VPN kill switch: how to do it on Linux

I wanted to implement a 100% reliable VPN kill switch for my IoT devices: prohibit any outgoing traffic when a VPN is not active. After doing quite a bit of research I found a solution that uses Linux policy-based routing. This works for OpenVPN and Wireguard, and should also work for any VPN that uses exactly one port for the communication. The local traffic is not affected by the switch.

Hope this helps someone configure a VPN kill switch for apps/IoT devices/etc. There is also a section about Linux policy-based routing which is useful on its own.

If you plan to try this on the router, please make sure to test it first and then enable on boot :slight_smile:
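The policy-based-routing scheme described above, written out as an added example script (not the original poster's own script). It assumes, beyond what the thread states, a WireGuard interface with a fixed `ListenPort = 51820` (UDP), a LAN of 192.168.1.0/24 that must stay reachable, an unused routing table 100, and `Table = 100` in the wg-quick config so the tunnel's routes land in that table only while the interface is up.

```shell
#!/bin/sh
# VPN kill switch via Linux policy-based routing (added example, not from the thread).
# Assumed values, not taken from the original post: WireGuard listens on 51820/udp,
# the LAN is 192.168.1.0/24, routing table 100 is free, and wg-quick is configured
# with "Table = 100" so "default dev wg0" is placed in table 100 while the tunnel is up.
# Requires iproute2 and a kernel >= 4.17 for the "ipproto" and "sport" rule selectors.
VPN_PORT="${VPN_PORT:-51820}"
VPN_PROTO="${VPN_PROTO:-udp}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_TABLE="${VPN_TABLE:-100}"

# Print the iproute2 commands that build the switch, one per line, without running them.
# Lookup order: LAN traffic -> main table (unaffected); the VPN's own encapsulated
# packets (fixed source port) -> fall through to main; everything else -> table 100,
# where the tunnel's default route (metric 0) wins while it exists and the
# "prohibit" route (metric 1000) answers with EACCES once the tunnel is gone.
killswitch_cmds() {
  cat <<EOF
ip route add prohibit default table ${VPN_TABLE} metric 1000
ip rule add to ${LAN_NET} lookup main priority 100
ip rule add not ipproto ${VPN_PROTO} sport ${VPN_PORT} lookup ${VPN_TABLE} priority 110
EOF
}

# Print the commands that undo the switch, in reverse order.
killswitch_remove_cmds() {
  cat <<EOF
ip rule del not ipproto ${VPN_PROTO} sport ${VPN_PORT} lookup ${VPN_TABLE} priority 110
ip rule del to ${LAN_NET} lookup main priority 100
ip route del prohibit default table ${VPN_TABLE} metric 1000
EOF
}

# Apply or remove only when explicitly asked and running as root; otherwise dry-run.
case "${1:-}" in
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    killswitch_cmds | sh -e ;;
  --remove)
    [ "$(id -u)" -eq 0 ] || { echo "run as root to remove" >&2; exit 1; }
    killswitch_remove_cmds | sh ;;
  *)
    killswitch_cmds ;;
esac
```

Test it from a console session before enabling it at boot: with the switch applied, `ip route get 1.1.1.1` should show the wg0 route while the tunnel is up and "Permission denied" after `wg-quick down`, while a LAN address still resolves via the main table.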

Shouldn’t the ip rule be set to configure `dport` instead of `sport`? The source port on the client side is random.

Something like this for WireGuard:

```
$ ip rule add not dport 51820 table vpn1
```

(edit: sport → dport)

Both are possible. I used sport because it depends on the configuration of the node where I set up the kill switch (not some other VPN node). The source port is not random if you set it in the WireGuard configuration.

True, it’s random by default; it can be set static.