How to Set Up a VPN Kill Switch in Debian 12 Bookworm

Learn how to set up a VPN kill switch on Debian 12 Bookworm.

Introduction

Using a VPN (Virtual Private Network) enhances your privacy and security by encrypting your internet connection and masking your IP address. However, if your VPN connection drops unexpectedly, your real IP address could be exposed. To prevent this, you need a VPN kill switch—a mechanism that blocks internet traffic when the VPN disconnects.

In this guide, we will walk you through the process of setting up a VPN kill switch on Debian 12 Bookworm. We will explore different methods, including using firewall rules (iptables/nftables) and NetworkManager to enforce the kill switch.


Prerequisites

Before proceeding, ensure you have the following:

  • A Debian 12 Bookworm system with administrative (root or sudo) access.
  • A configured and working VPN connection (OpenVPN or WireGuard).
  • Basic familiarity with terminal commands.

Method 1: Using iptables to Create a VPN Kill Switch

iptables is a powerful Linux firewall utility that can enforce strict rules on network traffic. We will configure it to allow internet access only through the VPN tunnel.

Step 1: Find Your VPN Interface

Once your VPN is connected, run the following command to check the network interfaces:

ip a

Look for an interface associated with your VPN. Common names include tun0 (OpenVPN) or wg0 (WireGuard).

Step 2: Create iptables Rules

Now, we will create rules that allow traffic only through the VPN interface and block all other outgoing connections.

sudo iptables -F
sudo iptables -X
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -j ACCEPT
# Let the tunnel itself reach the VPN server; without this the VPN can never (re)connect once the DROP policy is active.
# Replace <VPN_SERVER_IP>, eth0 and 1194/udp with your server address, uplink interface and port.
sudo iptables -A OUTPUT -o eth0 -p udp -d <VPN_SERVER_IP> --dport 1194 -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Step 3: Save and Apply Rules

To ensure these rules persist after a reboot, install the iptables-persistent package:

sudo apt install iptables-persistent

Save the rules:

sudo netfilter-persistent save
sudo netfilter-persistent reload

Now, if the VPN connection drops, your internet traffic will be blocked automatically. Note that iptables only governs IPv4: repeat the rules with ip6tables (or use the nftables inet table from Method 2, which covers both families) so that IPv6 traffic cannot bypass the switch.


Method 2: Using nftables to Create a VPN Kill Switch

Debian 12 uses nftables as the default firewall, replacing iptables. Here is how to set up a VPN kill switch using nftables.

Step 1: Check and Enable nftables

Ensure that nftables is installed and enabled:

sudo apt install nftables
sudo systemctl enable nftables
sudo systemctl start nftables

Step 2: Create nftables Rules

Open the configuration file:

sudo nano /etc/nftables.conf

Add the following table to the file:

table inet vpn_kill_switch {
    chain output {
        type filter hook output priority 0;
        # Match on the outgoing interface: iifname never matches in the output hook.
        oifname "lo" accept
        oifname "tun0" accept
        # Let the tunnel itself reach the VPN server; replace the placeholders with your server, uplink interface and port.
        oifname "eth0" ip daddr <VPN_SERVER_IP> udp dport 1194 accept
        ct state established,related accept
        drop
    }
}

Step 3: Load and Save Rules

Run the following commands to apply and save the rules:

sudo nft -f /etc/nftables.conf
sudo systemctl restart nftables

Now, your internet connection will be blocked if the VPN interface goes down.


Method 3: Configuring a Kill Switch with NetworkManager

NetworkManager provides an easier way to enforce VPN-only traffic using its built-in settings.

Step 1: Enable VPN Auto-Connect

Ensure your VPN connection is configured in NetworkManager. Then, enable auto-connect:

nmcli connection modify "Your-VPN-Connection" connection.autoconnect yes

Step 2: Set Up the Kill Switch

Edit the VPN connection profile:

nmcli connection modify "Your-VPN-Connection" vpn.persistent yes

Then, configure NetworkManager to block internet traffic if the VPN disconnects:

nmcli connection modify "Your-VPN-Connection" vpn.secrets "kill-switch=yes"

Restart NetworkManager:

sudo systemctl restart NetworkManager

Now, NetworkManager will ensure that your system only connects to the internet when the VPN is active.


Testing Your VPN Kill Switch

To verify that your kill switch is working:

  1. Check your IP before and after connecting the VPN:

     curl ifconfig.me

     Note the public IP shown in each case; it should change once the VPN is up.

  2. Disconnect the VPN and try to access the internet.

     • If the kill switch is working, you should not be able to browse websites or access any online services.
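The script below is an added example, not part of this guide: it generates the Method 2 nftables kill switch (including the rule that lets the tunnel reach its server) from parameters, dry-runs it with nft -c, and parses ip route get output to confirm that traffic really leaves through the VPN interface, which is the check the testing steps above are after. Interface names, the 203.0.113.10 server address and the port are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the guide). All interface names, addresses and ports
# used here are placeholders; adjust them to your own setup.

# Print a kill-switch ruleset for VPN interface $1, physical uplink $2,
# VPN server IPv4 address $3 and UDP port $4. Besides "allow the tunnel",
# it permits the tunnel itself to reach the server, otherwise the VPN can
# never (re)connect once the drop policy is in place.
gen_killswitch() {
  cat <<EOF
table inet vpn_kill_switch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$1" accept
        oifname "$2" ip daddr $3 udp dport $4 accept
        ct state established,related accept
    }
}
EOF
}

# Given the output of "ip route get <addr>", print the egress interface,
# e.g. "1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2" -> tun0.
egress_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeed (exit 0) only when the route in $1 leaves via VPN interface $2.
route_uses_vpn() {
  [ "$(egress_dev "$1")" = "$2" ]
}

# Live check (needs root and nft): syntax-check the generated ruleset with a
# dry run, then confirm the default route goes through the VPN interface.
if [ "${1:-}" = "--live" ]; then
  tmp=$(mktemp)
  gen_killswitch tun0 eth0 203.0.113.10 1194 >"$tmp"
  nft -c -f "$tmp" && echo "ruleset syntax OK"
  rm -f "$tmp"
  if route_uses_vpn "$(ip route get 1.1.1.1)" tun0; then
    echo "egress via tun0"
  else
    echo "WARNING: egress is not via the VPN interface"
  fi
fi
```

Run it as `sh killswitch-check.sh --live` on the VPN host; without `--live` it only defines the functions.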

Conclusion

Setting up a VPN kill switch on Debian 12 Bookworm enhances your security by preventing accidental exposure of your real IP address when your VPN connection drops. Depending on your preference, you can use iptables, nftables, or NetworkManager to achieve this.

By following this guide, you can ensure that your internet traffic remains secure and private at all times. If you have any questions or encounter any issues, feel free to consult Debian’s official documentation or community forums for further assistance.