4

What I want to do is to have the internet connection disabled completely when the VPN connection goes down. I am connecting to my VPN (privatevpn.com) through Viscosity.

I have tried everything in the book. I have tried to have disconnect scripts in Viscosity, but they never trigger, or trigger inconsistently and leave my connection vulnerable. I also tried routing tricks in Viscosity, but that doesn't work either.

On my Ubuntu machines I have a solution that works perfectly: I use ufw rules to control the firewall. In order to connect to my VPN I need to disable UFW, and once the VPN has connected I enable UFW, which keeps the connection tight and stops it from leaking.

There is something called pf on Mac. I might be able to configure pf to work the same way as my ufw rules work, but I don't understand how to configure it.

Here are my UFW rules that I would like to run on the Mac as well. Maybe someone can help me configure pf to use the same rules?

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    193.180.119.0/24
Anywhere                   ALLOW OUT   193.180.119.0/24

2 Answers

7

The best thing I have found is to use PF, which is available on Mac OS X; after you connect to your VPN provider you just need to change the IP.

Create a file ~/killswitch/pf.conf containing this:

# Options
set block-policy drop            # drop silently, do not answer with RST/ICMP unreachable
set ruleset-optimization basic
set skip on lo0                  # never filter loopback traffic

# Interfaces (check the names with: ifconfig)
wifi = "en1"
vpn = "utun1"

# Block everything by default, in both directions
block out all
block in all

# Outbound on the physical link: allow only the VPN server itself
pass out on $wifi proto {tcp, udp} from any to 81.171.71.XX

# Everything inside the tunnel is allowed (replies are matched by state)
pass out on $vpn all

Double check your interfaces; in my case en1 is the WiFi and utun1 the VPN tunnel.

Change 81.171.71.XX to the IP you get when you connect.

Enable pf:

$ sudo pfctl -e 

Load the rules:

$ sudo pfctl -Fa -f /path/to/pf.conf 

Disable pf:

$ sudo pfctl -d

I had to implement this due to an issue with ipvanish, mainly because the application was crashing, making the VPN go down, and traffic was back on the default, non-encrypted route.

Update

You can give killswitch a try; it can do all this for you automatically.

nbari
  • 323
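Added example, not part of nbari's answer or of any VPN provider's tooling: a bash script that builds the same kind of pf kill switch from the `remote` line of an OpenVPN/Viscosity profile, allows DHCP lease renewal on the physical link (otherwise the lease eventually expires behind a "block out all"), and loads the result with pfctl. The interface names, the 203.0.113.10 endpoint and the profile snippet in the usage comment are constructed for illustration; the endpoint must already be an IP address, since nothing on the physical link can resolve names once the rules are loaded.

```shell
#!/bin/bash
# Added example: generate and load a pf kill switch for a VPN tunnel on macOS.
# Not the original answer's file; interface names and addresses are placeholders.
set -eu

# Print "host port" from the first active "remote" line of an .ovpn profile
# read on stdin. Commented lines ("# remote ...", "; remote ...") are skipped
# because their first field is not the bare word "remote". Port defaults to 1194.
vpn_remote_from_ovpn() {
    awk '$1 == "remote" { port = ($3 != "") ? $3 : 1194; print $2, port; exit }'
}

# Print a pf ruleset that drops everything on the physical interface except
# DHCP and the VPN server endpoint, and passes everything on the tunnel.
# pf "pass" rules keep state by default, so replies to allowed traffic come back.
#   $1 physical interface (en1), $2 tunnel interface (utun1),
#   $3 VPN server IPv4 address, $4 VPN server port, $5 udp|tcp
gen_killswitch_rules() {
    local phys="$1" tun="$2" ip="$3" port="$4" proto="$5"
    case "$ip" in
        ''|*[!0-9.]*)
            echo "gen_killswitch_rules: '$ip' is not an IPv4 address; resolve the hostname first" >&2
            return 1 ;;
    esac
    cat <<EOF
set block-policy drop
set skip on lo0

phys = "$phys"
vpn  = "$tun"

block out all
block in all

# DHCP on the physical link only (client port 68 -> server port 67), so the
# lease can be renewed without opening anything else
pass out on \$phys proto udp from any port 68 to any port 67

# The only clear-text destination: the VPN server endpoint
pass out on \$phys proto $proto from any to $ip port $port

# Everything inside the tunnel
pass out on \$vpn all
EOF
}

# Load a ruleset (needs root). "pfctl -e" exits non-zero when pf is already
# enabled, which is not an error here. -Fa flushes old rules AND the state
# table, so a stale endpoint from a previous session cannot linger.
load_killswitch() {
    local conf="$1"
    sudo pfctl -e 2>/dev/null || true
    sudo pfctl -Fa -f "$conf"
    sudo pfctl -sr          # show the rules that are actually loaded
}

# Usage (placeholders): write the ruleset for a constructed endpoint, then load it
#   vpn_remote_from_ovpn < ~/Library/.../profile.ovpn     -> "203.0.113.10 1194"
#   ./killswitch.sh en1 utun1 203.0.113.10 1194 udp > ~/killswitch/pf.conf
#   load_killswitch ~/killswitch/pf.conf
if [ "$#" -eq 5 ]; then
    gen_killswitch_rules "$@"
fi
```

Because `-Fa` also clears the state table, existing TCP flows inside the tunnel are cut until the applications reconnect; to swap rules on a live session, load with `pfctl -f` alone. Verify the result with the VPN down: `pfctl -s rules` should show only the DHCP and endpoint passes on the physical interface, and a `curl` to any other address should hang rather than connect.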
0

Could this script do the trick?

#!/bin/bash

# Poll the VPN state; when no service reports "Connected", stop Transmission
while true
do
  result=$(scutil --nc list | grep Connected)
  if [ -z "$result" ]; then
     killall Transmission
     exit
  fi
  sleep 5   # avoid a busy loop that pins a CPU core
done
Toto
  • 19,304
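Added example, not part of Toto's answer: the same polling idea, but reading the state of one named service out of the `scutil --nc list` output instead of grepping for "Connected" anywhere, sleeping between polls, and running a caller-supplied handler on disconnect. The sample listing in the test is constructed to match the "(State) id type "name" [type]" line shape; whether the Viscosity tunnel itself appears in that list is an assumption to check on the machine (`scutil --nc list` shows the VPN services configured in Network preferences). The poll interval is also the leak window, which is why a poller like this complements pf rules that are already loaded rather than replacing them.

```shell
#!/bin/bash
# Added example: detect a named VPN service dropping out of "Connected" state.
# Not the original answer's script; the listing format it parses is assumed.

# Read "scutil --nc list" output on stdin and print the parenthesised state
# ("Connected", "Disconnected", ...) of the service whose quoted name is $1.
# Prints nothing when the service is not listed.
vpn_state_from_list() {
    local name="$1"
    awk -v name="\"$name\"" '
        index($0, name) {
            if (match($0, /\([A-Za-z]+\)/)) {
                print substr($0, RSTART + 1, RLENGTH - 2)
                exit
            }
        }'
}

# True when the service is not reported as Connected (absent counts as down).
vpn_is_down() {
    [ "$(vpn_state_from_list "$1")" != "Connected" ]
}

# Poll every $2 seconds; when service $1 is no longer Connected, run $3 once.
#   monitor_vpn "privatevpn" 5 "killall Transmission"
monitor_vpn() {
    local name="$1" interval="$2" on_down="$3"
    while :; do
        if scutil --nc list | vpn_is_down "$name"; then
            $on_down
            return 0
        fi
        sleep "$interval"
    done
}
```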