Guest Posted ...

Hi all, I was wondering what the preferred method is for protecting yourself when the VPN disconnects these days? In the past I was using a combination of a disconnect script and routing setting in Viscosity however these options failed me today when my P2P client did not immediately shut down and the WiFi adapter was not disabled.

Script in question:

    tell application "Transmission"
        quit
    end tell

I know Eddie comes with "Network Lock" but I was hoping there were other methods I could use with Viscosity or other.
rickjames 106 Posted ...

On mac the network lock is using the PF firewall. The PF firewall on BSD anyway is Badass. You could also look into writing your own PF rules. Imo it's a very easy firewall to learn.
Guest Posted ...

> On mac the network lock is using the PF firewall. The PF firewall on BSD anyway is Badass. You could also look into writing your own PF rules. Imo it's a very easy firewall to learn.

Thanks for the tip. I've played around with Mac's PF firewall before but I don't want to have to change firewall rules manually each time I fire up the VPN.
rickjames 106 Posted ...

The client network lock implements temporary PF firewall rules when active. Then restores the original rules when deactivated. So if you don't want to futz with it, it's a quick and solid solution.
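A minimal version of such a temporary PF ruleset, as an added example that is not part of the original posts and is not Eddie's own ruleset. The interface names, server address, protocol and port are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example: print a PF kill-switch ruleset for one VPN server.
# Everything except loopback, DHCP, the VPN handshake and the tunnel is dropped.

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted-quad IPv4 address
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# killswitch_rules PHYS_IF TUN_IF SERVER_IP PROTO PORT -> ruleset on stdout
# The server must be given as an IP address: DNS is blocked until the tunnel is up.
killswitch_rules() {
    phys=$1 tun=$2 server=$3 proto=$4 port=$5
    is_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    case $proto in udp|tcp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    cat <<EOF
set block-policy drop
set skip on lo0
block all
pass quick on $phys inet proto udp from any port 67:68 to any port 67:68
pass out quick on $phys proto $proto from any to $server port $port
pass quick on $tun all
EOF
}

# Stand-alone use (constructed values; the utun number varies between sessions):
#   ./killswitch.sh en0 utun0 203.0.113.10 udp 443 > /tmp/killswitch.conf
#   sudo pfctl -nf /tmp/killswitch.conf   # parse only, loads nothing
#   sudo pfctl -ef /tmp/killswitch.conf   # enable PF with these rules
#   sudo pfctl -f /etc/pf.conf            # restore the system ruleset
if [ $# -eq 5 ]; then killswitch_rules "$@"; fi
```

Because the rules stay loaded when the VPN process dies, nothing leaves the physical interface during the gap a disconnect script would need to react.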
Guest Posted ...

> The client network lock implements temporary PF firewall rules when active. Then restores the original rules when deactivated. So if you don't want to futz with it, it's a quick and solid solution.

Eddie is great for the network lock, but I use more than one VPN service so would like to find the best option which works for Viscosity. Setting the default gateway to vpn_gateway and a route of 0.0.0.0 used to work brilliantly but I can only get this to work if I disconnect the VPN via Viscosity. It will not work if I disconnect the VPN from the AirVPN panel.
rickjames 106 Posted ...

What you're trying to do is really only moderately helpful if the vpn disconnects. And even then it's not instant, it would only take a few ms to spew out enough packets to cause issues. And it won't stop things like bad browser or application settings from leaking data. I'm not familiar enough with Viscosity to say why your method isn't functioning. You could submit a support ticket or wait a bit and see if anyone more familiar with Viscosity chimes in.
perdomwx 0 Posted ...

I use a firewall utility called Little Snitch to block access when the VPN disconnects. Within this app you can create different profiles. In my case, I created two profiles, one that denies access to the internet to all applications except Viscosity (OpenVPN). I created another one that has access to the web. These profiles automatically change depending on the status of the internet connection.

http://dafacto.com/2015/creating-a-kill-switched-vpn-on-mac-os-x-with-pia-and-little-snitch/
tiger83052 4 Posted ...

I think using Little Snitch will be a good choice, you can see here: http://asciithoughts.com/posts/2014/02/15/using-little-snitch-to-prevent-internet-access-without-vpn/
Guest Posted ...

For now I am using the scripting option. I would appreciate some feedback on the script. Idea was to kill the network and Transmission.

    do shell script "networksetup -setairportpower en0 off"
    tell application "Transmission"
        quit
    end tell
realpageturner 0 Posted ...

In my case Network Lock was overkill, as the only service I needed to drop without VPN was torrenting. A couple of times OpenVPN crashed for a day or two before I realized Transmission was on my own public IP, and lo and behold I would find a copyright troll C&D notice from AT&T in my mailbox. My wife also wasn't pleased with abruptly losing all connectivity on that Mac whenever the VPN dropped.

Little Snitch works very well for this, particularly since I only use Transmission with one forwarded port. I created two profiles -- one when connected through OpenVPN, and one when not. Then I allowed Transmission.app incoming and outgoing connections when the OpenVPN active profile was enabled, and denied those connections when OpenVPN was not active. Works great.

I set up the same process in Murus, mostly to see if it would help me learn pf better, but I already use Little Snitch on most of my Macs anyhow and it's always been rock solid and easy to understand.
NinjaThunderbolt 4 Posted ...

23 hours ago, realpageturner said:

> A couple of times OpenVPN crashed for a day or two before I realized Transmission was on my own public IP, and lo and behold I would find a copyright troll C&D notice from AT&T in my mailbox.

You can bind to the current internal AirVPN IPs in settings.json ("bind-address-ipv4" and "bind-address-ipv6" options). You can also set "bind-address-ipv6" to "::1" if you want to make updating the file less annoying.
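One way to keep "bind-address-ipv4" in step with the tunnel, as an added example that is not part of the original post. The tunnel interface name and the settings.json path are assumptions supplied by the caller, and falling back to loopback when the tunnel has no address is a choice made for this example.

```shell
#!/bin/sh
# Added example: point Transmission's "bind-address-ipv4" at the VPN tunnel
# address. Transmission writes settings.json back on exit, so run this while
# it is stopped.

# tunnel_ipv4: stdin = `ifconfig <tun-if>` output, prints the first IPv4 address
tunnel_ipv4() {
    awk '$1 == "inet" { print $2; exit }'
}

# set_bind_ipv4 FILE ADDR: rewrite the value of "bind-address-ipv4" in FILE
set_bind_ipv4() {
    file=$1 addr=$2
    case $addr in ''|*[!0-9.]*) echo "bad address: $addr" >&2; return 1 ;; esac
    grep -q '"bind-address-ipv4"' "$file" || { echo "key not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed 's/\("bind-address-ipv4"[[:space:]]*:[[:space:]]*\)"[^"]*"/\1"'"$addr"'"/' \
        "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE's permissions
    rc=$?
    rm -f "$tmp"
    return $rc
}

# rebind FILE: stdin = ifconfig output. With no tunnel address the client is
# bound to 127.0.0.1, so it cannot reach peers over the physical interface.
rebind() {
    addr=$(tunnel_ipv4)
    [ -n "$addr" ] || addr=127.0.0.1
    set_bind_ipv4 "$1" "$addr" && printf '%s\n' "$addr"
}

# Stand-alone use: ./rebind.sh utun2 /path/to/settings.json
if [ $# -eq 2 ]; then ifconfig "$1" 2>&1 | rebind "$2"; fi
```

A client bound this way stops sending when the tunnel address disappears, instead of falling back to the public interface.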