Question

I'm trying to make Murus block everything, except my connection to the VPN server. I don't want my Mac to make any outbound calls to any ports unless via the VPN connection. I'm trying to add a rule that allows the VPN, while everything else is blocked by set block-policy drop.

I can connect to the VPN, but nothing works aside from that. Can you point me in the right direction?

I can make direct changes in pf.conf too (this should not necessarily be Murus).


Solution

Little Snitch (a highly customizable firewall for macOS) has the functionality you are looking for.

First create a profile for a VPN connection (allow all in/out traffic). Then create a second profile, which would block all in/out traffic. Lastly, set up automatic profile switching based on the current state of connection to the VPN server.

Check out this guide for more info.

Once you’ve got Little Snitch’s automatic profile switching enabled, it will prompt you to choose the appropriate profile when you join foreign networks. You should obviously choose your untrusted profile. For both your known trusted networks and your VPN connection, you should configure the trusted profile to be selected. Once you’ve done this, all the pieces will come together. When you are on a public network, you can select the untrusted profile, and it will block all traffic until you establish a VPN connection. After that, it will automatically switch over to your trusted profile.

OTHER TIPS

The main idea is simply blocking all connections and pass only through lo/tun/vpn interfaces.

# Macros first: your VPN server IP (placeholder, replace it)
vpn = "0.0.0.0"

# Options (set ...) must come before filter rules in pf.conf
set skip on lo0

# Default deny in both directions, logged to pflog0
block in log
block out log

# Pass packets that go through TUN interfaces
pass in quick on { utun0 utun1 } all
pass out quick on { utun0 utun1 } all

# Pass packets that go to/from the VPN server on the physical interface
pass in on en0 proto { tcp udp } from $vpn to any
pass out on en0 proto { tcp udp } from any to $vpn

(Taken from https://dolzhenko.me/blog/2018-02-24-macos-openvpn)

Or you can use software which has this feature built-in. I use VyprVPN.
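The pf "kill switch" from the tips above, as an added example that is not part of either answer: a shell script that generates the ruleset in the section order pf insists on (options before filter rules), rejects a malformed server address, syntax-checks the file with pfctl -n, and only then loads it. It assumes the uplink is en0 and the VPN uses utun0/utun1; both are parameters.

```shell
#!/bin/sh
# Added example, not code from the answers above. Builds a macOS pf ruleset
# that drops everything except traffic on the tunnel interfaces and the
# connection to the VPN server itself, then loads it with pfctl.
# Assumptions: uplink is en0, tunnel interfaces are utun0/utun1 (override
# with arguments 2 and 3); the VPN server is given as an IPv4 address.

# Print the ruleset. Order matters to pf: options first, then filter rules.
build_ruleset() {
    vpn_ip="$1"; uplink="${2:-en0}"; tuns="${3:-utun0 utun1}"
    cat <<EOF
set block-policy drop
set skip on lo0
# Default deny both ways; 'log' sends the drops to pflog0 for inspection
block in log all
block out log all
# Anything riding the tunnel interfaces is allowed
pass in quick on { $tuns } all
pass out quick on { $tuns } all
# On the physical uplink, the only reachable host is the VPN server
pass out quick on $uplink proto { tcp udp } from any to $vpn_ip
pass in quick on $uplink proto { tcp udp } from $vpn_ip to any
EOF
}

# Accept only a dotted-quad IPv4 address; a hostname would not resolve
# anyway once the ruleset is active, because DNS over en0 is blocked.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Dry-run parse with pfctl -n, then enable pf and load (needs root, macOS/BSD).
apply_ruleset() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    build_ruleset "$@" > "$tmp"
    pfctl -nf "$tmp" || { rm -f "$tmp"; return 1; }   # syntax check only
    pfctl -ef "$tmp"; rc=$?                            # enable pf, load rules
    rm -f "$tmp"; return $rc
}

# Run with the VPN server IP as the first argument; with no argument
# only the functions are defined (handy for sourcing or testing).
if [ -n "${1:-}" ]; then apply_ruleset "$@"; fi
```

Check what got loaded with `sudo pfctl -sr` and watch drops with `sudo tcpdump -n -i pflog0`.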

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange