VPN kill switch - does NetworkManager suffice, or does firewalld come to the rescue?

Hello all,

Yesterday I transitioned my server over from Ubuntu Server to Fedora Server. I am LOVING it so far, but had one quick question regarding NetworkManager VPNs. I have added my Mullvad WireGuard .conf file to NetworkManager and it’s working perfectly with no leaks, but I am worried about what happens if something ever happened to that connection: would it kill all traffic, or would I unknowingly be exposing all my server traffic directly via my ISP?

I have found online some people talking about setting up their VPN configurations with the firewall to only allow traffic through certain network devices, which seems like a good plan; however, I stumbled upon a forum post (How can I configure a killswitch for OpenVPN using firewalld? - #6 by vanadium - Fedora Discussion) in which someone says that simply adding a VPN config to NetworkManager is enough, and that it contains an inherent kill switch. Is this true?

Thanks in advance,

You can’t block outbound traffic with firewalld. It’s “not necessary.” If you want to block outbound traffic (say, to create a leakproof VPN), you have to use iptables or ufw. Perhaps nftables too, but I have no experience with it.

FWIW you mentioned Mullvad and a cursory web search shows they have a VPN application which also fails closed. The application is GUI and CLI based, and they provide a Fedora RPM for it.

The easiest way to do it without the app would be to use ufw: drop all in, drop all out, allow out to , allow all in/out over tun0 (or whatever the VPN interface is). This is like 4-5 commands for ufw…

Even if you don’t care about torrents, there are many good reasons someone would want to use a VPN kill switch. People can’t always trust their ISPs or governments, and while Tor is faster than it used to be, it’s blocked everywhere.
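The ufw approach sketched in the reply above, as an added example that is not part of the original thread: a script that generates the fail-closed rule set from the tunnel interface, endpoint address and port you read out of your WireGuard .conf, and audits any rule list for an outbound allow that bypasses the tunnel (the usual way a kill switch silently breaks). The interface names wg0/eth0, the endpoint 192.0.2.10 and port 51820 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a fail-closed ufw rule set and
# audit it for outbound rules that bypass the tunnel. All values below are
# constructed placeholders; take the real ones from your WireGuard .conf.
set -eu

# Print the ufw commands for a kill switch.
#   $1 tunnel interface (wg0 / tun0)   $2 VPN server IP (Endpoint host)
#   $3 VPN server UDP port             $4 physical uplink (e.g. eth0)
# Everything is denied by default; the only hole outside the tunnel is the
# UDP handshake to the VPN server, so a dropped tunnel drops all traffic.
killswitch_rules() {
  tun="$1"; endpoint="$2"; port="$3"; uplink="$4"
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow out on ${uplink} to ${endpoint} port ${port} proto udp
ufw allow in on ${tun}
ufw allow out on ${tun}
ufw --force enable
EOF
}

# Read a rule list on stdin and flag any "allow out" rule that is neither
# bound to the tunnel interface nor the handshake to the VPN endpoint.
# Returns 0 when the set is fail-closed, 1 when it leaks.
#   $1 tunnel interface   $2 VPN server IP
audit_rules() {
  tun="$1"; endpoint="$2"; leaks=0
  while IFS= read -r line; do
    case "$line" in
      *"allow out on ${tun}"*) ;;              # traffic inside the tunnel
      *"allow out"*"to ${endpoint}") ;;         # handshake to the endpoint
      *"allow out"*"to ${endpoint} "*) ;;
      *"allow out"*) printf 'leak: %s\n' "$line"; leaks=1 ;;
    esac
  done
  return "$leaks"
}

# Apply the rules (needs root); ufw --force skips the interactive prompts.
apply_killswitch() {
  killswitch_rules "$@" | while IFS= read -r cmd; do sudo $cmd; done
}

# Demo with constructed values: show the rules and confirm they pass the audit.
killswitch_rules wg0 192.0.2.10 51820 eth0
killswitch_rules wg0 192.0.2.10 51820 eth0 | audit_rules wg0 192.0.2.10 && echo "rule set is fail-closed"
```

Run `audit_rules` against your own `ufw status`-derived list whenever you add a rule later; a single `ufw allow out 53` for DNS, for example, is enough to turn the kill switch into a leak.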