
#1 2022-05-28 13:03:41

boarim
Member
Registered: 2022-05-28
Posts: 18

Difficulties setting up a kill switch for Wireguard with nftables

I use Mullvad VPN with just the bare Wireguard configuration files and I would like to set up a kill switch feature so that when the VPN connection goes down for whatever reason, my connection is automatically blocked; this in order to prevent leakages about my Internet activity.

They do provide this when using their software. However, I am doing my best to keep my system minimal and use already installed software if I can. Therefore, I have been using this VPN service by importing their Wireguard configuration files in NetworkManager, which is working pretty well so far.

Now, their documentation provides a way to add this kill switch feature in the Wireguard configuration file with some PostUp and PreDown directives. However, these use iptables and wireguard-tools. On my system, I do not use these; nftables and networkmanager are used instead.

I tried to translate the iptables directives into nftables ones with iptables-translate. However, since I am not using wireguard-tools either—and it is not installed—the directives obviously did not work.

I also contacted their support, but they did not want to help, telling me that I should use their software.

How could I adapt their solution in the documentation to my use case (relying on nftables and NetworkManager only)?


Simplicity is the ultimate sophistication. — Leonardo da Vinci (1452–1519)


#2 2022-05-28 13:24:06

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: Difficulties setting up a kill switch for Wireguard with nftables

You should be able to use the NetworkManager-dispatcher to command nftables via scripts to do this.

Last edited by -thc (2022-05-28 13:28:26)
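One way to do what -thc suggests, as an added example that is not part of this thread or of Mullvad's documentation: a NetworkManager dispatcher script that loads an nftables ruleset when the tunnel interface comes up and removes it only when the interface is taken down deliberately. It assumes the WireGuard interface NetworkManager created is called wg0, that NetworkManager passes the interface name and the action (up/down) as the two arguments, and it uses a placeholder endpoint address; the real values come from the Endpoint line of the imported .conf.

```shell
#!/bin/sh
# Hypothetical dispatcher script, e.g. /etc/NetworkManager/dispatcher.d/50-wg-killswitch (mode 0755).
# Assumptions: tunnel interface is wg0; endpoint 203.0.113.10:51820 is a placeholder
# to be replaced by the Endpoint from the Mullvad .conf.
WG_IF="${WG_IF:-wg0}"
ENDPOINT_IP="${ENDPOINT_IP:-203.0.113.10}"      # placeholder
ENDPOINT_PORT="${ENDPOINT_PORT:-51820}"         # placeholder
TABLE="wg_killswitch"

# Emit a ruleset that lets packets leave only through the tunnel, or as the
# tunnel's own UDP traffic to the endpoint; everything else is dropped, so a
# Wi-Fi reconnect without the tunnel cannot leak. The leading
# "table ...; delete table ..." pair makes loading with nft -f idempotent.
killswitch_ruleset() {
    cat <<EOF
table inet ${TABLE}
delete table inet ${TABLE}
table inet ${TABLE} {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        oifname "${WG_IF}" accept
        ip daddr ${ENDPOINT_IP} udp dport ${ENDPOINT_PORT} accept
        udp dport 67 accept
    }
}
EOF
}

# Map a dispatcher event to an action: prints "install", "remove" or "ignore".
# Events for other interfaces (the Wi-Fi adapter going up/down) are ignored.
killswitch_action() {
    if [ "$1" != "$WG_IF" ]; then echo ignore; return; fi
    case "$2" in
        up)   echo install ;;
        down) echo remove ;;
        *)    echo ignore ;;
    esac
}

# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>
case "$(killswitch_action "$1" "$2")" in
    install) killswitch_ruleset | nft -f - ;;
    remove)  printf 'table inet %s\ndelete table inet %s\n' "$TABLE" "$TABLE" | nft -f - ;;
esac
```

The DHCP rule (udp dport 67) keeps the Wi-Fi lease renewable while the tunnel is down; drop it if the local network is static. `nft list table inet wg_killswitch` shows whether the switch is currently armed.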


#3 2022-05-31 13:29:09

boarim
Member
Registered: 2022-05-28
Posts: 18

Re: Difficulties setting up a kill switch for Wireguard with nftables

Got it. I need more time to investigate and write a script.

However, I noticed that my Wireguard connection, once up, is not going down (unless I switch it off manually), even if my Wi-Fi connection disconnects. Therefore, I am wondering if writing a script for a kill switch is necessary. Practically speaking, it seems that the way NetworkManager handles Wireguard prevents network leakage and that a kill switch is unnecessary.


Simplicity is the ultimate sophistication. — Leonardo da Vinci (1452–1519)


#4 2022-05-31 15:04:28

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: Difficulties setting up a kill switch for Wireguard with nftables

That depends on the behavior of NetworkManager when your Wi-Fi disconnects.

Since at its core a WireGuard connection is a virtual network adapter with configuration, addresses, MTU and routes, it's somewhat "independent" of other (physical) network adapters.

If NetworkManager doesn't alter the routes on Wi-Fi disconnects to bypass WireGuard, you're good.
