@yeenbean
Last active December 8, 2019 20:35
pf configuration file for PIA and other VPNs to act as a killswitch
#### PLEASE READ THIS BEFORE PASTING INTO YOUR pf.conf FILE ####
#
# This configuration is designed for PIA with a UDP configuration, and will
# block ALL TRAFFIC on en0 with the exception of the designated ports specified
# below in pia_udp_ports. It will likely NOT WORK out of the box; you will need to
# identify the interface that PIA uses and it will likely NOT be utun2.
#
# The advantage of using this pf configuration is to simulate PIA's killswitch
# as soon as the system boots up rather than when PIA is launched, and allows
# for a tiny bit more peace of mind. It is NOT perfect: all traffic, outbound
# and inbound, IS PERMITTED on the VPN connection. If that doesn't butter your
# biscuit, DON'T USE THIS CONFIG.
#
# This config was designed for macOS, but may also work on other *nix
# distributions. Your mileage may vary.

# define ports allowed for VPN traffic
pia_udp_ports = "1194 8080 9201 53"
dhcp = "67 68"

# define VPN interfaces
# these interfaces will allow ALL traffic on ALL ports
pia_interfaces = "{ utun2 }"

# block all initial traffic
# (note: 'block all' applies to every interface, including lo0, unless the
# file also contains 'set skip on lo0')
block all

# allow traffic through VPN interfaces
pass out quick on $pia_interfaces all
pass in quick on $pia_interfaces all

# allow traffic over default interface only on specified VPN ports
pass out quick on en0 proto udp from any to any port { $pia_udp_ports $dhcp }
pass in quick on en0 proto udp from any to any port { $pia_udp_ports $dhcp }
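The effect of the ruleset can be checked without loading it into pf. The following is an added example, not part of the gist: a small Python model of pf's last-match evaluation with 'quick', covering only the features this file uses (interface, direction, protocol, destination port). It is stateless, so it ignores the state entries pf's pass rules create for reply traffic, and UPLINK_INTERFACES is an assumed name, not a macro from the gist.

```python
from dataclasses import dataclass

# Same values as the gist's macros; UPLINK_INTERFACES is a list so more
# than one default interface can be covered (the gist hard-codes en0).
PIA_UDP_PORTS = {1194, 8080, 9201, 53}
DHCP_PORTS = {67, 68}
VPN_INTERFACES = ["utun2"]
UPLINK_INTERFACES = ["en0"]

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet enters or leaves on
    direction: str   # "in" or "out"
    proto: str       # "udp", "tcp", "icmp", ...
    dport: int       # destination port (0 for protocols without ports)

def ruleset():
    """(action, quick, matcher) tuples in the order pf reads the file.
    pf walks the rules top to bottom and the LAST match wins, unless a
    matching rule is marked 'quick', which ends evaluation at once."""
    rules = [("block", False, lambda p: True)]  # block all
    for ifc in VPN_INTERFACES:  # pass out/in quick on $pia_interfaces all
        for d in ("out", "in"):
            rules.append(("pass", True, lambda p, i=ifc, d=d:
                          p.iface == i and p.direction == d))
    allowed = PIA_UDP_PORTS | DHCP_PORTS
    for ifc in UPLINK_INTERFACES:  # pass out/in quick on en0 proto udp ... port {...}
        for d in ("out", "in"):
            rules.append(("pass", True, lambda p, i=ifc, d=d:
                          p.iface == i and p.direction == d
                          and p.proto == "udp" and p.dport in allowed))
    return rules

def verdict(pkt: Packet) -> str:
    """Evaluate one packet against the ruleset; returns 'pass' or 'block'."""
    result = "pass"  # pf's default when nothing matches ('block all' always does)
    for action, quick, matches in ruleset():
        if matches(pkt):
            result = action
            if quick:
                break
    return result

if __name__ == "__main__":
    for pkt in (Packet("en0", "out", "udp", 1194),   # OpenVPN handshake to PIA
                Packet("en0", "out", "tcp", 443),    # captive-portal login page
                Packet("utun2", "out", "tcp", 443),  # anything inside the tunnel
                Packet("lo0", "out", "tcp", 8080)):  # loopback is blocked too
        print(pkt, "->", verdict(pkt))
```

The second and fourth sample packets show the two caveats in the file's own comments and the TODO below: a captive portal on TCP 80/443 never gets through en0, and loopback is caught by 'block all' as well.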
yeenbean commented Dec 8, 2019

  • Port configuration is a bit cleaner.
  • Opened ports 67 and 68 to allow DHCP configuration on a network.

TODO:

  • Restructure general interfaces to a list for customization (not everyone's default interface is en0)
  • Either find a way to allow captive portals access to 80 and 443, or create a script to temporarily open up the ports.
