Centos7 VPN Killswitch Support

edited September 2017 in Linux VPN Setup
So I have spent the last 2-3 days researching everything I can on getting a VPN killswitch working on CentOS 7. I have read almost all the threads in this category and tried everything I could, but nothing seems to work. I can connect with OpenVPN just fine and get that working, but whenever the VPN connection dies, everything just starts running over the eth0 interface and my data is exposed. Any time I restrict the eth0 interface, the tun0 connection also seems to get restricted. Below is what I started working on, but as soon as I run this, I can no longer ping or curl anything. Does PIA have any support for a CentOS killswitch? I tried using the directions here (https://www.privateinternetaccess.com/forum/discussion/22605/vpn-killswitch) but the iptables command is invalid and doesn't work.

#flush existing rules
iptables -F

#set default to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#allow ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT

Post edited by banks on


  • What/which command is 'invalid and doesn't work'?

    the thread appears to be a very well-developed discussion and collaboration.


  • The command: iptables -A OUTPUT ! -m owner --uid-owner pia ! -o tun+ -j DROP

    The result: iptables v1.4.21: unexpected ! flag before --match
  • OK, so lack of sleep and I guess I totally missed the correction in a later post on that thread. Still not working right, but I'm working through it. Thanks for calling me out.
  • Huh? "Calling me out"? There is no antagonism at this end, just steering you in a better direction.

  • Hah, no, not being mean. I am genuinely thankful, as I wouldn't have known to go back and re-read, so an honest thanks actually. For those who stumble across this thread, here is the script I wrote to set up iptables. I did some basic DNS leak testing to verify that I was getting proper DNS entries from PIA instead of my ISP. I also can kill the OpenVPN process, and any time I try to ping anything or curl anything I get "Could not resolve host." Also, once connected to PIA, checking for my IP always returns a PIA public IP, so it looks like I have this working now.

    #!/bin/bash

    #clear existing rules: reset policies to ACCEPT, then empty every table and chain
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
    iptables -Z

    #allow ssh (inbound to port 22 on eth0, and the matching replies back out)
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    #allow only vpn traffic: drop any outbound packet that is not marked 0x1
    #and is not leaving through a tun interface. The mark is what lets the
    #OpenVPN process itself reach the PIA server over eth0.
    iptables -A OUTPUT -m mark ! --mark 0x1 ! -o tun+ -j DROP

    sleep 2

    #start OpenVPN; --mark 1 sets fwmark 1 on its own socket so the tunnel's
    #outer packets pass the DROP rule above
    nohup openvpn --config /etc/openvpn/client.conf --mark 1 > /dev/null 2>&1 &
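To make it concrete why the first ruleset in this thread blocks everything while the final one works, here is a small Python model of the OUTPUT chain as the two scripts define it. This is an added illustration, not code from the thread or from PIA; it never touches netfilter, the packets are constructed for the example, and the `allow_loopback` switch goes beyond the thread by showing the effect of an extra `-o lo -j ACCEPT` rule that the posted script does not have.

```python
# Toy model of the iptables OUTPUT chain for the two killswitch rulesets in
# this thread. Added illustration only: it does not program netfilter, and
# every packet below is constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    """The packet attributes the two rulesets actually match on."""
    name: str
    out_iface: str                 # iptables -o
    proto: str = "any"             # -p
    sport: Optional[int] = None    # --sport
    state: str = "NEW"             # -m state --state
    mark: int = 0                  # fwmark; 'openvpn --mark 1' sets 1 on its own socket


@dataclass
class Rule:
    target: str                          # ACCEPT or DROP
    match: Callable[[Packet], bool]      # the combined match expression
    text: str                            # the iptables line it stands for


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy


def ssh_reply(p: Packet) -> bool:
    # -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    return (p.out_iface == "eth0" and p.proto == "tcp"
            and p.sport == 22 and p.state == "ESTABLISHED")


def first_attempt_output() -> Chain:
    """The original poster's first script: policy DROP, only ssh replies and tun0 pass."""
    return Chain("DROP", [
        Rule("ACCEPT", ssh_reply, "-o eth0 -p tcp --sport 22 --state ESTABLISHED -j ACCEPT"),
        Rule("ACCEPT", lambda p: p.out_iface == "tun0", "-o tun0 -j ACCEPT"),
    ])


def final_script_output(allow_loopback: bool = False) -> Chain:
    """The working script: policy ACCEPT, drop anything unmarked that is not leaving via tun+.
    allow_loopback is an addition for this example (an -o lo rule ahead of the DROP)."""
    rules = [Rule("ACCEPT", ssh_reply, "-o eth0 -p tcp --sport 22 --state ESTABLISHED -j ACCEPT")]
    if allow_loopback:
        rules.append(Rule("ACCEPT", lambda p: p.out_iface == "lo", "-o lo -j ACCEPT"))
    rules.append(Rule("DROP",
                      lambda p: p.mark != 0x1 and not p.out_iface.startswith("tun"),
                      "-m mark ! --mark 0x1 ! -o tun+ -j DROP"))
    return Chain("ACCEPT", rules)


SAMPLE_PACKETS = [  # constructed for the example
    Packet("openvpn handshake to PIA", "eth0", "udp", mark=1),
    Packet("dns query bypassing the tunnel", "eth0", "udp"),
    Packet("curl over the tunnel", "tun0", "tcp"),
    Packet("ssh reply to admin", "eth0", "tcp", sport=22, state="ESTABLISHED"),
    Packet("local connection to 127.0.0.1", "lo", "tcp"),
]


def evaluate(chain: Chain) -> Dict[str, str]:
    """Map each sample packet's name to the verdict the chain gives it."""
    return {p.name: chain.verdict(p) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, chain in (("first attempt", first_attempt_output()),
                         ("final script", final_script_output()),
                         ("final script + lo rule", final_script_output(allow_loopback=True))):
        print(label)
        for name, verdict in evaluate(chain).items():
            print(f"  {verdict:6} {name}")
```

Running it shows the failure mode the original poster hit: with policy DROP and no rule for OpenVPN's own outer packets on eth0, the handshake to the PIA server is dropped, so the tunnel never comes up and nothing else can follow. The mark-based rule fixes that while still dropping an unmarked DNS query on eth0 if the tunnel dies. It also shows a caveat the thread does not mention: the same DROP rule catches unmarked traffic to 127.0.0.1, so anything that talks to a local daemon needs an `-o lo -j ACCEPT` rule placed before it.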
