-   Linux - Security (
-   -   A way to auto-connect to your VPN at startup without an App (

Captain Brillo 01-05-2019 06:22 PM

A way to auto-connect to your VPN at startup without an App
Thought I’d present this attempt to automate VPN connection at start-up. This method avoids need for an actual “kill-switch,” because if the connection is broken, there’s no other connection available for “leaks.” It has passed my (very limited) testing so far. I’m very much looking for critique, correction and improvement. [Call it an “assay” submitted for marking (pun intended ;)]. Should it survive, it can be available in 1 piece, in 1 place, for every newbie to use. (See bottom for credits.)

I’ve seen a few really long, involved “kill-switches” built with ip tables. Your feedback may enlighten us (me) re the validity of the apparently huge labour needed for this approach. My hope is that this simplicity here actually is effective.

There are several apps/applets out there that work as kill-switches, and I found a 2-app combo that does everything anyone would ask for. It’s brilliant. But I’m no longer a very trusting person, and without getting inside them, you don’t really know what they’re doing. No disrespect to other travellers, but look at it this way: this might be a little more complicated to set up than installing an app, but this way gives you total control. And you’re doubt-free.

This post consists of some simple firewall rules and a little 1-command startup app.
(I use nordVPN, which does not use IPv6; at the bottom are commands to disable IPv6 and stop those leaks.)

Some considerations :

- changing VPN servers - requires a bit of adjustment - need to change both the ip address in the ufw rule and the uuid in the startup app

- torrenting - when the connection breaks when downloading a torrent file, qbittorrent continues to run, but download speed gradually drops to 0 - need to explain this (- am I now visible? -) and find a fix.

For Ubuntu et al., ufw is fine. Other distros....I don’t know.

Set up the firewall rules:


sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
sudo ufw allow out from any to <ip address of vpn>
sudo ufw enable
sudo ufw status

Next, follow these steps.

This command will show you your connections:


nmcli con
and will return something like:


NAME                                          UUID                                                                  TYPE                    DEVICE
Wired connection 1            f49e5cee-9a89-35ac-8a87-3e487c2f86f9          802-3-ethernet    eno1          8d7331ad-ff3c-4e19-a7a9-cc1b129dbe54        vpn          eno1 
tun0                          e40b6153-802c-40ed-9f64-a02beee4be66          tun                tun0

Now type this command:


$  nmcli con up uuid <your vpn uuid here>  as in

$  nmcli con up uuid  8d7331ad-ff3c-4e19-a7a9-cc1b129dbe54

This should connect you to the VPN server.

Next, add that last command to your ‘Startup Applications” as a “custom command.” Maybe call it “StartVPN”....

Reboot; the VPN should connect automatically; turn off the VPN and see if anything can connect. It shouldn’t.

-confirm that nothing is still communicating after you kill the connection.

How to disable IPv6 on Linux?

First, run ifconfig to get a list showing any IPv6 connections, if you find any, add them to the commands below after the command about tun0 and substitute that connection name (eno1,etc.) for tun0.

Here's how to disable the protocol on a Red Hat-based system:

1. Open a terminal window.
2. Change to the root user.
3. Issue the commands:


sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.conf.tun0.disable_ipv6=1

To re-enable IPv6, issue the following commands:


sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0
sysctl -w net.ipv6.conf.tun0.disable_ipv6=0

Here's how to disable the protocol on a Debian-based machine.
1. Open a terminal window.
2. Issue the command:


sudo nano /etc/sysctl.conf
3. Add the following at the bottom of the file:


net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

4. Save and close the file.

5. Reboot the machine.

To re-enable IPv6, remove the above lines from*/etc/sysctl.conf*and reboot the machine.

(Note: in the lines added for RedHat there are no spaces beside the “=” signs, but for Debian systems, there are spaces around the “=”. I don’t know if this is accurate; these were both cut & pasted. I have only tested for Debian and the spaces are accurate.)

Then make sure all network connections have IPv6 set to ignore.
(the “xmodulo” link below has another method to disable IPv6.)

Here's how to check:

This info comes, bit by bit, from these sites:




ferrari 01-05-2019 07:33 PM

You could also use NetworkManager's dispatcher script capability...

More info

man NetworkManager

Captain Brillo 01-05-2019 08:06 PM

Thanks, I saved that. It's still beyond my scripting/programming skills, which is why I've suggested this is for newbies.
Notice any glaring boo-boos?

markophillips 03-14-2019 05:33 AM

Very helpful thread.

All times are GMT -5. The time now is 11:04 PM.