
Force system to stick to VPN only with *NIX iptables script

If you’re looking to protect your traffic using OpenVPN on a Linux system, be aware that should your VPN connection unexpectedly end, your traffic may revert to being routed unhidden through your ISP.

In order to prevent this from happening, you may use iptables on Linux/*NIX as a form of ‘killswitch’.

OpenVPN is quite sophisticated in what data it will give you, and at what stages of its connection process you can get at it. Usefully, it takes the following argument:

    --route-up up-script.sh

up-script.sh should contain shell code to be run just after the routing table has been updated, but before the connection is fully established. OpenVPN sets the environment variable $trusted_ip with the public IP address of the server it just connected to.

Here is the content of the up-script.sh:

    #!/bin/sh
    # Start from an empty filter table, then allow only what the VPN needs.
    iptables -F
    # Anything that travels through the tunnel interface is allowed.
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    # Loopback traffic.
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
    # Unencrypted traffic only to and from the VPN server itself
    # (OpenVPN exports its public address as $trusted_ip).
    iptables -A INPUT -s "$trusted_ip" -j ACCEPT
    iptables -A OUTPUT -d "$trusted_ip" -j ACCEPT
    # Add rules to allow things like SSH access, or any other necessary iptables rules here.
    # Everything else is dropped.
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    # Put code here to launch applications that should only be started post-leak protection.

Here is how you should start the VPN:

    openvpn --config /path/to/server.conf --script-security 2 --route-up /path/to/up-script.sh --daemon --log /path/to/vpn.log

The --daemon flag makes OpenVPN run in the background, and vpn.log will contain log information. Note that OpenVPN only executes user-defined scripts such as up-script.sh when --script-security 2 (or higher) is given; without it OpenVPN logs a warning that external programs may not be called, and the killswitch rules are never installed.
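As an added example that is not part of this article or of OpenVPN's own code, here is the same killswitch written to fail closed: it validates $trusted_ip before touching the firewall and loads every rule in a single iptables-restore transaction with DROP default policies, so there is no moment between iptables -F and the DROP rules in which traffic could leak. It assumes iptables-restore is installed and relies only on the trusted_ip variable OpenVPN exports to --route-up scripts.

```sh
#!/bin/sh
# Added example, not the article's script: the same kill switch loaded in one
# iptables-restore transaction (no window between a flush and the DROP rules)
# with default DROP policies, and with trusted_ip validated before any change.
set -eu

# Accept only a dotted-quad IPv4 address. An empty or malformed trusted_ip
# must not lead to a flushed firewall with a useless "-s" rule.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule set in iptables-restore format for the given VPN server IP.
build_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -i tun+ -j ACCEPT' \
        '-A OUTPUT -o tun+ -j ACCEPT' \
        "-A INPUT -s $1 -j ACCEPT" \
        "-A OUTPUT -d $1 -j ACCEPT" \
        'COMMIT'
}

# Validate first, then replace the whole filter table atomically. On a bad
# address nothing is touched: whatever rules were loaded before stay in place.
apply_ruleset() {
    is_ipv4 "$1" || { echo "killswitch: bad trusted_ip '$1'" >&2; return 1; }
    build_ruleset "$1" | iptables-restore
}

# OpenVPN exports trusted_ip to --route-up scripts; do nothing when it is unset
# (e.g. when the file is sourced for a dry run).
if [ -n "${trusted_ip:-}" ]; then
    apply_ruleset "$trusted_ip"
fi
```

Running build_ruleset with a sample address prints the rules without applying them, which is a convenient way to review the rule set before pointing --route-up at the script.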

Voilà, that's pretty much about it. Enjoy!