OpenVPN Kill Switch



  • I have an OpenVPN client setup and running with pfSense, where pfSense is connecting to an OpenVPN server and routing all traffic through the VPN. Everything is working great. The issue that I have is that if the VPN drops, my connection is still connecting unencrypted. Is there a way to make it so that if the VPN drops, my internet cuts off until it's restarted?



  • configure your floating firewall rules accordingly so only VPN traffic can leave WAN. pass that out on WAN, block everything else.



  • Can you please link to a reference that a non-technical person can use to do this configuration?



  • I'd actually like to see a screenshot of how this is configured myself, if anyone can post one!



  • I am also very interested to know how this is set up, if someone could explain how to ensure that the only the VPN is allowed through he WAN that would be greatly appreciated. =)


  • LAYER 8 Netgate

    Firewall > Rules, Floating tab

    Action: Pass
    Disabled: unchecked
    Quick: checked
    Interface: WAN
    Direction: out
    TCP/IP Version: IPv4
    Protocol: UDP
    Source: any
    Destination: any
    Destination port range: 1194

    Then below that rule:

    Action: Reject
    Disabled: unchecked
    Quick: checked
    Interface: WAN
    Direction: out
    TCP/IP Version: IPv4
    Protocol: any
    Source: any
    Destination: any
    Destination port range: any

    That will allow outbound connections to any server on UDP 1194 and block everything else.  You could limit the destination IP to just your VPN server's IP with a destination of single host or alias.  Naturally, if you do not connect on UDP 1194 you will need to adjust the Pass rule.  You will not be able to resolve DNS or anything out WAN with these rules in place.  All traffic except UDP 1194 will be blocked.



  • Thank you very much. I got it working!



  • Ok so I thought it was working, well its half working.  So Im using UDP port 1126 for my VPN.  Anyways I realized that if I block any on protocol, my VPN cant connect for some reason even though pass UDP 1126 is the first rule.  Is there any reason why the openvpn would be using some other port/protocol to initiate connection?


  • LAYER 8 Netgate

    Is quick checked on the pass rule on UDP/1126 on WAN out?  The source should be any any, the dest should be any UDP/1126.  The dest IP address could optionally be your remote server IP address to further limit the rule.



  • Yes quick is checked on both the pass rule and the block rule.

    Here is a screenshot of both my rules.
    https://imgur.com/Z9ywGxZ,6vAzcwq#0

    The order on my floating rules is the Pass rule is on top, block rule is 2nd.

    Now the issue is if I turn off the block rule, then I can connect to my VPN, I can at that point re-enable the block rule and my VPN stays connected and all is good. But if the block rule is enabled and I lose my VPN connection and it needs to reconnect, it cannot do so.  I just dont want to have to manually come into pfsense each time it loses connection to turn on and off the firewall rules to reconnect.

    Does OpenVPN require some other port to do the initializing sequence or something?


  • LAYER 8 Netgate

    Like I said in my original post, you won't be able to do ANYTHING but connect to the VPN.  If you are using a hostname instead of IP address for the VPN server you probably won't be able to resolve it, etc.  You might very well have to pass some other things (like DNS) in order to get it to work.  I don't know how paranoid you are about DNS leakage, etc.  Most people seem to be all wrapped around the axle about it when it really doesn't matter if all you're trying to do is watch TV from another location.

    ETA: Note that the DNS servers used by the firewall and the DNS servers given to your client hosts to use don't have to be the same.  You could configure the rules to allow connections to your ISP DNS servers, and put those in the DNS server settings for pfSense to use (System > General Setup) but tell your client hosts to use DNS servers provided by your VPN provider.  The latter DNS servers would only be reachable if the VPN is up.



  • Ok so I have changed the VPN address to the IP address instead of the name.  It appears to allow connection now with the firewall rules in place.  Is there any disadvantage to using the actual IP rather then the name?  I used the DNS reverse lookup to find it and it appears there are 4 seperate IPs can all link to the same address. I just picked one.


  • LAYER 8 Netgate

    If they change IPs it will break.  I'd pass DNS correctly.  It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc.  Your firewall should be able to resolve DNS.



  • @Derelict:

    If they change IPs it will break.  I'd pass DNS correctly.  It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc.  Your firewall should be able to resolve DNS.

    exactly copy your openvpn rule and adjust it to work for DNS. pfsense webgui can/will go nuts without DNS :))



  • Will this configuration pass DNS outside of the VPN only for resolving the VPN host address when connecting to VPN (or when automatically re-connecting to VPN after an unplanned disconnection), and otherwise pass all other DNS through the VPN?



  • Hi,

    I don't like the floating rules trick because when the VPN goes down, it cannot reconnect anymore, blocked by the rule. But there is a workaround. Take a look at this post

    Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.

    "By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down"

    So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.

    This works for me :)



  • I want the kill switch, which kills outgoing connections if OpenVPN is not running, otherwise the VPN will not make any sense - if it turns off, and aggravate my real IP address will be released.
    My PC - Raspberry Pi is a 3 in this situation, and I am using OpenVPN via TCP, and will have fritz.box connected me to the WAN network.
    I also tested the scripts, but also did not work (I think it's the same error?).
    from here i got about this idea: https://www.vpnranks.com/vpn-with-kill-switch/





  • The router, by definition, must always have access to the internet, or else it would not be able to contact the VPN server to establish the tunnel in the first place. You might be able to construct firewall rules to limit outgoing traffic -- only allowing certain destination hosts, for example -- but it might end up causing lots of headaches.


Log in to reply