How can I configure a killswitch for OpenVPN using firewalld?

There are some guides available online on how to do this, but they don’t really offer what I need.

Also, they seem very complicated and I wonder if there’s not an easier solution.

Basically, I want to block all incoming and all outgoing traffic except outgoing VPN traffic on the tun0 interface.

The only traffic allowed outside of tun0 should be the initial connection to the VPN server (to be more specific, the IP address of the VPN server should be whitelisted so I can establish the VPN connection).

I once used to do this via iptables / ufw using the following commands:

ufw default deny outgoing
ufw default deny incoming
ufw allow out on tun0 from any to any
ufw allow out from any to 1.2.3.4

(1.2.3.4 is just an example for the IP address of the VPN server).

Can someone please tell me how I can get the same effect with firewalld or firewall-config?

Thank you

Unless something has changed recently, firewalld isn’t particularly good at managing outbound traffic. I set up a VPN machine as you are describing about a year ago and I had to add manual rules to block the outbound traffic using firewall-cmd --permanent --direct and then manually specifying them using syntax similar to iptables rules. I would share the rules with you but…

I lost that VM last week due to an unfortunate mistake and when I rebuilt it I just removed firewalld and installed ufw instead. It was much easier for that application. :innocent:

Of course, if your machine is a general purpose desktop then the advantages of firewalld might outweigh the difficulties. In my case, it was a dedicated machine I was using for when I wanted a VPN connection.
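A concrete form of the firewall-cmd --permanent --direct approach mentioned above, as an added example that is not from any poster in this thread. It assumes the thread's placeholder VPN server address 1.2.3.4, the OpenVPN default of UDP port 1194 (change it to whatever your .ovpn file's remote line says), the tunnel interface tun0, and a host with a single uplink that is not renewed over DHCP. The script only builds the commands; nothing is executed unless you pass apply.

```shell
#!/bin/sh
# Added example: firewalld --direct rules for an OpenVPN kill switch.
# Assumptions (not from the thread): VPN server 1.2.3.4, UDP port 1194, tun0.

# Emit one firewall-cmd invocation per line.  Direct rules run before
# firewalld's zone rules, so they override the default ACCEPT that firewalld
# applies to the OUTPUT chain.  The number after OUTPUT is the rule priority
# inside the chain (lower runs first), so the REJECT must carry the highest.
killswitch_rules() {
    vpn_ip=$1; vpn_port=$2; tun_if=$3
cat <<EOF
firewall-cmd --set-default-zone=drop
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o $tun_if -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -d $vpn_ip -p udp --dport $vpn_port -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 3 -j REJECT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o $tun_if -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 2 -j REJECT
firewall-cmd --reload
EOF
}

# Usage:  sh killswitch.sh show    # print the commands for review
#         sh killswitch.sh apply   # run them (needs root)
case "${1:-}" in
    show)  killswitch_rules 1.2.3.4 1194 tun0 ;;
    apply) killswitch_rules 1.2.3.4 1194 tun0 | sh -e ;;
esac
```

The inbound side is covered by switching the default zone to the built-in drop zone: firewalld still accepts replies to connections this host opened (its INPUT chain matches ESTABLISHED,RELATED before dispatching to zones), which is exactly what lets the OpenVPN handshake reply from 1.2.3.4 come back, while unsolicited inbound traffic on any interface is dropped. The IPv6 rules matter because a leak over a native IPv6 uplink bypasses an IPv4-only switch. Two caveats: DNS is blocked until the tunnel is up, so the OpenVPN remote must be an IP address rather than a hostname (as the question already plans), and a DHCP-managed uplink needs an extra OUTPUT rule for UDP port 67 or its lease renewals will be rejected. firewalld 1.x documents the direct interface as deprecated in favour of policy objects, but it still works.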

Consider using NetworkManager+WireGuard as it supports the kill switch feature by default.

So you’re saying just replacing firewalld with UFW will work?

But that means that in addition to nftables, Fedora has iptables still installed by default, right? Or how could UFW (a frontend for iptables) work otherwise?

I always thought that iptables has been deprecated.

Yes, it works without hassles.

On general purpose workstations, I love firewalld. But for blocking outbound traffic, I usually switch to ufw because it is a handful of simple rules. That being said, it is possible to achieve your goal with either.

I believe the package iptables-nft provides a bridge between the iptables rules and nftables implementation.

Okay, I see. Thanks for your help.