Linux - WireGuard Kill-switch

    To ensure no traffic leaks outside and your real IP address is revealed in case the WireGuard VPN tunnel accidentally goes down, you can set up the Kill-switch which is configured using the PostUp and PreDown WG syntax.

    1. Open the WireGuard config file with any text editors:

      $ sudo nano /etc/wireguard/wg0.conf
      
    2. Add the following two lines to the [Interface] section:

      PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
      PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
      
    3. Here’s how the WG config file should look like afterwards:

      [Interface]
      PrivateKey = abcdefghijklmnopqrstuvwxyz0123456789=
      Address = 172.x.y.z/32
      DNS = 172.16.0.1
      PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
      PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
      [Peer]
      PublicKey = JPT1veXLmasj2uQDstX24mpR7VWD+GmV8JDkidkz91Q=
      Endpoint = us-tx1.wg.ivpn.net:2049
      AllowedIPs = 0.0.0.0/0
      

    Testing

    1. One way to test a down tunnel is to delete the IP address from the WireGuard network interface, like this via the Terminal:

      sudo ip a del [IP address] dev [interface]
      

      In this example, it’s possible to remove 172.x.y.z from the wg0 interface:

      sudo ip a del 172.x.y.z/32 dev wg0
      

      The PostUP iptables rule from step 2 above restricts all traffic to the tunnel and all outgoing attempts to get traffic out fail. To gracefully recover from this, you will likely have to use the wg-quick command to take the connection down, then bring it back up.



    Related Articles

    Still have questions?

    Get in touch and we'll get back to you in a few hours.

    Contact support

    Interested in privacy?

    Read our latest privacy news and keep up-to-date on IVPN services.

    Visit IVPN Blog
    Spotted a mistake or have an idea on how to improve this page?
    Suggest an edit on GitHub.