digitaliscool

Best killswitch option for Mac?

Hi all, I was wondering what the preferred method is for protecting yourself when the VPN disconnects these days?

In the past I was using a combination of a disconnect script and routing setting in Viscosity; however, these options failed me today when my P2P client did not immediately shut down and the WiFi adapter was not disabled.

 

Script in question:

tell application "Transmission"
    quit
end tell

I know Eddie comes with "Network Lock" but I was hoping there were other methods I could use with Viscosity or other.

On Mac the network lock is using the PF firewall. The PF firewall on BSD anyway is Badass.

You could also look into writing your own PF rules. Imo it's a very easy firewall to learn.

Thanks for the tip. I've played around with Mac's PF firewall before but I don't want to have to change firewall rules manually each time I fire up the VPN.

The client network lock implements temporary PF firewall rules when active, then restores the original rules when deactivated.

So if you don't want to futz with it, it's a quick and solid solution.

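One way to get the behaviour described above (temporary PF rules while the lock is on, the system ruleset restored afterwards), as an added example that is not part of the thread and not Eddie's own code. The interface names `en0` and `utun0`, the server address `203.0.113.10` and UDP port 1194 are constructed placeholders.

```sh
#!/bin/sh
# Added example, not Eddie's code. Interface names, server address and port
# are constructed placeholders.
RULES_FILE=${RULES_FILE:-/tmp/vpn-killswitch.pf.conf}

# Print a ruleset that only lets traffic leave through the tunnel.
# Args: physical_if tunnel_if vpn_server_ipv4 proto port
killswitch_rules() {
    # Digits and dots only: with the lock on, DNS is blocked as well, so a
    # hostname could not be resolved when the rules are reloaded.
    case $3 in
        *[!0-9.]*|''|.*|*.|*..*) echo "server must be an IPv4 address" >&2; return 1 ;;
    esac
    case $4 in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    cat <<EOF
# default deny, IPv4 and IPv6, in and out
block drop all
pass quick on lo0 all
# DHCP on the physical interface so the lease can be renewed
pass out quick on $1 inet proto udp from any port 68 to any port 67
pass in quick on $1 inet proto udp from any port 67 to any port 68
# the encrypted tunnel itself, to the VPN server only
pass out quick on $1 inet proto $4 from any to $3 port $5
# everything else must use the tunnel interface
pass quick on $2 all
EOF
}

# Replace the active ruleset with the kill-switch rules and enable PF.
lock_on() {
    killswitch_rules "$@" > "$RULES_FILE" || return 1
    sudo pfctl -f "$RULES_FILE" && { sudo pfctl -e 2>/dev/null || true; }
}

# Put the system ruleset back.
lock_off() {
    sudo pfctl -f /etc/pf.conf
}

case ${1:-show} in
    on)  shift; lock_on "$@" ;;
    off) lock_off ;;
    *)   killswitch_rules en0 utun0 203.0.113.10 udp 1194 ;;
esac
```

Run with no arguments it only prints the ruleset; `on <physical_if> <tunnel_if> <server_ip> <proto> <port>` loads it and `off` reloads `/etc/pf.conf`.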

 

Eddie is great for the network lock, but I use more than one VPN service so would like to find the best option which works for Viscosity.

Setting the default gateway to vpn_gateway and a route of 0.0.0.0 used to work brilliantly but I can only get this to work if I disconnect the VPN via Viscosity. It will not work if I disconnect the VPN from the AirVPN panel.

What you're trying to do is really only moderately helpful if the VPN disconnects. And even then it's not instant; it would only take a few ms to spew out enough packets to cause issues. And it won't stop things like bad browser or application settings from leaking data.

I'm not familiar enough with Viscosity to say why your method isn't functioning.

You could submit a support ticket or wait a bit and see if anyone more familiar with Viscosity chimes in.

I use a firewall utility called Little Snitch to block access when the VPN disconnects. Within this app you can create different profiles. In my case, I created two profiles, one that denies access to the internet to all applications except Viscosity (OpenVPN). I created another one that has access to the web. These profiles automatically change depending on the status of the internet connection.

 

http://dafacto.com/2015/creating-a-kill-switched-vpn-on-mac-os-x-with-pia-and-little-snitch/

For now I am using the scripting option. I would appreciate some feedback on the script.

Idea was to kill the network and Transmission.

-- Turn the Wi-Fi interface (en0) off first so nothing can leave the machine
do shell script "networksetup -setairportpower en0 off"

-- Then quit the torrent client
tell application "Transmission"
    quit
end tell

In my case Network Lock was overkill, as the only service I needed to drop without VPN was torrenting. A couple of times OpenVPN crashed for a day or two before I realized Transmission was on my own public IP, and lo and behold I would find a copyright troll C&D notice from AT&T in my mailbox. My wife also wasn't pleased with abruptly losing all connectivity on that Mac whenever the VPN dropped.

Little Snitch works very well for this, particularly since I only use Transmission with one forwarded port.

I created two profiles -- one when connected through OpenVPN, and one when not.

Then I allowed Transmission.app incoming and outgoing connections when the OpenVPN active profile was enabled, and denied those connections when OpenVPN was not active. Works great.

I set up the same process in Murus, mostly to see if it would help me learn pf better, but I already use Little Snitch on most of my Macs anyhow and it's always been rock solid and easy to understand.

23 hours ago, realpageturner said:

A couple of times OpenVPN crashed for a day or two before I realized Transmission was on my own public IP, and lo and behold I would find a copyright troll C&D notice from AT&T in my mailbox.


You can bind to the current internal AirVPN IPs in settings.json ("bind-address-ipv4" and "bind-address-ipv6" options).
You can also set "bind-address-ipv6" to "::1" if you want to make updating the file less annoying.

Edited ... by NinjaThunderbolt: make what less annoying

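An added example, not part of the thread, that automates the settings.json update described above: it reads the tunnel's current IPv4 address and writes it to "bind-address-ipv4". The interface name `utun0` is an assumption, and the settings.json path is passed in because the thread does not give one.

```sh
#!/bin/sh
# Added example, not from the thread. utun0 is an assumed tunnel interface.
# Run it while Transmission is stopped; it rewrites settings.json on exit.

# Read `ifconfig <tunnel>` output on stdin and print the first IPv4 address.
# Fails (non-zero) when the interface has no IPv4 address, i.e. the VPN is down.
tunnel_ipv4() {
    awk '$1 == "inet" { print $2; found = 1; exit } END { exit !found }'
}

# Rewrite the value of "bind-address-ipv4" in the given settings.json.
set_bind_ipv4() {
    file=$1 ip=$2
    # Digits and dots only, so the value cannot break the JSON or the sed script.
    case $ip in
        *[!0-9.]*|'') echo "refusing non-IPv4 value: $ip" >&2; return 1 ;;
    esac
    grep -q '"bind-address-ipv4"' "$file" ||
        { echo "bind-address-ipv4 not found in $file" >&2; return 1; }
    tmp=$(mktemp "${TMPDIR:-/tmp}/settings.XXXXXX") || return 1
    # Write through a temp file, then copy back so ownership and mode are kept.
    sed -E 's/("bind-address-ipv4"[[:space:]]*:[[:space:]]*")[^"]*"/\1'"$ip"'"/' \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: script apply <settings.json> [tunnel_if]
if [ "${1:-}" = "apply" ]; then
    ip=$(ifconfig "${3:-utun0}" 2>/dev/null | tunnel_ipv4) ||
        { echo "tunnel is down; settings left unchanged" >&2; exit 1; }
    set_bind_ipv4 "$2" "$ip"
fi
```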
