Part 1: Instructional Guide

This tutorial will guide you through setting up a WireGuard VPN on an Ubuntu / Linux Mint System, featuring a kill switch that completely stops all internet traffic if the VPN connection drops. This configuration is ideal for ensuring maximum security and privacy.

Prerequisites

  • An Ubuntu / Linux Mint system
  • sudo or root access
  • WireGuard installed (install using sudo apt install wireguard)

Step 1: Prepare the WireGuard Configuration

Create a WireGuard configuration file named wg0.conf in /etc/wireguard/. The configuration includes settings for the kill switch using iptables and custom routing policies. Below is your detailed configuration:

Note the DNS line: uncomment it and set your preferred DNS provider, whether that is your VPN provider's resolver, Google's 8.8.8.8, or another. If you run a local DNS service such as unbound, you can keep it commented out.

[Interface]
PrivateKey = <your-private-key>
Address = 10.2.0.2/32
#DNS = 127.0.0.1
FwMark = 51820
Table = 51820

PostUp = ip rule add not fwmark 51820 table 51820; ip rule add table main suppress_prefixlength 0; ip route del blackhole 0.0.0.0/0 || true; iptables -A OUTPUT -d 192.168.0.0/16 -j DROP; iptables -A OUTPUT -d 172.16.0.0/12 -j DROP; iptables -A OUTPUT -d 10.0.0.0/8 -j DROP; iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
PreDown = ip rule del not fwmark 51820 table 51820; ip rule del table main suppress_prefixlength 0; ip route add blackhole 0.0.0.0/0 || true; iptables -D OUTPUT -d 192.168.0.0/16 -j DROP; iptables -D OUTPUT -d 172.16.0.0/12 -j DROP; iptables -D OUTPUT -d 10.0.0.0/8 -j DROP; iptables -D INPUT -p icmp --icmp-type echo-request -j DROP

[Peer]
PublicKey = <peer-public-key>
Endpoint = <peer-endpoint>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Replace placeholders with your actual private key, peer public key, and peer endpoint.

Step 2: Enable WireGuard Service

Ubuntu comes with a service template for WireGuard. Check if the wg-quick@.service template exists:

ls -l /lib/systemd/system/wg-quick@.service

If present, proceed to create a systemd link to manage your wg0 configuration as a service:

sudo ln -s /lib/systemd/system/wg-quick@.service /etc/systemd/system/wg-quick@wg0.service

Step 3: Start and Enable the Service

Start the WireGuard service for the wg0 interface and ensure it is enabled to start on boot:

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

To start and stop the WireGuard VPN connection manually, use the wg-quick up wg0 and wg-quick down wg0 commands:

sudo wg-quick up wg0
sudo wg-quick down wg0

These commands activate and deactivate the wg0 interface based on the settings in /etc/wireguard/wg0.conf. Bringing it up also applies the PostUp rules that route all traffic through the VPN and enable the kill switch mechanism.

Step 4: Verify the Kill Switch Functionality

To test if the kill switch is working, try to access the internet with the WireGuard VPN down. If the configuration is correct, you should not be able to access the internet.
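A more precise check than "try to browse" is to confirm, with the tunnel down, that the blackhole route is present in the main table and outranks every gateway default route. The audit below is an added example (not from the page or wg-quick); the sample outputs are constructed to mimic an Ubuntu host where NetworkManager gives its default route metric 100 (600 on Wi-Fi) and the blackhole lands at metric 0.

```python
"""Audit the kill switch from `ip route show` output (added example; not
from the page or wg-quick). Blackhole routes print as 'blackhole default'
with no metric shown when the metric is 0."""
import re
import subprocess

def parse_defaults(ip_route_output):
    """Return [(kind, metric)] for every default route in a main-table dump."""
    defaults = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "blackhole" and fields[1] == "default":
            kind = "blackhole"
        elif fields[0] == "default":
            kind = "gateway"
        else:
            continue
        m = re.search(r"\bmetric (\d+)", line)
        defaults.append((kind, int(m.group(1)) if m else 0))
    return defaults

def killswitch_state(ip_route_output):
    """'armed': the blackhole is the lowest-metric default, nothing can leak.
    'leak':  a gateway default wins, e.g. the existing default had no metric,
             so `ip route add blackhole 0.0.0.0/0` failed with EEXIST and the
             '|| true' in PreDown hid the error.
    'none':  no default route at all."""
    defaults = parse_defaults(ip_route_output)
    if not defaults:
        return "none"
    best = min(m for _, m in defaults)
    winners = {k for k, m in defaults if m == best}
    return "armed" if winners == {"blackhole"} else "leak"

# Constructed samples of `ip route show` after `wg-quick down wg0`.
ARMED = """blackhole default
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100"""
LEAK = """default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20"""

if __name__ == "__main__":
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
    print("kill switch:", killswitch_state(out))
```

Run it on the host after `sudo wg-quick down wg0`; anything other than `armed` means the blackhole route is not doing its job.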

Step 5: Check the Status

You can check the status of your WireGuard service to ensure it’s active and running:

sudo systemctl status wg-quick@wg0

Step 6: Split Tunnel

If you would like local network access to your NAS while still sending your internet traffic through the WireGuard VPN, remove the iptables commands from the PostUp and PreDown lines.
Make sure you bring down your WireGuard interface before applying these changes; otherwise your routing tables and firewall will be left with residual rules.

PostUp = ip rule add not fwmark 51820 table 51820; ip rule add table main suppress_prefixlength 0; ip route del blackhole 0.0.0.0/0 || true; 
PreDown = ip rule del not fwmark 51820 table 51820; ip rule del table main suppress_prefixlength 0; ip route add blackhole 0.0.0.0/0 || true; 

Conclusion To Part 1

Your WireGuard VPN is now set up with a robust kill switch. This configuration prevents any traffic leakage, ensuring that all data traffic is securely tunneled through WireGuard.

With the split tunnel approach you have the option of unlocking access to your local network if you want to access your NAS or printer services while keeping your internet traffic encrypted.

For further reading and advanced configuration options, refer to the WireGuard documentation and man pages (man wg and man wg-quick).

Part 2: Deep Dive, Understanding the Technical Foundations of the WireGuard Configuration

In this section of the tutorial, we’ll explore the theoretical underpinnings of the WireGuard configuration settings that enable the kill switch functionality, ensuring that your device maintains privacy and security by preventing any data leaks if the VPN connection drops.

Understanding Key Configuration Terms

1. FwMark (Firewall Mark)

  • Purpose: FwMark is a marker used to tag packets for specific handling by the firewall and routing rules. In WireGuard, it’s used to distinguish VPN traffic from regular traffic.
  • Application: In your config, FwMark = 51820 makes WireGuard stamp its own encapsulated UDP packets with this mark, so the routing rules can tell them apart from the plaintext traffic that should enter the tunnel.

2. Table

  • Purpose: The Table directive specifies a separate routing table where specific routes are added. This helps in managing VPN traffic independently of the main routing table.
  • Application: Table = 51820 ensures that all VPN-marked traffic uses a custom routing table (table number 51820), isolating it from default routes.

How Routing Works with WireGuard

Routing rules define how packets are forwarded by the operating system. By manipulating these rules, you can control how data is routed through the VPN and ensure it does not revert to the default gateway if the VPN connection is lost.

  • ip rule add Commands: ip rule add not fwmark 51820 table 51820 sends every packet that does not carry the mark (i.e. ordinary application traffic) to table 51820, whose only route is the default via wg0. The marked packets are WireGuard's own encapsulated traffic to the endpoint; they skip this rule and use the main table's real default gateway.
  • Suppressing Routes: ip rule add table main suppress_prefixlength 0 consults the main table first but discards the result if the best match is a default route (prefix length 0). Specific routes such as the local subnet still win, while internet-bound traffic falls through to table 51820 and the tunnel.

Implementing a Kill Switch

The “kill switch” is designed to prevent any access to the internet outside the VPN tunnel. Here’s how it’s configured:

PostUp Commands: These are executed when the VPN interface comes up.

  • Deleting the Blackhole Route: ip route del blackhole 0.0.0.0/0 removes the blackhole default route that PreDown leaves in the main table while the VPN is down. While the tunnel is up, the real default route is needed only by WireGuard's marked packets; everything else is steered into table 51820, so there is no path for traffic to escape the tunnel. The || true keeps the command from failing on the very first start, when no blackhole exists yet.
  • Firewall Rules: Using iptables, the configuration prevents all outgoing connections except through the VPN. It blocks access to private (RFC 1918) networks and drops inbound ICMP echo requests (pings), enhancing stealth and security.

PreDown Commands: These commands are executed right before the VPN interface goes down.

  • Re-arming the Kill Switch: ip route add blackhole 0.0.0.0/0 reinstates the blackhole route in the main table, ensuring that once the VPN disconnects, internet-bound traffic has nowhere to go and no accidental data leaks occur.
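To see the routing rules, the suppress_prefixlength trick, the blackhole route and the iptables OUTPUT drops act together, the following model walks a packet through the rule and table state this config produces with the tunnel up and with it down. It is an added illustration, not wg-quick or kernel code; the tables, rule priorities and addresses are constructed to mirror the page's config on a host with a 192.168.1.0/24 LAN.

```python
"""Simplified Linux policy-routing model for the wg0.conf rules (added
example). Route selection is longest prefix, then lowest metric; rules run
in priority order; 'not fwmark' negates the mark test; suppress_prefixlength
N discards a lookup whose winning route has prefixlen <= N and moves on."""
import ipaddress

FWMARK = 51820

def lookup(table, dst):
    """Best route for dst in one table as (prefix, target, metric)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, -m, (p, tgt, m))
            for p, tgt, m in table if addr in ipaddress.ip_network(p)]
    return max(hits)[2] if hits else None

def route(rules, tables, dst, marked=False):
    """Walk rules (prio, mark, negate, table, suppress) and return the target."""
    for _, mark, negate, table, suppress in sorted(rules):
        if mark is not None and marked == negate:
            continue                       # mark test failed for this rule
        best = lookup(tables[table], dst)
        if best is None:
            continue
        if suppress is not None and ipaddress.ip_network(best[0]).prefixlen <= suppress:
            continue                       # main's default route is ignored here
        return best[1]                     # device, gateway or "blackhole"
    return "unreachable"

# PostUp iptables OUTPUT rules: anything addressed to RFC 1918 space is dropped.
DROP_DST = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def output_allowed(dst):
    return not any(ipaddress.ip_address(dst) in n for n in DROP_DST)

# Constructed state. Tunnel up: PostUp deleted the blackhole and added two rules.
LAN = [("192.168.1.0/24", "eth0", 100), ("0.0.0.0/0", "via 192.168.1.1", 100)]
TABLES_UP = {"main": LAN, "51820": [("0.0.0.0/0", "wg0", 0)]}
RULES_UP = [(32764, None, False, "main", 0),       # ip rule add table main suppress_prefixlength 0
            (32765, FWMARK, True, "51820", None),  # ip rule add not fwmark 51820 table 51820
            (32766, None, False, "main", None)]    # the kernel's default main rule
# Tunnel down: PreDown removed those rules and re-added the blackhole at metric 0.
TABLES_DOWN = {"main": LAN + [("0.0.0.0/0", "blackhole", 0)]}
RULES_DOWN = [(32766, None, False, "main", None)]

if __name__ == "__main__":
    print("up, app traffic to 1.1.1.1      ->", route(RULES_UP, TABLES_UP, "1.1.1.1"))
    print("up, WireGuard UDP to endpoint  ->", route(RULES_UP, TABLES_UP, "203.0.113.10", marked=True))
    print("down, app traffic to 1.1.1.1   ->", route(RULES_DOWN, TABLES_DOWN, "1.1.1.1"))
```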

The Role of PersistentKeepalive

  • Purpose: This setting helps maintain the VPN connection in environments with NAT by sending keepalive packets at set intervals.
  • Application: PersistentKeepalive = 25 ensures that the tunnel remains active and prevents the connection from timing out due to inactivity, which is crucial for maintaining the integrity of the kill switch.

Conclusion To Part 2

By understanding these components and their interactions, you can see how your configuration not only secures the data but also provides a fail-safe mechanism to handle scenarios where the VPN might unexpectedly disconnect. This theoretical knowledge reinforces the practical steps taken in setting up the VPN and ensures you have a robust setup on your Linux machine.
