Help Center
WireGuard Kill Switch
To ensure no traffic leaks outside and your real IP address is revealed in case the WireGuard VPN tunnel accidentally goes down, you can set up the Kill Switch which is configured using the PostUp and PreDown WG syntax.
-
Open the WireGuard config file with any text editors:
$ sudo nano /etc/wireguard/wg0.conf -
Add the following two lines to the [Interface] section:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT -
Here’s how the WG config file should look like afterwards:
[Interface] PrivateKey = abcdefghijklmnopqrstuvwxyz0123456789= Address = 172.x.y.z/32 DNS = 172.16.0.1 PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT [Peer] PublicKey = JPT1veXLmasj2uQDstX24mpR7VWD+GmV8JDkidkz91Q= Endpoint = us-tx1.wg.ivpn.net:2049 AllowedIPs = 0.0.0.0/0
Testing
-
One way to test a down tunnel is to delete the IP address from the WireGuard network interface, like this via the Terminal:
sudo ip a del [IP address] dev [interface]In this example, it’s possible to remove 172.x.y.z from the wg0 interface:
sudo ip a del 172.x.y.z/32 dev wg0The PostUP iptables rule from step 2 above restricts all traffic to the tunnel and all outgoing attempts to get traffic out fail. To gracefully recover from this, you will likely have to use the wg-quick command to take the connection down, then bring it back up.
Related Articles
- Autostart WireGuard in systemd
- Managing the IVPN Linux CLI client at System Boot
- IVPN on Qubes OS
- Linux - OBFS3 and OBFS4 Obfuscation with Obfsproxy to Circumvent Censorship
- Linux - Fedora Silverblue
Still have questions?
Get in touch and we'll get back to you in a few hours.
Contact supportInterested in privacy?
Read our latest privacy news and keep up-to-date on IVPN services.
Visit IVPN Blog