Any way to add a VPN killswitch to network manager?

I recently switched from Fedora KDE to the immutable version Kinoite. It’s been a pretty seamless switch except for issues with my VPN client. It simply doesn’t work and I’ve had to resort to importing VPN configs to the network manager which I’m fine with. Only thing I wish I still had is a killswitch to ensure no connections are made with my real IP. Is there any way to do this with network manager, or any clients I can install and add my configs to which have a killswitch built in? Appreciate any help!

1 Like

I have always found the apparent lack of a VPN kill switch in Linux distributions surprising, so I’ll be very interested to see if anyone can give a direct answer to your question.

It’s not answering your question, but I’ve always had to resort to playing games with the firewall to disallow traffic not passing through the VPN. You can probably find some hints on this on the web appropriate to your own setup (assuming you’re not doing this already), but FWIW here’s an example from IVPN.

2 Likes - wireguard kill switch guide

1 Like

Doing it at the firewall level rather than within the VPN client (whether that’s nm or the provider’s custom client) is the “correct”/best way to do it though.

You can always use iptables like many guides suggest. It’s also trivial with more user-friendly firewalls like ufw… basically all you have to do is block all network traffic, allow network traffic to the VPN’s IP, and then allow network traffic through the VPN interface. Whichever firewall you prefer it shouldn’t take more than 4-5 commands, for example:

sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out to [VPN IP] port [VPN Port] proto udp
sudo ufw allow out on tun0 from any to any

I think you should ask for help in the Fedora forum, maybe.

VPN but which protocol are you talking about? The use of OpenVPN and WireGuard protocols are popular on personal computers. The kill-switch applies to OpenVPN and works with a series of iptables/firewall commands. The working principle of the protocol is different from OpenVPN as WireGuard is a type of connection between peers and therefore does not need any kill-switch. If this is incorrect information, please warn me and share the correct information.

Also, when I did a search about this on the Fedora forum, I found this.

As @jonah alluded to, doing it at the level of the firewall is the more certain and dependable way in my eyes.

The firewall included in Fedora is called firewalld. You can set up firewall rules to using this. Its not quite as simple and intuitive as ufw, it has some more complex concepts, but it is totally doable, and I think there are some tutorials.

firewald and ufw are frontends, there is this guide that uses nftables, which is available everywhere.

A similar issue was discussed in the Fedora forum. When the connection of a WireGuard client, to which all traffic is routed, goes down, it naturally gets the kill switch function, unless it is manually disabled.

NetworkManager preserves the WireGuard interface and its default route even when the server is down or unreachable which effectively provides a routing based kill switch OOTB.

For other VPN protocols that connect to a VPN server and authenticate, this is invalid and extra settings are required for the kill switch function.

You could experiment with usage of Network Manager’s dispatcher service (/etc/NetworkManager/dispatcher.d/)


INTERFACE="eth0" # replace with your primary interface name
VPN_CONNECTION_NAME="myvpn" # replace with your VPN connection name

# Get the UUID of the VPN connection
VPN_UUID=$(nmcli -t -f uuid con show "$VPN_CONNECTION_NAME")

# Check if the affected connection is the VPN and if it's down
if [ "$CONNECTION_UUID" == "$VPN_UUID" ] && [ "$2" == "down" ]; then
    # Disconnect the primary network interface
    nmcli device disconnect "$INTERFACE"