VPN Protocol Question: Why can't Wireguard itself provide killswitch capabilities?

Title.

Why can’t Wireguard config files with the Wireguard app provide kill switch capabilities on macOS and Windows?

On macOS, the Wireguard app hasn’t been updated in a while and I wonder why or if there really was no need to.

Is there a technical reason why there is no built-in kill switch with Wireguard? Please explain if you know or are technical enough - but in a way a tech-savvy person can understand. I am very tech savvy, but not technical enough or a developer to fathom the esoteric lexicon associated with this subject matter.

Thanks!


On my Windows laptop, the native WireGuard app has a kill switch option ticked off, and I think on macOS the native app has On-Demand.

As long as the WireGuard client is active, all traffic routed to the client will continue to be encrypted and sent to the destination WireGuard endpoint, regardless of whether the endpoint server is active or not. If the configuration on the endpoint server is still valid, it will accept encrypted traffic from the client. If the configuration on the server is no longer valid or the server is not active, it will not be able to accept encrypted traffic from the client, and no connection will be established between the WG client and the WG server. In this scenario, the traffic routed to the WG client should not leak. Have you had any experience to the contrary?


I know you can set up a kill switch on Linux via the terminal. And I have done that. I was more thinking/asking for macOS and Windows.

So, as far as I understand - no “killswitch” strictly but all traffic should still go through the client nonetheless? So, is there no chance for traffic to go outside of it in any circumstance?

No, or not that I know of, but I am asking to learn why there is no actual killswitch capability when other VPN apps can offer one.

The protocol should work the same on other OSs. The reason the quote in my previous post is about Linux is that I mentioned the same subject in another thread about Linux. If you read the Fedora forum thread in my quoted message, you will see that they explain the WireGuard and kill switch relation without going into technical details.

Manipulate the endpoint address or port number in any WG configuration file, activate the client and try to access the internet in any web browser. You probably will not be able to access the internet, as there is no connection between the client and the endpoint. Check the connections established by your device in the web UI of your router, or use programs like Wireshark. I guess this way you can find out whether the traffic is leaking out of the WireGuard tunnel.

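The leak check suggested in the reply above, as an added example that is not part of the thread or of the WireGuard project: given the `Endpoint` from a config and a list of outbound flows observed on the host (the kind of data a router's connection table or Wireshark produces), it reports every flow that left on a physical interface and is not the encrypted UDP stream to the WireGuard endpoint. The config, the interface names (`en0`, `utun3`) and the flows are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed full-tunnel config (keys redacted, endpoint in a documentation address range).
SAMPLE_CONFIG = """[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 10.8.0.1
[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

@dataclass(frozen=True)
class Flow:
    iface: str     # interface the packet left on, e.g. "en0" (Wi-Fi) or "utun3" (WireGuard)
    proto: str     # "udp" or "tcp"
    dst_ip: str
    dst_port: int

# Constructed observations, as a router connection table or a Wireshark capture would show them.
SAMPLE_FLOWS = [
    Flow("en0", "udp", "203.0.113.10", 51820),   # the encrypted tunnel stream itself: expected
    Flow("utun3", "tcp", "198.51.100.20", 443),  # HTTPS carried inside the tunnel: expected
    Flow("en0", "udp", "192.0.2.53", 53),        # DNS sent on the physical interface: a leak
]

def parse_endpoint(config: str) -> Tuple[str, int]:
    """Return (host, port) from the [Peer] Endpoint line; accepts [v6addr]:port as well."""
    m = re.search(r"^\s*Endpoint\s*=\s*(?:\[([^\]]+)\]|([^\s:]+)):(\d+)\s*$", config, re.M)
    if not m:
        raise ValueError("config has no Endpoint line")
    return (m.group(1) or m.group(2)), int(m.group(3))

def is_full_tunnel(config: str) -> bool:
    """True when AllowedIPs sends all IPv4 and IPv6 traffic into the tunnel."""
    m = re.search(r"^\s*AllowedIPs\s*=\s*(.+?)\s*$", config, re.M)
    nets = {n.strip() for n in m.group(1).split(",")} if m else set()
    return "0.0.0.0/0" in nets and "::/0" in nets

def find_leaks(config: str, flows: List[Flow], wg_iface: str) -> List[Flow]:
    """Flows that bypassed the tunnel: not on the WG interface and not the WG UDP stream."""
    ep_host, ep_port = parse_endpoint(config)
    return [f for f in flows
            if f.iface != wg_iface
            and not (f.proto == "udp" and f.dst_ip == ep_host and f.dst_port == ep_port)]
```

With the endpoint deliberately broken as the reply describes, any flow this reports on the physical interface other than the tunnel stream is traffic that escaped the tunnel.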

I see. Thank you for the explanation. I’ll try that out.
