I was looking for a killswitch solution for Linux that was rock solid. I found the method of using ufw and only allowing traffic out on the tunnel device. Initially, I was running one script that initialised the killswitch and another to uninitialise it (when I wanted to reconnect to the VPN after a VPN connection failure). In the end, I made one complete script. I may one day make this a cron job. However, I'm satisfied with how it works as a manually run script. Note: the script outlined in this post needs to be run as root (with sudo), since both ufw and 'nmcli connection up' require it.
#!/bin/bash
#
# ufw-based VPN killswitch: only traffic leaving via the tunnel device is
# allowed out. Must run as root (ufw and 'nmcli connection up' need it).
#
# Things a user may need to edit to get this to work: TUNNEL_NAME, as the
# tunnel may not be named tun0 on your distribution. Find the name with
# 'ip link' (or ifconfig) while the tunnel is running.
#
# TUNUUID must also be changed to the UUID of your Network Manager VPN
# connection: run 'nmcli connection show' in your shell while the tunnel is
# active (assuming a Network Manager managed connection) and plug that UUID
# into the variable below.
#
# The zenity dialog gives visual feedback on what is going on with the
# internet connection / VPN when the script runs unattended (e.g. from
# cron). It needs a reachable X display (DISPLAY set), so drop it or
# replace it with logger(1) on a headless box.
WGET="/usr/bin/wget"
TUNNEL_NAME="tun0"
TUNUUID="ea72604d-7efd-48bd-8591-3cb1deba1de4"

# Test for internet connectivity. Use a private temp file rather than a
# fixed, predictable name in /tmp: this runs as root, and a fixed path is
# open to a symlink race by any local user. With -O, wget creates the file
# even when the download fails, so the test below checks for a non-empty file.
TESTFILE=$(mktemp) || exit 1
trap 'rm -f "$TESTFILE"' EXIT
$WGET -q --tries=20 --timeout=10 http://www.google.com -O "$TESTFILE" &> /dev/null

# Test for the vpn firewall killswitch (is it in place yet?). grep -c prints
# 0 when ufw is inactive or when no rule mentions the tunnel device.
connstatus=$(ufw status | grep -c "$TUNNEL_NAME")
echo "$connstatus"

# Reinitialise when the killswitch is not yet in place (e.g. at startup), or
# when it is in place but the connectivity test failed (VPN dropped).
if [ "$connstatus" -eq 0 ] || [ ! -s "$TESTFILE" ]
then
    echo "Not Connected..."
    zenity --info --width=300 --title "VPN Connection Process" --text="VPN Reinitialisation..."
    # Temporarily allow outgoing traffic on all interfaces so the VPN client
    # can reach its server. Traffic is NOT protected during this window.
    # '--force' skips ufw's interactive "may disrupt ssh" confirmation.
    ufw --force reset
    ufw default deny incoming
    ufw default allow outgoing
    ufw --force enable
    nmcli connection up "$TUNUUID"
    # Lock down again: deny everything except what leaves via the tunnel.
    # If 'nmcli connection up' failed, this still applies, so nothing leaks
    # to the physical interface; the next run sees the dead connection and
    # retries.
    ufw --force reset
    ufw default deny incoming
    ufw default deny outgoing
    ufw allow out on "$TUNNEL_NAME" from any to any
    ufw --force enable
else
    echo "Connected..."
fi
# The EXIT trap above removes the test file for the next run of the script.
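The check the script relies on, 'ufw status | grep -c $TUNNEL_NAME', only counts lines that mention the tunnel device. It does not confirm that ufw is active, that the default outgoing policy is deny, or that the matching line is actually an ALLOW OUT rule on that interface, so a half-applied state can pass as "killswitch on". The following is an added example, not the post's script, that parses 'ufw status verbose' for all three conditions. The function name killswitch_ok and the --live flag are this example's own, and the three sample status texts are constructed to mirror the 'ufw status verbose' layout (Status/Default header lines followed by a To/Action/From table), so the check can be exercised offline without root.

```shell
#!/bin/bash
# Added example (not the post's script): verify that the ufw killswitch is
# actually in force by parsing 'ufw status verbose'. Three things must hold:
#   1. ufw is active,
#   2. the default outgoing policy is deny,
#   3. there is an ALLOW OUT rule bound to the tunnel interface.
# The function takes the status text as an argument so it can be tested
# against captured output; on a live box, feed it "$(ufw status verbose)".

TUNNEL_NAME="${TUNNEL_NAME:-tun0}"

# killswitch_ok <tunnel-if> <status-text>
# Returns 0 when the killswitch is in place, 1 otherwise, and reports the
# first failed check on stderr.
killswitch_ok() {
    local tun="$1" status="$2"

    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "killswitch: ufw is not active" >&2
        return 1
    fi
    # Header line looks like:
    #   Default: deny (incoming), deny (outgoing), disabled (routed)
    if ! printf '%s\n' "$status" | grep -q '^Default: .*deny (outgoing)'; then
        echo "killswitch: default outgoing policy is not deny" >&2
        return 1
    fi
    # Rule lines look like:
    #   Anywhere on tun0           ALLOW OUT   Anywhere
    #   Anywhere (v6) on tun0      ALLOW OUT   Anywhere (v6)
    if ! printf '%s\n' "$status" | grep -Eq "^Anywhere (\(v6\) )?on ${tun}[[:space:]]+ALLOW OUT"; then
        echo "killswitch: no ALLOW OUT rule on ${tun}" >&2
        return 1
    fi
    return 0
}

# Constructed sample (hypothetical capture, modelled on the ufw status verbose
# layout) for the locked-down state the post's script ends in.
LOCKED_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tun0           ALLOW OUT   Anywhere
Anywhere (v6) on tun0      ALLOW OUT   Anywhere (v6)'

# Constructed sample for the reconnection window, when the script has reset
# ufw to "default allow outgoing" and no tunnel rule exists yet.
OPEN_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed sample for ufw disabled altogether (what 'ufw --force reset'
# leaves behind until 'ufw enable' runs).
INACTIVE_STATUS='Status: inactive'

if [ "${1:-}" = "--live" ]; then
    # Real check: needs root, because 'ufw status' does.
    killswitch_ok "$TUNNEL_NAME" "$(ufw status verbose)" && echo "killswitch in place"
else
    killswitch_ok "$TUNNEL_NAME" "$LOCKED_STATUS"   && echo "LOCKED_STATUS: killswitch in place"
    killswitch_ok "$TUNNEL_NAME" "$OPEN_STATUS"     || echo "OPEN_STATUS: killswitch NOT in place"
    killswitch_ok "$TUNNEL_NAME" "$INACTIVE_STATUS" || echo "INACTIVE_STATUS: killswitch NOT in place"
fi
```

Run it without arguments to see the three constructed states evaluated; run it as root with --live to check the real firewall. Dropped into the post's script in place of the grep -c line, a failed check in the "Connected" branch is exactly the half-applied state (for instance, a run killed between 'ufw --force reset' and 'ufw enable') that the line count alone would miss.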