I am running EndeavourOS with XFCE 4 and am using Mullvad as my VPN. To be clear, I know Mullvad’s client has a lockdown and kill switch mode, but it seems like after updating it my PC is connecting to the internet without it. I could be mistaken, but I don’t think it’s blocking anything at that point. I would likely have to wait until the next Mullvad update to test this for sure though. If someone can either confirm or deny my suspicions I would greatly appreciate it, because I wouldn’t have to find another workaround.

All that said, if that is the case, how can I prevent my PC from connecting to the internet when Mullvad is not running?

Maybe there’s a simple option like binding the network manager to the Mullvad client application? Ideally I’d like to avoid either not using their client and using some thrown-together update script like

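#!/bin/bash

# Run the system update in a terminal window
xfce4-terminal --command="sudo pacman -Syu";

# Start the Mullvad GUI (the path contains a space, so it must be quoted)
"/opt/Mullvad VPN/mullvad-vpn";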


Edit: Maybe it is connecting after the update but not showing the GUI. I came across this post on GitHub

I have a Mullvad desktop app set to launch on start-up. Also “Start minimized” is set to false. At the system start-up I get connected to the VPN, so the Mullvad daemon apparently starts, but no application window launches. I have to launch it manually.

I did not check to see if this was happening after I updated.

5 points

This option right here, in Plasma network settings.

3 points

Would that option work with the Mullvad client though or would I need to setup the ovpn files and what not?

I can check the box to allow it but right now the option to select a connection (to the right) is greyed out.

6 points

You need to set up a separate VPN connection in the same window, then you link that VPN connection to your WiFi or Ethernet connection using the option above.

If the system cannot initialize the VPN connection, the WiFi connection will also fail.

You will need an .ovpn file; you can download it from the Mullvad website.

5 points

There are probably multiple ways. You could configure your Linux firewall to only allow the VPN interface for all destinations different from your LAN or you could make sure the default gateway is set to a VPN IP in the route config.

5 points

Do you have any recommendations for guides on how to do the former? I saw posts like this AskUbuntu post, but they use the .ovpn files instead of the Mullvad client, from my understanding.

2 points

If you’re on XFCE, you can import the .ovpn files really easily. Right-click the network icon and choose “Edit connections” (you can also get there by going to Advanced Network Configurations). Then click the plus sign at the bottom left of the window and choose “Import a Saved VPN Configuration” in the dropdown menu that appears. Click “Continue” and you’ll be able to pick the .ovpn file wherever you might have saved it.

4 points

Turning off WiFi is technically a solution. You won’t connect to WiFi without using a VPN. 🙃

1 point

May I ask how I can accomplish this?

I’ve tried with a systemd service file, but I don’t know how yet. Is there a better solution?

I want to stop the interface on shutdown, sleep and hibernate.

1 point

Not sure about how to automate it, but you could probably just flip the switch in the system tray. You could also tie it to a power profile.

I wasn’t really being serious with this reply. Your post seems to suggest you want to prevent wifi connection until a VPN connection is established. My suggestion was just to turn off wifi altogether due to some wordplay allowed from the title.

1 point

I will figure it out somehow.

I need another service to stop on connection loss (e.g. slow internet), any idea how?

1 point

iptables -I OUTPUT -o $NIC_IF ! -d $VPN_REMOTE -j DROP

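A fuller form of the `iptables` one-liner above and of the earlier "only allow the VPN interface" suggestion, as an added example that is not part of any commenter's post. It only prints rules for review; the function name, the `VPN_ONLY` chain name and the values `eth0`, `tun0`, `203.0.113.10` and `192.168.1.0/24` are constructed placeholders.

```shell
#!/bin/sh
# Added example: print a VPN-only egress ruleset for review. Nothing is applied.
# All arguments are placeholders: use your own NIC, VPN server IP, tunnel
# interface and LAN range. VPN_REMOTE must be an IP address, because DNS
# lookups outside the tunnel are blocked once the rules are active.

killswitch_rules() {
    nic_if=$1 vpn_remote=$2 vpn_if=$3 lan_cidr=$4

    # An empty value would leave a rule without its match (for example "-d"
    # with no address), so refuse to emit anything.
    for value in "$nic_if" "$vpn_remote" "$vpn_if" "$lan_cidr"; do
        if [ -z "$value" ]; then
            echo "usage: killswitch_rules NIC_IF VPN_REMOTE VPN_IF LAN_CIDR" >&2
            return 2
        fi
    done

    # Rule order: loopback, tunnel, VPN server on the physical NIC, LAN,
    # DHCP renewals (broadcast, so not covered by the LAN rule), then DROP.
    # The two ip6tables inserts both go to position 1, so the tunnel ACCEPT
    # ends up above the DROP; without them IPv6 would bypass the IPv4 rules.
    cat <<EOF
iptables -N VPN_ONLY
iptables -A VPN_ONLY -o lo -j ACCEPT
iptables -A VPN_ONLY -o $vpn_if -j ACCEPT
iptables -A VPN_ONLY -o $nic_if -d $vpn_remote -j ACCEPT
iptables -A VPN_ONLY -o $nic_if -d $lan_cidr -j ACCEPT
iptables -A VPN_ONLY -o $nic_if -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A VPN_ONLY -j DROP
iptables -I OUTPUT 1 -j VPN_ONLY
ip6tables -I OUTPUT 1 ! -o lo -j DROP
ip6tables -I OUTPUT 1 -o $vpn_if -j ACCEPT
EOF
}

# Constructed sample values (documentation address range, generic names).
killswitch_rules eth0 203.0.113.10 tun0 192.168.1.0/24
```

After reviewing the output, pipe it to `sudo sh` to apply it; the rules are not persistent and disappear on reboot unless saved.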
1 point

Qubes is the best solution/architecture for this.

You can set something up with network namespaces and default routes that reduces possible exposure to direct internet routing, but unless it's enforced at some higher level (like through VMs) then there is a risk.

You can use an external VPN device like OpenWrt as your uplink.

Depending on how much control you have of your network, you can make the default VLAN of your computer non-internet routable, and only Mullvad can talk to a VLAN with direct internet access. (So if something spins up your network stack, it won't route to the internet.)

At your router/gateway, apply firewall rules such that ONLY the VPN endpoint is routable (either from the whole network, or just that computer, or just that VLAN, etc.)
