The Tin Hat

VPN Drop Protection Using Simple Linux Firewall Rules

Image By Matt Barber

Category: misc
A 2 Minute Read

Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!

I’ve written previously about the dangers of your VPN dropping and ways to prevent it from being disastrous. Indeed, while many VPN clients have drop protection built in, Linux users often are forced to use their built in Network Manager to connect to a VPN, which notably lacks drop protection. As a workaround, I recommended using a script called VPNDemon to act as a killswitch, so that when your VPN drops you don’t accidentally expose your IP address.

While this solution worked for me for quite some time, I had several readers write in and notify me that VPNDemon failed to work properly for them. Fortunately, there’s another simple solution that I have found since then that works flawlessly (so far at least). This time, instead of using a script to constantly monitor Network Manager, I’ve found a solution that uses Uncomplicated Fire-Wall’s (UFW) firewall rules to enforce a VPN connection.

The first step to getting this up and running is to install ufw. Ubuntu should have this installed by default, while on Debian you’ll have to type into the terminal:

sudo apt-get install ufw -y

Next, connect to your vpn and type the following into your terminal to ensure that your VPN connects to tun0 (look for tun0 as a network interface):

sudo ifconfig

After you’ve ensured that your VPN is using tun0, disconnect from it, and copy and paste this into your favourite text editor, before saving it as your filename of choice (such as in your home folder:


sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable

What this script does is reset all your ufw firewall rules, and then change them to only allow traffic to go in or out on tun0. Of course, you’ll eventually need to undo this. For that, you’ll want to copy and paste the following into a text editor as well, and save it in your home folder (I called mine


sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

This script once again resets your ufw firewall rules, and then sets them to a regular sane default (allow outgoing, but deny uninvited incoming traffic).

Now we need to make these two scripts executable. To do this, we will type the following into our terminal (assuming you have named your scripts the same as I have):

sudo chmod +x

To actually operate these, all you’ll need to do is connect to your VPN, and then execute the first script by typing into your terminal:


Once you’ve done this, no traffic will be allowed to enter or leave your computer that isn’t through the VPN interface. I recommend testing it though to make sure everything is set up correctly by disconnecting your VPN. If your internet doesn’t work, that’s a good sign.

Whenever you’re done with your VPN and want to be able to connect back to the regular internet, just execute the second script by typing into your terminal:


I personally use NordVPN and Digital Ocean.
Show some love by signing up using my affiliate links:
Or support me directly on Patreon

Help Me Out: Share, Follow, & Comment

Latest Posts

What is Device Fingerprinting?

Learn what browser fingerprinting is and how it canb e used to track you online.

How To Torrent Privately & Anonymously For Free

Learn the pros and cons of using a VPN to torrent, as well as how to use I2P to anonymously torrent for free!

VPN Drop Protection Using Simple Linux Firewall Rules

Learn how to protect against your VPN dropping using these simply Linux firewall rules

Ledger Nano S Review | Why You Need a Bitcoin Hardware Wallet

A review of the Ledger Nano S, and an explanation of why hardware wallets just make life better when using Bitcoin

What is Two Factor Authentication (2FA) And Why Use It?

What 2FA is, why you should use it, and why we need FIDO U2F.

Support The Tin Hat on Patreon!

The Tin Hat now has a few more ways to support the site.

What is a hash?

A simple explanation of what hashing is, and how hashes are used.

Trump's Toolbox | Future Attribute Screening Technology

FAST is a program that attempts to wirelessly detect whether youre a terrorist, and its in Trump's back pocket.

uBlock Origin, The Best AdBlock Alternative

For AdBlock (Plus) alternatives, look no further than uBlock Origin. This tutorial explains why, and how, you should use it.

I2P Browser Setup Tutorial | Using The Tor Browser For I2P

Learn how to browse I2P using the Tor Browser with this short guide

Privacy On Android | 2017 Android Privacy Guide

A tutorial on how to build privacy on your Android device. Learn what you need to do to stay safe and secure.

New I2P Portal For TheTinHat

TheTinHat has moved to a new server, with a new I2P hidden service to accompany it.

Rebranding 'The Dark Net'

Disassociating decentralized networks with the term 'darknets'.

In Defense of Browser-Based Email Encryption

Why I've reversed my opinion on Protonmail and Tutanota

Privacy Focused Blog Platform

A rundown of the tools I use to power my blog, hidden services.

A Lighter-weight Firefox

How I've set up a lightweight, yet still private browser.