OpenVPN network kill switch

This is a weird issue nobody really answered on the internet.

How come the OpenVPN client, the one open-source, trustworthy VPN client everyone uses, STILL does not come with a kill switch which automatically disables your network connections if it drops the VPN connection, and preferably also if the process is killed?

Other VPN clients, which are based on OpenVPN but are closed source, DO have a built-in kill switch. Dafuq? I'm trying to move away from one of these closed-source clients and use OpenVPN.

The thing is, I don't trust Windows Firewall, nor do I want to be dependent on it (or on any firewall at all, if I can avoid it) for my network kill switch. So what can I do?

I've seen so many discussions on this, all with mixed results: complaints of fail-over to the normal connection if the VPN crashes/disconnects; firewall rules to prevent fail-over (configure a local firewall to disallow outbound traffic not originating from the OpenVPN process); find an OpenVPN client that supports running scripts on disconnection; write a script which disables your Ethernet interface on disconnection. I'm hoping someone here could shed some light on this (if possible)... But I believe that some clients have a feature like this built in (PrivateInternetAccess).

Yes, my current VPN client has a rudimentary kill switch. But it's not an open-source client (albeit based on OpenVPN).

I guess you kinda have no choice but to implement SOME form of firewall. You either need to check each packet to see if it's about to go through the VPN or not (which the firewall can't know, right? Because your VPN IP/location is not set in stone), or you need to check if something happened to the VPN program/connection and, if so, stop all network connections.

Also, you need to start Windows with all connections guaranteed forced off until the VPN connects.

And on Android it's the same, no kill switch. And on top of that you get the Android VPN protocol, which is 100% unreliable for privacy as it can itself drop or leak in various situations.

I wonder if at least somebody has figured it out reliably for Linux?

Through scripts and the like it is possible. I do have some things I could post... (try at your own risk)

This is one possible implementation I've seen.

This is a Docker project so some tweaking is needed, but the idea is:

  • Run OpenVPN as a specific group ("vpn" in this case)
  • Allow all traffic out of tun and tap interfaces
  • Allow all DNS traffic
  • Allow all traffic by the vpn group, or where the destination port is 1194
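The group/interface/port policy described in the list above, written out as an iptables script for Linux. This is an added example, not code from the thread or from the Docker project it mentions, and it deliberately departs from the list in one place: DNS is not opened on every interface, because a resolver query allowed out of the physical interface is exactly the leak a kill switch exists to stop; since everything leaving tun+/tap+ is already allowed, DNS still works through the tunnel. The group name "vpn", UDP port 1194, the LAN subnet and the way OpenVPN is launched (`sg vpn -c 'openvpn --config client.ovpn'`, so that its sockets are created under that group and match `--gid-owner`) are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example for the OpenVPN kill-switch thread; not the Docker project's code.
# Linux only: the owner match (-m owner --gid-owner) has no Windows equivalent.
#
# Policy (OUTPUT chain, default DROP, first match wins):
#   loopback            always allowed
#   LAN subnet          allowed (router, printers); drop this rule for a stricter box
#   tun+ / tap+         anything already inside the tunnel is allowed (DNS included)
#   gid-owner "vpn"     the OpenVPN process itself may talk to the server
#   udp/1194            the VPN port is reachable from anything (as in the thread)
# Nothing else leaves the physical interface, so if OpenVPN dies or the tunnel
# drops, traffic fails closed instead of falling back to the normal connection.
#
# Assumptions (hypothetical, adjust to your setup):
#   VPN_GROUP  group OpenVPN's sockets carry, e.g. started with
#              sg vpn -c 'openvpn --config client.ovpn'
#   VPN_PORT   port of the VPN server (1194 as in the thread)
#   LAN_NET    local subnet you still want to reach while the VPN is down
set -u

VPN_GROUP="${VPN_GROUP:-vpn}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-1194}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rule set, one iptables argument list per line, so it can be
# reviewed before being applied. The policy is set to DROP before any ACCEPT
# rule is added, so the box is never open during the reload.
killswitch_rules() {
  cat <<EOF
-F OUTPUT
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d ${LAN_NET} -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o tap+ -j ACCEPT
-A OUTPUT -m owner --gid-owner ${VPN_GROUP} -j ACCEPT
-A OUTPUT -p ${VPN_PROTO} --dport ${VPN_PORT} -j ACCEPT
EOF
}

# Apply the rule set with iptables (needs root). Never run automatically below.
killswitch_apply() {
  killswitch_rules | while read -r line; do
    # shellcheck disable=SC2086  # splitting the rule into arguments is intended
    iptables $line
  done
}

# Sanity check that runs without root: the default policy must be DROP and
# every ACCEPT rule must be scoped to an interface (-o), a destination (-d),
# the owner group or the VPN port. Any unscoped ACCEPT would open the physical
# interface to every process, silently defeating the kill switch.
# Returns 0 if the rule set is fail-closed, 1 otherwise.
killswitch_check() {
  _rules="$(killswitch_rules)"
  printf '%s\n' "$_rules" | grep -q -- '^-P OUTPUT DROP$' || return 1
  if printf '%s\n' "$_rules" | grep -- '-j ACCEPT' \
      | grep -v -e ' -o ' -e ' -d ' -e '--gid-owner' -e "--dport ${VPN_PORT}" \
      | grep -q .; then
    return 1
  fi
  return 0
}

case "${1:-}" in
  apply) killswitch_check && killswitch_apply ;;
  check) killswitch_check && echo "rule set is fail-closed" ;;
  *)     killswitch_rules ;;
esac
```

Run it with no arguments to print the rules, `check` to verify the set is fail-closed, and `apply` (as root) to load it. Two caveats a practitioner should keep in mind: `--gid-owner` matches the group of the process that created the socket, so starting OpenVPN as root and only using its `--group` option to drop privileges afterwards will not satisfy that rule (hence the `sg` launch assumed above); and the rules live in the running kernel only, so to meet the "off until the VPN connects" requirement raised earlier in the thread they must be restored at boot (for example with iptables-save/iptables-restore from a unit that runs before networking) rather than applied by hand.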