This is what I follow and use ProtonVPN or any VPN on Linux (albeit with less flexibility but with certainty):
Wireguard VPN via Terminal with Killswitch:
- Download config file
- Open config file
- Add the following under “Interface” section:
> PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
> PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
- Save file
- Add file in folder:
admin:///etc/wireguard - Enter this in terminal:
systemctl enable wg-quick@config-file-name - Enter system password to authenticate when prompted
- Start VPN:
sudo wg-quick up config-file-name - Reboot system with
rebootorsystemctl reboot
Now you have Wireguard VPN (with any service of your choice) with killswitch enabled that blocks all internet traffic and ensures all traffic goes through that encrypted tunnel as soon as OS connects to the internet and starts transmitting.
Follow Mullvad and Proton support website for more details: