Kali OpenVPN Killswitch

This is a guide to configuring Kali so that network traffic can only leave the machine through an OpenVPN tunnel. If the VPN drops for any reason, traffic is blocked rather than sent in the clear over the physical interface.


Install Required Packages

Install the following packages.

apt-get install network-manager-openvpn network-manager-openvpn-gnome iptables-persistent

Import your OpenVPN config

It’s best to do this via nmcli rather than the GUI, as you get detailed error messages:

nmcli connection import type openvpn file yourprofile.ovpn

If it fails to connect, watch the log while you retry: tail -f /var/log/syslog (or journalctl -f on a Kali install without rsyslog).

If you see an error similar to the one below:

kali gnome-shell[1030]: Invalid VPN service type (cannot find authentication binary)

This is a known bug. To fix this issue, go to:

Settings > Network > YourProfile, then click the box next to password, and select all users.

The menu next to the Password field offers these options; select the second one:

  Store the password only for this user
  Store the password for all users   (select this)
  Ask for this password every time
  The password is not required

Configuring the Firewall

Paste the commands below into a terminal as root. The port and protocol on the VPN server rule must match what your provider's server listens on. Note that the default policies drop everything unsolicited, so after this no new inbound connections (SSH included) will be accepted, and only the VPN endpoint, DNS and DHCP are reachable outside the tunnel.

# Start from an empty ruleset
iptables -F
iptables -X

# Default to dropping everything; the rules below are the only exceptions
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Loopback must stay open or local services break
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections that were permitted to start
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow anything that goes out through the tunnel interface
iptables -A OUTPUT -o tun+ -j ACCEPT

# Allow the connection to the VPN server itself. Ensure the port and
# protocol match your VPN provider (1198/udp here).
iptables -A OUTPUT -p udp --dport 1198 -j ACCEPT

# Allow DNS so the VPN server's hostname can be resolved before the tunnel
# is up (needed if your provider uses DNS round robin between server IPs).
# This is plaintext DNS outside the tunnel: any lookup made while the VPN
# is down leaves over the physical interface, so restrict it to your
# resolver's address if you can, and do not rely on it for anything else.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow DHCP on the physical interface; change eth0 to wlan0 (or whatever
# ip link shows) if you are on wireless
iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Explicit final drops: redundant with the DROP policies above, but they
# make the intent obvious when reading iptables -S
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP

Save the rules so they are restored at boot

netfilter-persistent save
update-rc.d netfilter-persistent enable

On a current (systemd) Kali use systemctl enable netfilter-persistent instead of update-rc.d. The save writes /etc/iptables/rules.v4 and /etc/iptables/rules.v6; since nothing above touched ip6tables, rules.v6 will hold the default ACCEPT policies, and IPv6 traffic is not covered by this kill switch unless you add matching ip6tables rules.
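The same ruleset as a script, added here as an example and not part of the original guide: it renders the kill switch in iptables-restore format (the format netfilter-persistent saves and loads), so the server port, protocol, physical interface and resolver are parameters rather than hand-edited lines, and it adds the ip6tables counterpart so IPv6 cannot bypass the switch. The function names, the optional resolver pin and the assumption that the VPN endpoint is reached over IPv4 are mine, not the guide's. The last function checks a live ruleset's default policies and is exercised below against a constructed iptables -S sample.

```sh
#!/bin/sh
# Added example, not from the original guide: render the OpenVPN kill
# switch as iptables-restore / ip6tables-restore files and check the
# default policies of a running ruleset.
# Assumptions: VPN endpoint reached over IPv4; DNS outside the tunnel is
# only needed to resolve the server name before the tunnel comes up.

# render_v4_rules PORT PROTO WAN_IF [DNS_SERVER]
#   PORT/PROTO  what the VPN server listens on (1198/udp in the guide)
#   WAN_IF      physical interface, e.g. eth0 or wlan0 (DHCP rule only)
#   DNS_SERVER  optional resolver IP; when given, plaintext DNS outside the
#               tunnel is limited to that host instead of any host
render_v4_rules() {
    r4_port="$1"; r4_proto="$2"; r4_if="$3"; r4_dns=""
    if [ -n "${4:-}" ]; then r4_dns="-d $4 "; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p ${r4_proto} --dport ${r4_port} -j ACCEPT
-A OUTPUT ${r4_dns}-p udp --dport 53 -j ACCEPT
-A INPUT -i ${r4_if} -p udp --sport 67:68 --dport 67:68 -j ACCEPT
COMMIT
EOF
}

# render_v6_rules: nothing leaves over IPv6 except through the tunnel.
# Without this, ip6tables keeps its ACCEPT policies and IPv6 traffic
# walks straight past the kill switch.
render_v6_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
EOF
}

# policies_are_drop "$(iptables -S)": succeeds only if every built-in
# filter chain defaults to DROP. Works on ip6tables -S output as well.
policies_are_drop() {
    for pad_chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$1" | grep -qx -- "-P ${pad_chain} DROP" || return 1
    done
    return 0
}

# Usage as root, after reading the rendered output:
#   render_v4_rules 1198 udp eth0 > /etc/iptables/rules.v4
#   render_v6_rules > /etc/iptables/rules.v6
#   iptables-restore < /etc/iptables/rules.v4
#   ip6tables-restore < /etc/iptables/rules.v6
#   policies_are_drop "$(iptables -S)" && policies_are_drop "$(ip6tables -S)" \
#       && echo "kill switch active"
# Run directly, the script only prints both rulesets for review.
render_v4_rules "${1:-1198}" "${2:-udp}" "${3:-eth0}" "${4:-}"
render_v6_rules
```

Writing the files into /etc/iptables means netfilter-persistent loads exactly this ruleset at boot, and passing the resolver as the fourth argument closes the one plaintext path the guide leaves open to arbitrary hosts.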