automatically, OpenVPN will always be operating, even if you restart your computer.
Run the sudo systemctl enable [email protected] command, and the OpenVPN service will connect your device to the VPN automatically from now on whenever it begins.
Allow the OpenVPN service to run.
This article has walked you through the whole process of configuring a Linux killswitch for your VPN connection. If your network connection stops abruptly, a kill switch disconnects it from your computer, eliminating data breaches and keeping you secure online.
The “surfshark linux kill switch” is a tool that allows users to set up a Linux killswitch for VPNs. The tool will allow the user to disconnect from the VPN if they are using a public network, such as at an airport or coffee shop. The tool can be installed on Ubuntu and Debian-based systems.
- ufw vpn killswitch
- iptables vpn killswitch
- arch vpn kill switch
- openvpn killswitch windows 10
- vpn kill switch android