Hi devs, you’re all doing an incredible job and I’ve donated twice already. Thank you! (I’m alex_tanner but forgot my pw)
There has been a lot of debate about a fail-closed mechanism or kill switch for VPN users on Whonix (cutting off all traffic to Tor if the VPN drops).
The recommended VPN-Firewall script by adrelanos on GitHub is fine, but there is a much quicker, safer and more efficient way to achieve this.
This guide is for VPNs that are set up on the host.
Literally all you have to do is modify your Whonix-External.xml to reflect the following:
<network>
  <name>Whonix-External</name>
  <forward dev='tun0' mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
  </ip>
</network>
This is the key component: it tells libvirt to use tun0, and only tun0, as the outgoing device for NAT.
<forward dev='tun0' mode='nat'/>
Libvirt will automatically create these iptables rules when the Whonix-External network is started; they only allow forwarded traffic from the Whonix-Gateway out through the tun0 interface, plus the established replies coming back.
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -o tun0 -j ACCEPT
That’s it.
If your VPN connection drops, all Whonix connectivity dies instantly, because tun0 is the only target for NAT.
Thus, incoming traffic can’t get through, because the ESTABLISHED connection rule points to the internal IP of your tun0 interface (which is not assigned once the VPN drops), and outgoing traffic doesn’t work either for the same reason.
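To confirm on the host that the rules really look like the two lines above (and that nothing else lets the 10.0.2.0/24 subnet out through another interface), here is a small check script. It is an added example, not part of the original post or of Whonix; it assumes the subnet, bridge name and VPN interface from the post, and reads rules in the `iptables -S FORWARD` format. The two rule sets at the bottom are constructed samples: the first mirrors what the post shows, the second contains an extra (hypothetical) rule via eth0 that would bypass the VPN.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the FORWARD chain only
# lets the Whonix-Gateway subnet out via the VPN interface.
# Assumptions, taken from the post: subnet 10.0.2.0/24, bridge virbr1, VPN dev tun0.

SUBNET="10.0.2.0/24"
BRIDGE="virbr1"
VPN_IF="tun0"

# check_forward_rules RULES
# RULES is text in `iptables -S FORWARD` format. Returns 0 when the expected
# virbr1 -> tun0 ACCEPT rule is present and no ACCEPT rule sends the subnet out
# through any other interface; returns 1 (with a reason on stderr) otherwise.
check_forward_rules() {
    rules="$1"
    # The rule libvirt emits for <forward dev='tun0' mode='nat'/> (as quoted in the post).
    if ! printf '%s\n' "$rules" | grep -F -q -- "-A FORWARD -s $SUBNET -i $BRIDGE -o $VPN_IF -j ACCEPT"; then
        echo "missing: $BRIDGE -> $VPN_IF ACCEPT rule" >&2
        return 1
    fi
    # Any ACCEPT for the subnet whose -o is not the VPN interface would leak around it.
    leak=$(printf '%s\n' "$rules" \
        | grep -F -- "-s $SUBNET" \
        | grep -F -- "-j ACCEPT" \
        | grep -F -- "-o " \
        | grep -F -v -- "-o $VPN_IF" || true)
    if [ -n "$leak" ]; then
        echo "leak: $leak" >&2
        return 1
    fi
    return 0
}

# Live check on the host (needs root and the Whonix-External network started).
live_check() {
    check_forward_rules "$(iptables -S FORWARD)"
}

# Constructed sample: what the post says libvirt generates.
GOOD_RULES='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -o tun0 -j ACCEPT'

# Constructed sample: same rules plus a hypothetical extra ACCEPT via eth0,
# which would let gateway traffic bypass the VPN.
LEAKY_RULES='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -o tun0 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -o eth0 -j ACCEPT'

# Offline demonstration when run directly.
check_forward_rules "$GOOD_RULES" && echo "sample rules: OK"
check_forward_rules "$LEAKY_RULES" || echo "leaky rules: rejected as expected"
```

Run `live_check` as root after starting the Whonix-External network to test the real host; it only inspects the FORWARD chain, which is where the two rules from the post live.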
Hope this helps.