How to make a VPN kill-switch for mac OS X

3

2

What I wanna do is to have the internet connection disabled completely when the VPN connection goes down. I am connecting to my VPN (privatevpn.com) through Viscosity.

I have tried everything in the book. I have tried to have disconnect scripts in Viscosity, but they never trigger, or trigger inconsistently and leave my connection vulnerable. I also tried routing tricks in Viscosity, but it doesn't work either.

On my Ubuntu machines I have a solution that works perfectly: I use ufw rules to control the firewall. In order to connect to my VPN I need to disable UFW, and once the VPN has connected I enable UFW, and it keeps the connection tight from leaking.

There is something called pf on Mac. I might be able to configure pf to work the same way as my ufw rules work, but I don't understand how to configure it.

Here are my UFW rules I would like to run on the Mac as well, maybe someone can help me to configure pf to use the same rules?

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    193.180.119.0/24
Anywhere                   ALLOW OUT   193.180.119.0/24

John Schlong

Posted 2016-10-02T01:10:47.163

Reputation: 31

No Mac networking experts around? – John Schlong – 2016-10-07T12:15:02.397

Answers

3

The best thing I have found is to use PF, available on mac os X; after you connect to your VPN provider you just need to change the IP.

Create a file ~/killswitch/pf.conf containing this

# Options
set block-policy drop          # silently drop instead of sending RST/ICMP
set ruleset-optimization basic
set skip on lo0                # never filter loopback

# Interfaces (check yours with: ifconfig)
wifi = "en1"
vpn = "utun1"

# Block everything (last matching rule wins, so the pass rules below win
# for the traffic they describe; everything else hits these two rules)
block out all
block in all

# Outbound: allow only the VPN server itself on the physical interface.
# pf keeps state for pass rules, so replies from the server are let back in.
pass out on $wifi proto {tcp, udp} from any to 81.171.71.XX

# Allow all traffic inside the tunnel
pass out on $vpn all

Double check your interfaces; in my case en1 is the WiFi and utun1 the VPN tunnel.

Change 81.171.71.XX to the IP you get when you connect.

Enable pf:

$ sudo pfctl -e

Load the rules:

$ sudo pfctl -Fa -f /path/to/pf.conf

Disable pf:

$ sudo pfctl -d

I had to implement this due to an issue with ipvanish, mainly because the application was crashing, making the VPN go down, and traffic was back to the default, non-encrypted route.

Update

You can give killswitch a try; it can do all this for you automatically.

nbari

Posted 2016-10-02T01:10:47.163

Reputation: 193

OK thanks, I ended up using the AirVPN client for Mac OS X, and it works out of the box. Just in case someone wants to save some time in the future. – John Schlong – 2017-01-08T01:49:54.317

1

I just tried killswitch on macOS 10.12.6 and it works perfectly. Install with brew install killswitch. If it fails, try first brew tap vpn-kill-switch/killswitch and then install. In this way, it might fail to download the bottle, but it will then compile from source for you. – iled – 2018-07-30T05:47:53.510
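To see why the pf.conf in the answer above works as a kill switch, here is a small simulator of pf's outbound rule evaluation. It is an added example, not code from the answer or from pf: pf walks the ruleset top to bottom and the last matching rule wins (no "quick" keyword is used), so "block out all" first and narrow "pass out" rules after it is exactly what makes non-VPN traffic on the Wi-Fi interface fail. The function name pf_verdict and the constructed ruleset (macros expanded, 192.0.2.10 standing in for the VPN server IP) are this example's own; only "out" rules with on/proto/to are modeled, and set, macro and "block in" lines are ignored.

```shell
#!/bin/sh
# Constructed copy of the answer's rules with the macros expanded.
# 192.0.2.10 (RFC 5737 test address) stands in for "81.171.71.XX".
RULES='block out all
pass out on en1 proto {tcp, udp} from any to 192.0.2.10
pass out on utun1 all'

# pf_verdict IFACE PROTO DST  -> prints "pass" or "block" for one outbound packet
pf_verdict() {
  iface=$1; proto=$2; dst=$3; verdict=block
  while read -r action dir rest; do
    [ "$dir" = out ] || continue              # not an outbound filter rule
    r_iface=any; r_proto=any; r_dst=any
    set -- $(printf '%s' "$rest" | tr -d '{},')   # "{tcp, udp}" -> "tcp udp"
    while [ $# -gt 0 ]; do
      case "$1" in
        on)    r_iface=$2; shift 2 ;;
        proto) shift; r_proto=
               while [ $# -gt 0 ]; do          # collect the protocol list
                 case "$1" in from|to|all) break ;; esac
                 r_proto="$r_proto $1 "; shift
               done ;;
        to)    r_dst=$2; shift 2 ;;
        *)     shift ;;                           # "from any" / "all": no constraint
      esac
    done
    # every field of the rule must match, otherwise the rule is skipped
    [ "$r_iface" = any ] || [ "$r_iface" = "$iface" ] || continue
    case "$r_proto" in any|*" $proto "*) ;; *) continue ;; esac
    [ "$r_dst" = any ] || [ "$r_dst" = "$dst" ] || continue
    verdict=$action                               # last matching rule wins
  done <<EOF
$RULES
EOF
  printf '%s\n' "$verdict"
}

# pf_verdict en1 udp 8.8.8.8      -> block  (DNS lookup leaking over Wi-Fi)
# pf_verdict en1 udp 192.0.2.10   -> pass   (tunnel setup to the VPN server)
# pf_verdict utun1 udp 8.8.8.8    -> pass   (same lookup, inside the tunnel)
```

Note that the Wi-Fi pass rule allows any TCP or UDP port to the VPN server; if you want to tighten it to the port the tunnel actually uses, add a port clause to that rule.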

0

Could this script do the trick?

#!/bin/bash

# Poll the system VPN services; when none reports "Connected", stop
# Transmission and exit. Note: scutil --nc only lists the VPN services
# configured in System Preferences, so a third-party client such as
# Viscosity may not show up here at all.
while true
do
  if ! scutil --nc list | grep -q Connected; then
     killall Transmission
     exit
  fi
  sleep 5   # avoid a busy loop pegging the CPU
done

plopper

Posted 2016-10-02T01:10:47.163

Reputation: 1