Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Creating a kill switch for the OSX VPN client Network
I live in China so I have to use VPN all the time if I want any kind of stable connection to sites in the west. Unfortunately the VPN will at times randomly disconnect and then all traffic will immediately start going over chinese Internet again. While this is not a big deal really, I would just prefer not to be logged in to Facebook or Gmail and have my traffic open to be sniffed by the great firewall. It also occurred to me that many people use VPNs in the states in order to safely torrent.

I know some VPN providers have 'Internet kill switches' for their VPN that will cut your Internet connection incase of a disconnect and make sure you are not leaking anything. The problem with these is that they are almost all using openVPN, while I use L2TP over IPSec for my VPN. I searched for a long time for a way to do this and could not find one so I thought of a way to do it on my own. The following is how I set my system up. Please keep in mind that I am not an experienced Terminal user or power user so if anyone knows of a better way to do this please let me know.

The first thing you need to do is set up the order of your network services and disable 'Send all traffic over VPN connection.' Go to System Preferences » Network and perform the following actions:

Click on the gear icon at the bottom of the services list and choose 'Set Service Order.' Click and drag your main Internet connection to the top of the list. Then position your VPN connection so that it is the second item in the list. If you have multiple VPN connections you can place them all after your main Internet connection, just make sure that your main Internet connection is the first item in the list. This is important because of the way OSX handles the routing tables. I am sure there is a better way to do this with shell script and finding out exactly which connection to select and delete/add when routing, but it is beyond my skill right now.

Next you need to select your VPN in the list and click on Advanced in the bottom right hand corner. Under the Options tab there will be a check box for Send all traffic over VPN connection. Make sure it is UNCHECKED.

Now we are ready to move on. Open your favorite text editor and put in the following commands:
/sbin/route delete default
/sbin/route add default -interface ppp0
dscacheutil -flushcache
killall -HUP mDNSResponder 
If you are using TextEdit make sure to convert the text to text-only by pressing Cmd+Shift+T. Save this file to your desktop as ip-up. Next copy the file to your /etc/ppp folder and enter your administrator password when asked. OSX won't let you directly save a file to this folder so we have to do it in a roundabout way. In a Terminal window type the following:
sudo chmod 755 /etc/ppp/ip-up
What this did: the ip-up file is used by ppp to execute commands once a successful connection to a VPN is made. Any shell script will work pretty much, and the file is also passed several variables that can be used in the script. None of them were necessary for me so I have not included them here. If you want to execute commands when disconnected you can also create an ip-down file and place it in the same folder.

My script first deletes the top-most default route to the Internet. Without this default route, all traffic has to be manually routed in order to reach its proper destination. This is one reason why we wanted to make sure our main Internet connection was the first item in the services list. This way we can execute one command and make sure it deletes it every time.

Next we add a new default route and specify that it is to be routed over our VPN connection (ppp0).

Finally the last two commands clear out the DNS cache to make sure we are using DNS information from the servers specified in our VPN connection, and not our main Internet connection. It is debatable whether or not this is necessary, and for some people it may not be. DNS servers in China however are regularly poisoned and even after connecting to VPN I am sometimes unable to connect to some websites without first clearing my DNS cache.

At this point you now have what is essentially an Internet kill-switch. If your VPN disconnects the ppp daemon will automatically delete any routes it created, but will not restore the routes that we deleted in our ip-up file. Your traffic now routes to nowhere. You can check this by going to the Terminal and typing:
netstat -r
You should only see routes for your LAN and localhost/loopback interfaces.

I remembered reading about a problem with IPv6 and leaking DNS information, and since I don't use IPv6 for anything I decided I would take the extra step of disabling this as well. To do this, in a Terminal window type:
networksetup –setv6off SERVICENAME
Make sure to replace SERVICENAME with the name of your main Internet connection which can be found in the Network prefpane. For me it is 'Wi-Fi' without quotes.

Then go to your Network prefpane and select your Internet connection. Click on Advanced » TCP/IP. Under Configure IPv6 set it to 'Off.'

Now the next step is restoring Internet connectivity after you have disconnected from the VPN, and want to continue using your regular Internet connection. There are three ways that I have found to do this.
  1. Right click the Internet connection icon in the menubar and turn it off and then back on. This seems to recreate the default routes to your router.
  2. In Terminal type:
    sudo route add default -net DEFAULTGATEWAY
    Replace DEFAULTGATEWAY with your router's IP address. For me it is '' without the quotes.
  3. Use Alfred on OS X (which I highly recommend) so you can run scripts quickly just be typing their name or creating a workflow.
I created the following AppleScript that will restore connectivity when run:
set myip to 'DEFAULTGATEWAY' as text
do shell script "sudo route add default -net " & myip with administrator privileges
Again, change DEFAULTGATEWAY to your router's IP address. The only drawback to this is that it will prompt you for your administrator password. There are ways to set AppleScript up to automatically pass the password, but you are then storing your password in plain-text. If anyone wants to do this, a quick Google search will give you more information.

As far as I can tell this is one way to successfully create an Internet Kill-switch. I verified this by using before and after connection to my VPN to make sure that I was only using my VPN specified DNS, and after disconnecting from the VPN I was unable to browse the Internet. A check at each step using the netstat -r command also showed that there were no unwanted routes and that traffic was being properly routed over the VPN.

If anyone else has a better method for doing this, please let me know!

[crarko adds: There's a lot here, and my VPN setup does not need this. As always, if people give this a try please share your experiences in the comments.]
  • Currently 1.19 / 5
  You rated: 1 / 5 (54 votes cast)

Creating a kill switch for the OSX VPN client | 0 comments | Create New Account
Click here to return to the 'Creating a kill switch for the OSX VPN client' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.