Configure a manual kill switch on macOS for Tunnelblick
- IP address of the VPN gateway you wish to setup for VPN kill switch.
For the purpose of this guide I am going to use PrivateVPN's OpenVPN-TUN-UDP server in Chennai, India bearing an IP address: 126.96.36.199.
In order to find out the IP address of VPN gateway, open https://privatevpn.com/serverlist/ and copy a server's hostname from Server Address column. Use host command in a terminal window followed by the hostname. Syntax for host command in this case would be:
$ host in-che.privatevpn.com in-che.privatevpn.com has address 188.8.131.52
- Changes in Client .ovpn configuration file as follows:
Open .ovpn configuration file in TextEdit, look for remote option and replace the hostname or servername therein with IP address as seen in the image below:
In order to setup kill switch or VPN firewall on Mac OS X or macOS, we are going to use a command line tool called pf.
Make sure you have sudo or root access before we start.
Let us begin by editing the configuration file of pf at /etc/pf.conf in a terminal window as follows:
# nano /etc/pf.conf
In order to block all the connections other than to IP of VPN gateway at a port using a particular protocol append pf.conf and add the following lines:
block drop all pass on lo0 pass on utun0 pass out proto udp from any to 184.108.40.206 port 1194
Save and exit.
Once you are done editing the file. Let us import the newly added rules as follows so that it persists on reboot:
# pfctl -f /etc/pf.conf
Let us turn on the firewall which is not ON by default as follows:
# pfctl -e
Once the pf is enabled. Congrats! Your VPN kill switch or firewall is active. No Internet connection is possible now other than via PrivateVPN’s OpenVPN server's IP 220.127.116.11 using UDP protocol at port 1194. So unless you connect to it, Internet access is completely denied.
Note: In recent version of OS X or macOS with Tunnelblick OpenVPN client, you might have unused utun interfaces which can be check from a terminal as follows:
So in case you already have an unused utun0 for example then change pass on utun0 in pf.conf to as follows:
pass on utun1
Or else you might get connected but won't be able to connect anywhere.