Tunnelblick's Kill Switch

What the "Kill Switch" Is — and Isn't

Tunnelblick has a "kill switch" that can disable all network access if the VPN disconnects. This can be useful when running an application (for example, a BitTorrent client) that you do not want to "leak" data outside of the VPN.

It is not a "firewall", which can prevent all network access except through the VPN.

The difference is like the difference between a door that automatically closes when there's a fire (the "kill switch"), and a door with a doorman who only lets people through if they are going to a particular destination (the "firewall").

After Tunnelblick's kill switch has been activated your computer will not be able to access anything through the network, including the Internet. When that has happened, Tunnelblick's menu will have an additional command, "Re-enable network access", which will restore all network access. (In the analogy above, it will reopen the door.)

Notes:

  1. The kill switch should not be used when more than one VPN is connected at the same time.

  2. All network access is disabled, even non-Internet access to your local network and to networks connected through FireWire, Thunderbolt, and Bluetooth. (Bluetooth keyboards and mice are not affected.)

  3. Network access is disabled until you re-enable it, even after you restart your computer.

  4. If Tunnelblick or OpenVPN is not running, network access will not be disabled. For example, if your computer crashes, network access will be enabled when it restarts.

Setup

Tunnelblick's kill switch is controlled separately for each VPN you have (but see Changing Multiple Settings at Once), and it can be set up to be triggered by expected and/or unexpected disconnections.

The settings are found on the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" window:

[Screenshot: Tunnelblick "VPN Details" window showing the "Settings" tab of the "Configurations" panel, with "On expected disconnect" set to "Do nothing" and "On unexpected disconnect" set to "Disable network access".]

In the above screenshot, which has the "Home" VPN selected, "On expected disconnect" is set to "Do nothing" (kill switch inactive) and "On unexpected disconnect" is set to "Disable network access" (kill switch active). If there is an expected disconnection, nothing special will be done. If an unexpected disconnection occurs, however, all network access will be disabled.

Use

When the kill switch has been activated:

  • A notification will be displayed;

  • The "Re-enable Network Access" command will appear at the top of Tunnelblick's menu; and

  • Network access will be disabled until you re-enable it. You can do that using Tunnelblick's "Re-enable Network Access" menu command.

If network access has been disabled when you quit or launch Tunnelblick or try to connect a VPN, Tunnelblick will ask if you want to re-enable it.

Re-Enabling Network Access Manually

If network access has been disabled and you cannot run Tunnelblick, network access can be restored manually:

Launch System Preferences, and click on "Network".

For each network service that is labeled "Inactive":

  1. Click to select the network service;

  2. Click on the little "gear" icon at the bottom of the list; and

  3. Click on "Make Service Active".

If you wish, turn Wi-Fi on. You can use the Wi-Fi icon in the menu bar, or, in the "Network" System Preferences, select the Wi-Fi service in the list on the left and then click the "Turn Wi-Fi On" button.
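The manual procedure above can also be checked from Terminal. The script below is an added example, not Tunnelblick's own code: it lists the disabled network services and prints the command that would re-enable each one. It assumes that a service labeled "Inactive" in System Preferences is one that `networksetup -listallnetworkservices` marks with a leading asterisk; the sample listing is constructed so the script also runs where `networksetup` is not installed.

```shell
#!/bin/sh
# Added example, not Tunnelblick's own code.
# Assumption: a service System Preferences labels "Inactive" is one that
# `networksetup -listallnetworkservices` marks with a leading asterisk.

# Constructed sample listing, used when networksetup is not available.
SAMPLE='An asterisk (*) denotes that a network service is disabled.
*Wi-Fi
*Thunderbolt Bridge
Bluetooth PAN
*USB 10/100/1000 LAN'

# Real listing on macOS, constructed sample elsewhere.
list_services() {
    if command -v networksetup >/dev/null 2>&1; then
        networksetup -listallnetworkservices
    else
        printf '%s\n' "$SAMPLE"
    fi
}

# Read a listing on stdin; print the names of disabled services.
disabled_services() {
    # Line 1 is the explanatory header; disabled entries start with "*".
    sed -n '2,$s/^\*//p'
}

# Read service names on stdin. Print the re-enable command for each one,
# and run it only when APPLY=1 is set.
enable_services() {
    while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        printf 'networksetup -setnetworkserviceenabled "%s" on\n' "$svc"
        if [ "${APPLY:-0}" = 1 ]; then
            networksetup -setnetworkserviceenabled "$svc" on </dev/null
        fi
    done
}

list_services | disabled_services | enable_services
```

Without `APPLY=1` the script only prints the commands it would run. Wi-Fi power is a separate setting and is turned on as described in the last step above.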