Wireguard killswitch
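#!/bin/bash
# WireGuard killswitch: installs iptables rules so that, while the tunnel is up,
# only traffic via the WireGuard interface, the loopback, the local network and the
# UDP handshake to the WireGuard server itself can leave or enter the host.
#
# Copy the file to /etc/wireguard/
# Make it executable: chmod +x /etc/wireguard/wg-killswitch.sh
# Add the following lines to your wireguard conf (/etc/wireguard/wg0.conf)
#   PostUp = /etc/wireguard/wg-killswitch.sh up %i 123.45.78.99
#   PostDown = /etc/wireguard/wg-killswitch.sh down %i 123.45.78.99
# Make sure you update the ip addresses in this file to match your wireguard config and your network
#
# Things a deployer should be aware of:
#   - Only IPv4 is filtered (iptables). If the host has IPv6 connectivity, nothing here
#     restricts it, so traffic can still leave over IPv6 outside the tunnel; mirror the
#     rules with ip6tables or disable IPv6 on the uplink to close that gap.
#   - Rules are appended (-A). Any ACCEPT rule that already sits earlier in INPUT/OUTPUT
#     is matched first and is not overridden by the DROP rules added here.
#   - "up" is fail-fast: if a rule cannot be added the script exits non-zero before the
#     final DROP rules are installed, so a typo in the server address does not leave the
#     host with the handshake blocked. "down" is best-effort so a partially applied "up"
#     can still be torn down, and running "up" twice does not duplicate rules.

set -eu

# Get arguments - first is operation (up/down), second is interface name,
# third is the WireGuard server address (see PostUp/PostDown above).
OPERATION=${1:-}
INTERFACE=${2:-}
LOCAL_NETWORK="192.168.1.0/24" # Adjust to your network
# Your WireGuard server details
# This can be hard coded with the server IP or use it as an argument if you have multiple connections
WG_SERVER=${3:-}
# Replace with your WireGuard server port
WG_PORT="51820"
# Replace with your WireGuard DNS server IP
WG_DNS="10.2.0.1"

# Print usage to stderr and exit 1 (the exit status callers already rely on).
usage() {
  echo "Usage: $0 {up|down} INTERFACE SERVER_IP" >&2
  exit 1
}

#######################################
# Append a rule unless an identical one is already present, so "up" is idempotent.
# Arguments: $1 - table (filter|nat), $2 - chain, rest - rule specification
# Returns:   non-zero (and, under set -e, aborts the script) if the rule cannot be added
#######################################
add_rule() {
  local table=$1
  shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

#######################################
# Delete a rule, ignoring failure so teardown continues past rules that were never added.
# Arguments: $1 - table (filter|nat), $2 - chain, rest - rule specification
#######################################
del_rule() {
  local table=$1
  shift
  iptables -t "$table" -D "$@" 2>/dev/null || true
}

[[ -n "$OPERATION" && -n "$INTERFACE" ]] || usage

case "$OPERATION" in
  "up")
    # The server address is mandatory here: without it the ACCEPT rule below cannot be
    # built and the DROP rules would then block the tunnel's own handshake.
    [[ -n "$WG_SERVER" ]] || usage
    # First ensure we can reach the WireGuard server
    add_rule filter OUTPUT -p udp -d "$WG_SERVER" --dport "$WG_PORT" -j ACCEPT # Allow WireGuard connection
    # Allow established connections
    add_rule filter INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback
    add_rule filter INPUT -i lo -j ACCEPT
    add_rule filter OUTPUT -o lo -j ACCEPT
    # Allow local network
    add_rule filter INPUT -s "$LOCAL_NETWORK" -j ACCEPT
    add_rule filter OUTPUT -d "$LOCAL_NETWORK" -j ACCEPT
    # Allow traffic through WireGuard
    add_rule filter INPUT -i "$INTERFACE" -j ACCEPT
    add_rule filter OUTPUT -o "$INTERFACE" -j ACCEPT
    # DNS hijacking - redirect all UDP DNS traffic to WireGuard DNS
    add_rule nat OUTPUT -p udp --dport 53 -j DNAT --to-destination "$WG_DNS:53"
    # Block all non-VPN DNS traffic
    add_rule filter OUTPUT ! -o "$INTERFACE" -p udp --dport 53 -j DROP
    add_rule filter OUTPUT ! -o "$INTERFACE" -p tcp --dport 53 -j DROP
    # Block non-VPN traffic (must stay last: everything not accepted above is dropped)
    add_rule filter OUTPUT ! -o "$INTERFACE" -j DROP
    add_rule filter INPUT ! -i "$INTERFACE" -j DROP
    echo "Killswitch enabled for interface $INTERFACE"
    ;;
  "down")
    # Remove the rules (in reverse order); each delete is best-effort
    del_rule filter OUTPUT ! -o "$INTERFACE" -j DROP
    del_rule filter INPUT ! -i "$INTERFACE" -j DROP
    del_rule filter OUTPUT ! -o "$INTERFACE" -p tcp --dport 53 -j DROP
    del_rule filter OUTPUT ! -o "$INTERFACE" -p udp --dport 53 -j DROP
    del_rule nat OUTPUT -p udp --dport 53 -j DNAT --to-destination "$WG_DNS:53"
    del_rule filter INPUT -i "$INTERFACE" -j ACCEPT
    del_rule filter OUTPUT -o "$INTERFACE" -j ACCEPT
    del_rule filter INPUT -s "$LOCAL_NETWORK" -j ACCEPT
    del_rule filter OUTPUT -d "$LOCAL_NETWORK" -j ACCEPT
    del_rule filter INPUT -i lo -j ACCEPT
    del_rule filter OUTPUT -o lo -j ACCEPT
    del_rule filter INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    del_rule filter OUTPUT -p udp -d "$WG_SERVER" --dport "$WG_PORT" -j ACCEPT
    echo "Killswitch disabled for interface $INTERFACE"
    ;;
  *)
    usage
    ;;
esac
exit 0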