A kill switch is crucial when using a VPN like Astrill VPN to prevent data leaks if the VPN connection drops. This configuration focuses on OpenVPN, a popular protocol supported by Astrill VPN. The goal is to ensure that all network traffic is blocked if the Astrill VPN OpenVPN connection is interrupted.
This setup assumes a basic understanding of Linux networking and OpenVPN client configuration. The core idea is to restrict all traffic to the OpenVPN tunnel interface and block traffic if that interface disappears. We use iptables to manage firewall rules.
First, create or modify your OpenVPN client configuration file (e.g., astrill.ovpn). Add the following options:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Next, create a script named /etc/openvpn/killswitch.sh with the following content:
#!/bin/bash
# Kill switch for the Astrill VPN OpenVPN tunnel, run by OpenVPN as its
# up/down handler. "up" installs rules that only let traffic leave through
# the tunnel, "down" deliberately keeps them so nothing leaks while the
# tunnel is gone, and "off" is a manual action that opens the firewall again.
# Tunnel interface: OpenVPN exports it as $dev (replace tun0 if needed)
INTERFACE="${dev:-tun0}"
# Physical network interface (e.g., eth0, wlan0)
NETWORK_INTERFACE="eth0"
# Your local subnet
LOCAL_SUBNET="192.168.1.0/24"
# VPN server address/port, exported by OpenVPN as trusted_ip/trusted_port,
# so OpenVPN itself can reconnect while everything else stays blocked
VPN_SERVER="$trusted_ip"
VPN_PORT="${trusted_port:-1194}"
VPN_PROTO="udp"   # use tcp if your Astrill profile says "proto tcp"
case "${1:-$script_type}" in
up)
    # Default-deny policies first, so the flush below fails closed, not open
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -F
    iptables -X
    # Allow established/related connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow traffic on the local network
    iptables -A INPUT -i "$NETWORK_INTERFACE" -s "$LOCAL_SUBNET" -j ACCEPT
    iptables -A OUTPUT -o "$NETWORK_INTERFACE" -d "$LOCAL_SUBNET" -j ACCEPT
    # Allow only OpenVPN's own channel out of the physical interface (drop
    # the -d match if the server address changes between connections)
    if [ -n "$VPN_SERVER" ]; then
        iptables -A OUTPUT -o "$NETWORK_INTERFACE" -d "$VPN_SERVER" \
            -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    fi
    # Allow DNS resolution, but only through the tunnel, so queries cannot
    # leak out of the physical interface while the tunnel is down
    iptables -A OUTPUT -o "$INTERFACE" -p udp --dport 53 -j ACCEPT
    # Allow everything else on the OpenVPN tunnel
    iptables -A OUTPUT -o "$INTERFACE" -j ACCEPT
    iptables -A INPUT -i "$INTERFACE" -j ACCEPT
    # iptables covers IPv4 only; block IPv6 or it bypasses the tunnel entirely
    if command -v ip6tables >/dev/null 2>&1; then
        ip6tables -P INPUT DROP
        ip6tables -P FORWARD DROP
        ip6tables -P OUTPUT DROP
        ip6tables -F
        ip6tables -A INPUT -i lo -j ACCEPT
        ip6tables -A OUTPUT -o lo -j ACCEPT
    fi
    ;;
down)
    # Tunnel gone: keep the blocking rules until it returns or "off" is run
    ;;
off)
    # Manual reset (sudo /etc/openvpn/killswitch.sh off): open the firewall
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    if command -v ip6tables >/dev/null 2>&1; then
        ip6tables -F
        ip6tables -P INPUT ACCEPT
        ip6tables -P FORWARD ACCEPT
        ip6tables -P OUTPUT ACCEPT
    fi
    ;;
esac
# OpenVPN honours only one up/down command, so hand off to update-resolv-conf
# here (it reads $script_type itself) to keep DNS handling working
if [ -x /etc/openvpn/update-resolv-conf ]; then
    /etc/openvpn/update-resolv-conf
fi
exit 0
Make the script executable: chmod +x /etc/openvpn/killswitch.sh.
Finally, register the script in the OpenVPN configuration file (astrill.ovpn). OpenVPN keeps only one up and one down command (a later directive replaces an earlier one), and a command that takes arguments must be quoted, so replace the update-resolv-conf lines added earlier with:
script-security 2
up "/etc/openvpn/killswitch.sh up"
down "/etc/openvpn/killswitch.sh down"
If you rely on update-resolv-conf for DNS, the kill switch script is now the place to invoke it, rather than a second up/down line.
The script permits DNS (UDP port 53) so that name resolution works once the tunnel is up. Ensure your /etc/resolv.conf is properly configured, or let Astrill VPN manage it via update-resolv-conf. The firewall does not set up routing: OpenVPN's pushed default route is what sends traffic through the tunnel interface, and the rules only make sure nothing can leave by any other path.
Start the Astrill VPN OpenVPN connection.
Verify your public IP address has changed.
Disconnect the OpenVPN connection (e.g., sudo killall openvpn).
Attempt to access the internet. It should be blocked.
Reconnect the Astrill VPN OpenVPN connection. Internet access should be restored.
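The steps above verify the kill switch on a live host. As an added example that is not part of the original guide, the POSIX shell function below audits an iptables-save dump of the filter table for the invariants the kill switch must hold (OUTPUT policy DROP, an ACCEPT for the tunnel interface, and no OUTPUT ACCEPT that can leave a physical interface without being pinned to a destination). The two rule dumps are constructed samples; the interface names, the 203.0.113.10 server address and port 1194 are assumptions.

```shell
#!/bin/sh
# Audit an iptables-save filter-table dump for kill-switch invariants: OUTPUT
# policy DROP, an ACCEPT for the tunnel, and no OUTPUT ACCEPT that can leave a
# physical interface. Usage: audit_killswitch TUN_IF < dump (prints findings,
# returns 0 only when clean). Sample dumps below are constructed, not real.
# LEAKY: policy ACCEPT plus a DNS rule that is not pinned to the tunnel.
LEAKY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'
# TIGHT: every ACCEPT on the physical interface is pinned to a destination.
TIGHT_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT'
audit_killswitch() {
    tun="$1"; findings=0; seen_tun=0
    while IFS= read -r line; do
        case "$line" in
            ":OUTPUT DROP"*) ;;
            ":OUTPUT "*)
                echo "OUTPUT policy is not DROP, a flush would fail open: $line"
                findings=$((findings + 1)) ;;
            "-A OUTPUT "*ACCEPT*)
                case "$line" in
                    *"-o $tun "*) seen_tun=1 ;;                # tunnel traffic
                    *"-o lo "*|*"--ctstate "*) ;;               # loopback, reply packets
                    *" -d "*"-o "*|*"-o "*" -d "*) ;;           # pinned to interface and destination
                    *) echo "ACCEPT can leave a physical interface: $line"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$seen_tun" -eq 1 ] || { echo "no ACCEPT rule for tunnel $tun"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}
```

On a real host, feed it the live rule set with `iptables-save -t filter | audit_killswitch tun0`, and run the same audit against `ip6tables-save` since IPv4 rules say nothing about IPv6.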
Adjust the INTERFACE, NETWORK_INTERFACE, and LOCAL_SUBNET variables in the script to match your system.
This configuration is a basic example. You might need to adjust it based on your specific needs.
Rules installed this way live only in the running kernel and are gone after a reboot. Consider using a more persistent firewall solution like ufw or firewalld for a more robust setup; this example uses plain iptables for clarity and simplicity.
Always test the kill switch thoroughly after making any changes.
The update-resolv-conf script is provided by the openvpn package on most Linux distributions.