This guide details configuring a robust kill switch on a MikroTik router to prevent data leaks when your HideIPVPN connection drops. We will use nftables for firewall rules.
Prerequisites:
- A working HideIPVPN connection configured on your MikroTik router (WireGuard or OpenVPN).
- Basic familiarity with MikroTik RouterOS.
- RouterOS v7 or later (for nftables).
Configuration steps. Together they create a firewall that only forwards LAN traffic through the HideIPVPN tunnel.
1. Identify the VPN Interface: Determine the name of your VPN interface (e.g., wireguard1, openvpn-client); it is referenced by the rules below.
2. Create Address Lists: Create one list for the allowed local network and one for the VPN server IP.
/ip/firewall/address-list
add address=192.168.88.0/24 list=local_network comment="Your LAN"
add address=10.10.10.10 list=vpn_server comment="HideIPVPN Server IP"
Replace 192.168.88.0/24 with your local network and 10.10.10.10 with your HideIPVPN server IP.
3. Create the Firewall Rules: RouterOS exposes its firewall through /ip/firewall/filter (there is no raw nftables command line on the router), so enter the rules there. Order matters: every accept rule must come before the final catch-all drop, otherwise the drop matches first and no new connection is forwarded.
/ip/firewall/filter
add chain=forward action=accept comment="Allow established/related connections" connection-state=established,related
add chain=forward action=accept comment="Allow LAN to VPN" src-address-list=local_network out-interface=wireguard1
add chain=forward action=accept comment="Allow VPN to LAN" in-interface=wireguard1 dst-address-list=local_network
add chain=forward action=accept comment="Allow DNS (UDP) to VPN" dst-port=53 protocol=udp out-interface=wireguard1
add chain=forward action=accept comment="Allow DNS (TCP) to VPN" dst-port=53 protocol=tcp out-interface=wireguard1
add chain=forward action=accept comment="Allow HideIPVPN traffic" dst-address-list=vpn_server out-interface=ether1
add chain=forward action=drop comment="Drop all other forward traffic"
Replace wireguard1 with your actual VPN interface name and ether1 with your WAN interface. The last rule is the kill switch: once the tunnel is down, LAN traffic no longer leaves via wireguard1, so nothing above it matches and the traffic is dropped instead of falling back to the WAN.
4. Protect Against DNS Leaks: Redirect all forwarded DNS queries to a resolver reachable only through the tunnel, so clients with hard-coded resolvers still resolve over the VPN.
/ip/firewall/nat
add chain=dstnat dst-port=53 protocol=udp action=dstnat to-addresses=10.10.10.10 to-ports=53 comment="Redirect DNS UDP to VPN"
add chain=dstnat dst-port=53 protocol=tcp action=dstnat to-addresses=10.10.10.10 to-ports=53 comment="Redirect DNS TCP to VPN"
Replace 10.10.10.10 with the DNS server IP provided by HideIPVPN or a public DNS server reachable via the VPN. Use the resolver's address here, not the VPN endpoint address from the vpn_server list: that address is deliberately allowed out over the WAN interface, so DNS redirected to it would leave the tunnel.
5. Disable Direct WAN Access: Ensure no traffic bypasses the VPN tunnel.
- Remove any existing default routes that point directly to your WAN interface.
- Ensure the only default route is provided by the HideIPVPN connection. The router still needs a specific route to the VPN server IP via the WAN interface, otherwise the tunnel itself cannot come up.
Testing:
1. Verify VPN Connection: Ensure the VPN connection is active before testing.
2. Test with VPN Active: Browse the internet from a LAN client to confirm connectivity through the VPN (the forward chain governs only forwarded traffic, so test from a client, not from the router itself).
3. Simulate VPN Disconnect: Disable the VPN interface. All internet traffic from LAN clients should cease.
Troubleshooting:
- Incorrect Interface Names: Double-check interface names for accuracy.
- Missing Address Lists: Ensure the address lists are correctly populated.
- Routing Conflicts: Resolve any routing conflicts that might bypass the kill switch.
- Firewall Rule Order: Ensure the "drop all other traffic" rule is the last rule in the chain.
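To see how the forward chain, the DNS redirect, the routing step and the rule order interact, here is an added Python model that is not RouterOS code and not from HideIPVPN or this guide. It evaluates the rules above with first-match semantics, using the guide's placeholder names (wireguard1, ether1, local_network, vpn_server, 192.168.88.0/24, 10.10.10.10); the LAN client 192.168.88.10, LAN interface ether2, resolver 10.8.0.1, the TEST-NET destination addresses and the route tables are constructed for the example. It shows a chain with the catch-all drop in second place dropping everything, the kill switch dropping new connections when the VPN is down even if a WAN default route was left behind, and why step 5 matters: an already-established flow still matches the first accept rule, so only the absence of a WAN default route stops it.

```python
"""First-match model of the guide's kill-switch rule set.

Added illustration, not RouterOS code: it mimics address-list and interface
matching, first-match-wins chains, and the dstnat -> routing -> forward
order, so rule order and the VPN-down case can be checked without a router.
Names and addresses are the guide's placeholders or constructed here.
"""
import ipaddress

ADDRESS_LISTS = {
    "local_network": [ipaddress.ip_network("192.168.88.0/24")],
    "vpn_server": [ipaddress.ip_network("10.10.10.10/32")],
}
DNS_TARGET = "10.8.0.1"  # constructed: the VPN-side resolver the dstnat rules point at


def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_LISTS[name])


def rule(action, comment, **match):
    return {"action": action, "comment": comment, "match": match}


def matches(r, pkt):
    """Every matcher present on the rule must hold, as for a RouterOS rule."""
    checks = {
        "state": lambda v: pkt["state"] in v,
        "src_list": lambda v: in_list(pkt["src"], v),
        "dst_list": lambda v: in_list(pkt["dst"], v),
        "in_iface": lambda v: pkt["in_iface"] == v,
        "out_iface": lambda v: pkt["out_iface"] == v,
        "proto": lambda v: pkt["proto"] == v,
        "dst_port": lambda v: pkt["dst_port"] == v,
    }
    return all(checks[key](value) for key, value in r["match"].items())


def evaluate(chain, pkt):
    """First matching rule decides; a chain nothing matches accepts, as in RouterOS."""
    for r in chain:
        if matches(r, pkt):
            return r["action"], r["comment"]
    return "accept", "end of chain"


# The guide's forward chain in working order: accepts first, the catch-all drop last.
FORWARD = [
    rule("accept", "established/related", state={"established", "related"}),
    rule("accept", "LAN to VPN", src_list="local_network", out_iface="wireguard1"),
    rule("accept", "VPN to LAN", in_iface="wireguard1", dst_list="local_network"),
    rule("accept", "DNS udp to VPN", proto="udp", dst_port=53, out_iface="wireguard1"),
    rule("accept", "DNS tcp to VPN", proto="tcp", dst_port=53, out_iface="wireguard1"),
    rule("accept", "to VPN server via WAN", dst_list="vpn_server", out_iface="ether1"),
    rule("drop", "drop all other traffic"),
]
# The misordering the troubleshooting section warns about: a catch-all drop in second place.
MISORDERED = [FORWARD[0], FORWARD[-1]] + FORWARD[1:]

# Route tables as (network, out-interface); longest prefix wins. All constructed.
ROUTES_VPN_UP = [("10.10.10.10/32", "ether1"), ("0.0.0.0/0", "wireguard1")]
ROUTES_VPN_DOWN_WAN_DEFAULT = [("10.10.10.10/32", "ether1"), ("0.0.0.0/0", "ether1")]
ROUTES_VPN_DOWN_NO_DEFAULT = [("10.10.10.10/32", "ether1")]


def route(dst, routes):
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), iface) for n, iface in routes
            if ip in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def dstnat(pkt):
    """The guide's two dstnat rules: any forwarded port-53 packet goes to the VPN resolver."""
    if pkt["dst_port"] == 53 and pkt["proto"] in ("udp", "tcp"):
        return dict(pkt, dst=DNS_TARGET)
    return pkt


def forward_verdict(chain, dst, proto="tcp", dst_port=443,
                    routes=ROUTES_VPN_UP, state="new"):
    """Walk one LAN-originated packet through dstnat, routing and the forward chain."""
    pkt = {"src": "192.168.88.10", "dst": dst, "proto": proto,
           "dst_port": dst_port, "in_iface": "ether2", "state": state}
    pkt = dstnat(pkt)
    pkt["out_iface"] = route(pkt["dst"], routes)
    if pkt["out_iface"] is None:
        return "drop", "no route"  # nothing to forward to; the chain is never consulted
    return evaluate(chain, pkt)


if __name__ == "__main__":
    web, dns = "203.0.113.10", "198.51.100.53"  # constructed TEST-NET destinations
    cases = {
        "web, VPN up": forward_verdict(FORWARD, web),
        "web, VPN up, misordered chain": forward_verdict(MISORDERED, web),
        "web, VPN down, WAN default left": forward_verdict(FORWARD, web, routes=ROUTES_VPN_DOWN_WAN_DEFAULT),
        "DNS, VPN up": forward_verdict(FORWARD, dns, "udp", 53),
        "DNS, VPN down, WAN default left": forward_verdict(FORWARD, dns, "udp", 53, routes=ROUTES_VPN_DOWN_WAN_DEFAULT),
        "established flow, VPN down, WAN default left": forward_verdict(
            FORWARD, web, routes=ROUTES_VPN_DOWN_WAN_DEFAULT, state="established"),
        "established flow, VPN down, no WAN default": forward_verdict(
            FORWARD, web, routes=ROUTES_VPN_DOWN_NO_DEFAULT, state="established"),
    }
    for name, (action, why) in cases.items():
        print(f"{name:46} -> {action:6} ({why})")
```

Run it with python3 and read the verdict per case. The model deliberately keeps the guide's semantics rather than adding protections the guide does not have: the established/related accept is first, so a flow that was set up over the tunnel keeps flowing over the WAN if a WAN default route still exists when the tunnel drops, which is exactly the gap step 5 closes.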
Checklist:
- VPN interface name verified.
- Local network and VPN server IPs added to address lists.
- nftables rules configured correctly.
- DNS redirection enabled.
- Direct WAN access disabled.
- Kill switch functionality tested by disabling the VPN interface.