
Killswitch Broken under ProtonVPN w/ WireGuard

Open ghost opened this issue 3 years ago • 6 comments

Killswitch stopped working for me as soon as I updated to the new version of the ProtonVPN macOS client, which adds WireGuard capabilities -- and I don't see any way to disable it.

First, it won't pick up the VPN IP so enabling it without providing the IP with -ip immediately blocks all traffic. Second, when you do provide the IP address it seems to work only 20-ish percent of the time -- it shows a PEER IP address but it still blocks all traffic. I've verified this is the correct IP. When I disable the killswitch, internet works again.

(screenshot attached: 10-19-2021 15:59:18)

ghost avatar Oct 19 '21 20:10 ghost

Hi @mattgeowild, interesting, because the rules allow any traffic from the peer IP *.164. Maybe adding the IP 10.X will help to keep the tunnel up, since I think that is the IP you get from the WireGuard client. After running killswitch you can modify the rules in /tmp/killswitch.pf.conf; add something like:

pass inet from any to 10.2.0.0/16 flags S/SA keep state
pass inet from 10.2.0.0/16 to any flags S/SA keep state

and then run:

sudo pfctl -Fa -f /tmp/killswitch.pf.conf

It's just a guess, because the rules are already allowing all on utun7, but give it a try.

nbari avatar Oct 20 '21 10:10 nbari

Hi @nbari, unfortunately it looks like that isn't working either. (screenshot attached: 10-21-2021 14:41:38)

ghost avatar Oct 21 '21 18:10 ghost

Hi @mattgeowild, did you add:

pass inet from any to 10.2.0.0/16 flags S/SA keep state
pass inet from 10.2.0.0/16 to any flags S/SA keep state

Can you share your /tmp/killswitch.pf.conf?

nbari avatar Oct 21 '21 20:10 nbari

Not the best answer, but from the client, under profiles, you can select OpenVPN/UDP:

(screenshot attached: 2021-10-21 22:24:01)

nbari avatar Oct 21 '21 20:10 nbari

> Hi @mattgeowild, did you add:
>
> pass inet from any to 10.2.0.0/16 flags S/SA keep state
> pass inet from 10.2.0.0/16 to any flags S/SA keep state
>
> Can you share your /tmp/killswitch.pf.conf?

I did, and I tried again just now, but it looks like enabling the killswitch resets the .conf? Here's my /tmp/killswitch.pf.conf anyway, but it doesn't look like the file changes are applying correctly. When I add the lines, exit nano and then re-enter, the changes are saved -- so it's not an issue with permissions or with my text editor, but with the file being reset or rolled back somehow. (screenshot attached: 10-24-2021 12:04:55)

Also, thank you for pointing out the protocol switcher. When I switch it to IKEv2, it works just fine. Killswitch doesn't like something about WireGuard, I guess.

ghost avatar Oct 24 '21 16:10 ghost

Hi @mattgeowild, modify the file /tmp/killswitch.pf.conf, and to load the rules run this:

sudo pfctl -Fa -f /tmp/killswitch.pf.conf

If you run killswitch again, it will overwrite your changes.

Just in case, to reset your firewall rules run:

sudo pfctl -Fa -f /etc/pf.conf

That is like doing killswitch -d.

nbari avatar Oct 24 '21 16:10 nbari
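The two suggestions in this thread (adding pass rules for the 10.2.0.0/16 tunnel range to /tmp/killswitch.pf.conf, then loading them with pfctl -Fa -f, and resetting with /etc/pf.conf) put together as one added example script. This is not code from the killswitch project or from either participant; it assumes killswitch writes its rules to /tmp/killswitch.pf.conf as the thread says, and the peer address 203.0.113.10, the interface utun7 and the range 10.2.0.0/16 are constructed placeholders. The tunnel_rules_loaded check is there for the symptom reported above: after re-running killswitch the file is rewritten, so it asks pf what is actually loaded rather than trusting the file.

```shell
#!/bin/sh
# Added example for this thread, not the killswitch project's own code.
# It renders a pf rule set that keeps a WireGuard tunnel usable under a
# block-all policy, loads or resets it with the same pfctl commands the
# thread uses, and checks whether the tunnel-side rules are actually
# loaded (the reported symptom is the file being reset by killswitch).
# Addresses and interface names are constructed placeholders.

# Assumption: killswitch writes its rules here (as stated in the thread).
RULES_FILE="${RULES_FILE:-/tmp/killswitch.pf.conf}"

# is_ipv4 A.B.C.D -> 0 when the argument is four dotted decimal groups
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# render_rules PEER_IP TUN_IF TUN_NET -> prints the rule set on stdout
#   PEER_IP  the WireGuard endpoint (what killswitch shows as PEER IP)
#   TUN_IF   the tunnel interface (utun7 in the thread)
#   TUN_NET  the address range used inside the tunnel (10.2.0.0/16)
render_rules() {
  peer="$1"; tun_if="$2"; tun_net="$3"
  # refuse anything that is not an IPv4 literal: an empty or malformed
  # value would otherwise silently widen the "to $peer" rule
  if ! is_ipv4 "$peer"; then
    printf 'render_rules: %s is not an IPv4 address\n' "$peer" >&2
    return 1
  fi
  cat <<EOF
# generated by the example script, not by killswitch
set block-policy drop
set skip on lo0
block all
# everything already inside the tunnel is fine
pass on $tun_if all
# the encrypted WireGuard datagrams must still reach the endpoint
pass inet proto udp from any to $peer keep state
# tunnel-side addresses, as suggested in the thread
pass inet from any to $tun_net flags S/SA keep state
pass inet from $tun_net to any flags S/SA keep state
EOF
}

# apply_rules FILE -> flush and load, the same command the thread uses
apply_rules() {
  sudo pfctl -Fa -f "$1"
}

# reset_rules -> back to the stock macOS rule set (like "killswitch -d")
reset_rules() {
  sudo pfctl -Fa -f /etc/pf.conf
}

# tunnel_rules_loaded TUN_NET -> 0 if pf currently has a rule mentioning
# TUN_NET, 1 if not (your edit was overwritten or never loaded),
# 2 if pfctl is unavailable or cannot be queried on this host
tunnel_rules_loaded() {
  command -v pfctl >/dev/null 2>&1 || return 2
  loaded=$(sudo -n pfctl -sr 2>/dev/null) || return 2
  printf '%s\n' "$loaded" | grep -Fq "$1"
}

# Typical use on the Mac from the thread (runs only when given 3 args):
#   sh killswitch-wg.sh 203.0.113.10 utun7 10.2.0.0/16
if [ "$#" -eq 3 ]; then
  render_rules "$1" "$2" "$3" > "$RULES_FILE" || exit 1
  apply_rules "$RULES_FILE"
  if tunnel_rules_loaded "$3"; then
    echo "tunnel rules are loaded"
  else
    echo "tunnel rules not loaded (rc=$?)"
  fi
fi
```

Run it once after connecting with WireGuard, then re-run only tunnel_rules_loaded (for example `. ./killswitch-wg.sh; tunnel_rules_loaded 10.2.0.0/16; echo $?`) whenever killswitch has been restarted: a 1 tells you the generated file has replaced your rules and apply_rules has to be repeated.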