Wireguard VPN via Network Manager - Kill Switch?

I have imported some wireguard configs from my VPN provider. Imported one into a new Network Connection in Network Manager. Seemed to import ok, but not many settings. I’d like a switch or some kind of “Always On” setting, is that possible?

If not, I remember the Mac version of the Wireguard app had a setting which effectively provided a ‘kill switch’ (to prevent connections outside the VPN and block all traffic if VPN connection dropped). I’d like this functionality on Fedora if possible.


1 Like

NetworkManager preserves the WireGuard interface and its default route even when the server is down or unreachable which effectively provides a routing based kill switch OOTB.

1 Like

Thanks, just to clarify, so it does prevent leaks or connections outside the VPN by default?

I know the mullvad app (for some reason not installing correctly on atomic) has a daemon for early boot blocking.

You could also set your DNS in systemd-resolved to empty, so you could only connect to them.

When changing resolved, create resolved.conf.d and put any setting.conf in there which will overwrite the original.

Hmm, I don’t understand that but I get it enough to think it’s worth me looking into what you mean and how to do that. I like the idea of blocking native IP connections at system level, very much!

Yeah had no energy to give you the code

sudo -i
cd /etc/systemd
mkdir resolved.conf.d
cp resolved.conf resolved.conf.d/block-all.conf
# edit the lines here, uncomment the DNS lines, etc.

A VPN is often connected through a static IP, so you dont need DNS. And then after connecting to your new LAN (VPN) it has its own DNS server set up often.

But this will not block direct IP connections.

So you may want to do something in /etc/hosts but I dont know that yet.

Since wireguard is not a VPN which makes a connection to a VPN server, but a network interface which happens to send a key plus encrypted packets to a predefined IP, I would give it a try to define the VPN in e.g. /etc/wireguard/wgvpn.conf and let the service wg-quick@wgvpn start BEFORE NetworkManager. systemd-resolved is already started, so wg-quick can enter the DNS address already, if not, fall back to /etc/resolv.conf.
The routing of wireguard is that clever that the default route should not be overruled by DHCP.
Only thing is that DHCP communication should not be catched.
WLAN with captive portal will be no longer possible.

1 Like

Thanks both of you, but this is way out of my technical abilities now. I was hoping for just a kill switch button!! (Or something almost as easy!)

No problem.
Just refer to the post of @vgaetera: a regular VPN like IPsec connects to a server, negotiates keys and account, and if the server goes down it might drop the VPN. Wireguard does not have “connection” to the server, if the wireguard server receives a packet from you and recognizes the key, it is happy to process it. If it does not for some reason, you just do not have any connection, as long as your wireguard interface is up.
So indeed: killswitch implicitly on.

1 Like

Thank you, I understood that and it’s a comfort to know that.