{"id":23388228,"url":"https://github.com/alexandrshy/wireguard-killswitch","last_synced_at":"2026-02-17T12:31:39.435Z","repository":{"id":268169633,"uuid":"903529464","full_name":"Alexandrshy/wireguard-killswitch","owner":"Alexandrshy","description":"🛡️ A bash script that creates a kill switch for WireGuard VPN on macOS using PF. It ensures that your internet traffic only flows through the VPN, preventing any leaks if the VPN connection drops","archived":false,"fork":false,"pushed_at":"2024-12-14T20:50:08.000Z","size":5,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-19T12:46:41.697Z","etag":null,"topics":["bash","macos","security","vpn","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Alexandrshy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-14T20:44:26.000Z","updated_at":"2025-04-26T21:21:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"3e03ec20-db16-48f7-9c95-2a949104a563","html_url":"https://github.com/Alexandrshy/wireguard-killswitch","commit_stats":null,"previous_names":["alexandrshy/wireguard-killswitch"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Alexandrshy/wireguard-killswitch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Alexandrshy%2Fwireguard-killswitch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Alexandrshy%2Fwireguard-killswitch/tags","releases_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Alexandrshy%2Fwireguard-killswitch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Alexandrshy%2Fwireguard-killswitch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Alexandrshy","download_url":"https://codeload.github.com/Alexandrshy/wireguard-killswitch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Alexandrshy%2Fwireguard-killswitch/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265344842,"owners_count":23750566,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","macos","security","vpn","wireguard"],"created_at":"2024-12-22T02:18:14.162Z","updated_at":"2026-02-17T12:31:39.392Z","avatar_url":"https://github.com/Alexandrshy.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WireGuard Kill Switch for macOS\n\nA bash script that creates a kill switch for WireGuard VPN on macOS using PF (Packet Filter). It ensures that your internet traffic only flows through the VPN, preventing any leaks if the VPN connection drops\n\n## Features\n\n- Blocks all traffic when VPN is disconnected\n- Allows traffic only through WireGuard VPN interface\n- Monitors VPN connection status\n- Configurable through environment variables\n- Automatic cleanup on script termination\n- User-friendly status messages\n\n## Requirements\n\n- macOS operating system\n- WireGuard installed\n- Administrative privileges (sudo)\n\n## Installation\n\n1. 
Clone this repository or download the `killswitch.sh` script:\n\n```bash\ngit clone https://github.com/Alexandrshy/wireguard-killswitch.git\n\ncd wireguard-killswitch\n```\n\n2. Make the script executable:\n```bash\nchmod +x killswitch.sh\n```\n\n## Usage\n\n### Basic Usage\n\nSimply run the script:\n\n```bash\n./killswitch.sh\n```\n\n### Configuration\n\nYou can configure the script using environment variables:\n\n- `VPN_INTERFACE`: WireGuard interface name (default: utun4)\n- `WIREGUARD_PORT`: WireGuard server port (default: 51820)\n- `PF_RULES_PATH`: Path to PF rules file (default: /etc/pf.anchors/wireguard_killswitch)\n\nExample:\n\n```bash\nexport VPN_INTERFACE=utun4\nexport WIREGUARD_PORT=51820\nexport PF_RULES_PATH=/etc/pf.anchors/wireguard_killswitch\n```\n\n### Finding WireGuard Interface\n\nTo determine which interface your WireGuard VPN is using:\n\n1. First, check all available interfaces:\n\n```bash\nifconfig | grep utun\n```\n\n2. Note the current interfaces, then connect to your WireGuard VPN\n\n3. Run the same command again:\n\n```bash\nifconfig | grep utun\n```\n\n4. The new utun interface that appears is your WireGuard interface. Example output:\n```\nBefore VPN connection:\nutun0: flags=8031\u003cUP,POINTOPOINT,RUNNING,MULTICAST\u003e mtu 1490\nutun1: flags=8031\u003cUP,POINTOPOINT,RUNNING,MULTICAST\u003e mtu 2000\n\nAfter VPN connection:\nutun0: flags=8031\u003cUP,POINTOPOINT,RUNNING,MULTICAST\u003e mtu 1490\nutun1: flags=8031\u003cUP,POINTOPOINT,RUNNING,MULTICAST\u003e mtu 2000\nutun3: flags=8031\u003cUP,POINTOPOINT,RUNNING,MULTICAST\u003e mtu 1690  \u003c- This is your WireGuard interface\n```\n\n5. Update the VPN_INTERFACE variable in the script or set it via environment variable:\n\n```bash\nexport VPN_INTERFACE=\"utun3\"\n```\n\n## Automatic Startup Configuration\n\nTo make the kill switch start automatically after system reboot, follow these steps:\n\n1. 
Copy the script to a permanent location:\n\n```bash\nsudo cp killswitch.sh /usr/local/sbin/killswitch.sh\n\nsudo chmod +x /usr/local/sbin/killswitch.sh\n```\n\n2. Create a launch daemon configuration:\n\n```bash\nsudo mkdir -p /Library/LaunchDaemons\n```\n\n3. Create the launch daemon file:\n\n```bash\ncat \u003c\u003c 'EOF' | sudo tee /Library/LaunchDaemons/com.wireguard.killswitch.plist\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\n\u003cplist version=\"1.0\"\u003e\n\u003cdict\u003e\n    \u003ckey\u003eLabel\u003c/key\u003e\n    \u003cstring\u003ecom.wireguard.killswitch\u003c/string\u003e\n    \u003ckey\u003eProgramArguments\u003c/key\u003e\n    \u003carray\u003e\n        \u003cstring\u003e/usr/local/sbin/killswitch.sh\u003c/string\u003e\n    \u003c/array\u003e\n    \u003ckey\u003eRunAtLoad\u003c/key\u003e\n    \u003ctrue/\u003e\n    \u003ckey\u003eKeepAlive\u003c/key\u003e\n    \u003ctrue/\u003e\n    \u003ckey\u003eStandardOutPath\u003c/key\u003e\n    \u003cstring\u003e/var/log/killswitch.log\u003c/string\u003e\n    \u003ckey\u003eStandardErrorPath\u003c/key\u003e\n    \u003cstring\u003e/var/log/killswitch.error.log\u003c/string\u003e\n\u003c/dict\u003e\n\u003c/plist\u003e\nEOF\n```\n\n4. Set correct permissions:\n\n```bash\nsudo chown root:wheel /Library/LaunchDaemons/com.wireguard.killswitch.plist\nsudo chmod 644 /Library/LaunchDaemons/com.wireguard.killswitch.plist\n```\n\n5. Load the launch daemon:\n\n```bash\nsudo launchctl load -w /Library/LaunchDaemons/com.wireguard.killswitch.plist\n```\n\n6. 
Verify the launch daemon is running:\n\n```bash\nsudo launchctl list | grep com.wireguard.killswitch\n```\n\n### Managing Autostart\n\n- To stop the service:\n\n```bash\nsudo launchctl unload /Library/LaunchDaemons/com.wireguard.killswitch.plist\n```\n\n- To disable autostart:\n\n```bash\n# -w also marks the job as disabled, so it is not started again at boot\nsudo launchctl unload -w /Library/LaunchDaemons/com.wireguard.killswitch.plist\n```\n\n## Troubleshooting\n\n### Logs\nCheck the log files for any issues:\n\n```bash\ntail -f /var/log/killswitch.log\ntail -f /var/log/killswitch.error.log\n```\n\n### Common Issues\n\n1. **Script doesn't start automatically**\n   - Check permissions: `chmod +x /path/to/your/killswitch.sh`\n   - Verify the path in the plist file\n   - Check log files for errors\n\n2. **Permission denied errors**\n   - Ensure the script has proper ownership: `sudo chown root:wheel /path/to/your/killswitch.sh`\n   - Make sure the script is executable: `chmod +x /path/to/your/killswitch.sh`\n\n## Security Considerations\n\n- The script requires root privileges to modify firewall rules\n- All traffic is blocked if the VPN connection drops\n- DNS queries are allowed to facilitate VPN connection\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexandrshy%2Fwireguard-killswitch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falexandrshy%2Fwireguard-killswitch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexandrshy%2Fwireguard-killswitch/lists"}