Killswitch is not working with OpenVPN #28

Open
munibsiddiqui opened this issue Dec 2, 2021 · 22 comments

@munibsiddiqui

munibsiddiqui commented Dec 2, 2021

Hi,
Thank you for this awesome utility. Recently I have been facing the following problem with KillSwitch.
When connecting with the IKEv2 and IPSec protocols the KillSwitch works great, but as soon as I connect with OpenVPN (TCP or UDP) it stops the entire network.

I have also checked that the rules are applied correctly using the command pfctl -s rules, and it shows me the rules applied.

@nbari Please help me in this context. I will really appreciate your help.


@nbari
Member

nbari commented Dec 2, 2021

Hi @munibsiddiqui, I don't fully understand the problem.

When connecting with IKEv2 and IPSec protocol the KillSwitch works great but as soon as

After you have the VPN and killswitch, you want to connect to another VPN? If yes, then it makes sense, because the other VPN may be adding its own routes, which are probably closed by the existing VPN. If you want to have "chained" VPNs, I found it easy to have one in the router and then one in my devices.

@munibsiddiqui
Author

@nbari Thank you for the quick response.

Unfortunately that's not the problem. Let me explain it in steps.

Steps

  1. Connect with IKEv2 protocol
  2. apply killswitch
  3. It works as expected in case of auto disconnect (it stops all the network traffic)
  4. Disconnect IKEv2 connection.

Now when I connect with the OpenVPN protocol (ExpressVPN, NordVPN, manual with configuration):

  1. Connect with OpenVPN protocol
  2. apply killswitch
  3. It stops all the traffic right away, even though I am connected with the VPN

I hope you understand the problem well now.

@nbari
Member

nbari commented Dec 5, 2021

Hi, try to use your peer IP:

killswitch -ip <your peer IP> 

Normally it is detected automatically.

@munibsiddiqui
Author

munibsiddiqui commented Dec 6, 2021

@nbari Yes, it detects it automatically. But I did try what you said and the results are the same.

➜  ~ sudo killswitch -ip 79.142.64.209 -e
Interface  MAC address         IP
en0        a0:78:17:99:d6:61   172.17.21.218/16
en6        00:e0:4c:68:06:75   192.168.62.149/24
utun2                          10.5.62.7

Public IP address: 79.142.64.205
PEER IP address:   79.142.64.209

# --------------------------------------------------------------
# Loading rules
# --------------------------------------------------------------
No ALTQ support in kernel
ALTQ related functions disabled
block drop all
block drop out quick inet6 all
pass inet proto udp from any to 224.0.0.0/4 keep state
pass inet proto udp from 224.0.0.0/4 to any keep state
pass inet from any to 255.255.255.255 flags S/SA keep state
pass inet from 255.255.255.255 to any flags S/SA keep state
pass on en0 proto udp from any port 67:68 to any port 67:68 keep state
pass on en0 inet proto tcp from any to 79.142.64.209 flags S/SA keep state
pass on en0 inet proto udp from any to 79.142.64.209 keep state
pass on en6 proto udp from any port 67:68 to any port 67:68 keep state
pass on en6 inet proto tcp from any to 79.142.64.209 flags S/SA keep state
pass on en6 inet proto udp from any to 79.142.64.209 keep state
pass on utun2 all flags S/SA keep state

STATES:
ALL udp 224.0.0.251:5353 <- 172.17.23.216:5353       NO_TRAFFIC:SINGLE
ALL icmp 10.5.62.7:7180 -> 8.8.8.8:0       0:0
ALL udp 192.168.62.149:51780 -> 216.58.208.74:443       SINGLE:NO_TRAFFIC
ALL udp 224.0.0.251:5353 <- 172.17.23.108:5353       NO_TRAFFIC:SINGLE
ALL udp 224.0.0.251:5353 <- 172.17.23.89:5353       NO_TRAFFIC:SINGLE
ALL udp 192.168.62.149:54816 -> 173.194.76.189:443       SINGLE:NO_TRAFFIC
ALL udp 192.168.62.149:54237 -> 173.194.76.189:443       SINGLE:NO_TRAFFIC
ALL udp 192.168.62.149:60678 -> 142.250.185.46:443       SINGLE:NO_TRAFFIC
ALL udp 10.5.62.7:63666 -> 79.142.64.208:53       SINGLE:NO_TRAFFIC
ALL udp 10.5.62.7:62679 -> 79.142.64.208:53       SINGLE:NO_TRAFFIC
ALL udp 224.0.0.251:5353 <- 172.17.23.55:5353       NO_TRAFFIC:SINGLE
ALL udp 192.168.62.149:60162 -> 172.217.169.238:443       SINGLE:NO_TRAFFIC
ALL udp 10.5.62.7:53575 -> 79.142.64.208:53       SINGLE:NO_TRAFFIC
ALL udp 224.0.0.251:5353 <- 172.17.18.166:5353       NO_TRAFFIC:SINGLE

It stops all the network activity, despite being connected to the VPN.


@nbari
Member

nbari commented Dec 6, 2021

Is the VPN on utun2? It is probably running on another interface. What about DNS queries? After the VPN is on, does ping to an IP work, for example pinging 1.1.1.1?

By the way, what color palette are you using for your terminal? (It looks very nice.)

@munibsiddiqui
Author

@nbari Yes, the VPN interface is utun2.

If the VPN is connected and KillSwitch is enabled:

➜  ~ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

If the VPN is connected and KillSwitch is disabled:

➜  ~ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=61 time=190.002 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=61 time=239.164 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=61 time=383.040 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=305.962 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=353.625 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=277.815 ms

I am using iTerm2 with the following theme :)
# See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes ZSH_THEME="robbyrussell"

@munibsiddiqui
Author

utun2 is the VPN interface.

@nbari
Member

nbari commented Dec 6, 2021

Some VPN clients come with a killswitch; try to disable it. What provider is this? There are multiple things to check/do, but instead of guessing I would suggest installing Wireshark: you open it and start your VPN, you will see a lot of traffic, and then you enable the killswitch. There you will catch all the requests, including the peer IP as well as many other requests that, based on those firewall rules, can be stunned.

@munibsiddiqui
Author

@nbari Did try, but no fruitful result :(

@munibsiddiqui
Author

@nbari I tried to check the pflog. It seems like the packets are being blocked by the rules on utun2. I am not sure why; please have a look at the given log, maybe you can help me in the right direction.

00:00:00.000000 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [P.], seq 968416655:968417302, ack 2727276032, win 48970, length 647: HTTP
00:00:00.133190 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 3778316214:3778316253, ack 4148531121, win 2048, options [nop,nop,TS val 7565058 ecr 589252711], length 39
00:00:00.037923 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [.], ack 68, win 48970, length 0
00:00:00.112265 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [P.], seq 4294966773:344, ack 0, win 4096, length 867: HTTP
00:00:00.080725 rule 0/0(match): block in on en0: fe80::1c3f:469f:fd46:194c.5353 > ff02::fb.5353: 0 [1a] [17q] [1au] PTR (QU)? _airport._tcp.local. PTR (QU)? _uscan._tcp.local. PTR (QU)? _pdl-datastream._tcp.local. PTR (QU)? _ipp._tcp.local. PTR (QU)? _scanner._tcp.local. PTR (QU)? _ptp._tcp.local. PTR (QU)? _ippusb._tcp.local. PTR (QU)? _printer._tcp.local. PTR (QU)? _uscans._tcp.local. PTR (QU)? _ipps._tcp.local. PTR (QU)? _rdlink._tcp.local. PTR (QU)? _googlecast._tcp.local. PTR (QU)? _apple-mobdev2._tcp.local. PTR (QU)? _afpovertcp._tcp.local. PTR (QU)? _smb._tcp.local. PTR (QU)? _rfb._tcp.local. PTR (QU)? _adisk._tcp.local. (334)
00:00:00.115925 rule 0/0(match): block out on utun2: 10.5.62.21.51961 > 193.45.6.7.80: Flags [P.], seq 2943029840:2943030009, ack 4144419223, win 2048, options [nop,nop,TS val 1727223859 ecr 3215007010], length 169: HTTP: GET /updates/wf/diffs/wf0051.dat.zsm HTTP/1.0
00:00:00.036148 rule 0/0(match): block out on utun2: 10.5.62.21.51971 > 142.251.39.110.443: Flags [P.], seq 584091005:584091044, ack 3243437065, win 2048, options [nop,nop,TS val 2641552638 ecr 1068133638], length 39
00:00:00.052260 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [P.], seq 0:647, ack 68, win 48970, length 647: HTTP
00:00:00.008858 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 7565500 ecr 589252711], length 39
00:00:00.093546 rule 0/0(match): block in on en0: fe80::18d7:8884:2fce:e05.5353 > ff02::fb.5353: 0 [3q] [1au] PTR (QU)? _companion-link._tcp.local. PTR (QU)? _homekit._tcp.local. PTR (QU)? _sleep-proxy._udp.local. (112)
00:00:00.204005 rule 0/0(match): block in on en0: fe80::1c3f:469f:fd46:194c.5353 > ff02::fb.5353: 0 [1au] PTR (QM)? _sleep-proxy._udp.local. (70)
00:00:00.000041 rule 0/0(match): block in on en0: fe80::416:1575:2291:98b1.5353 > ff02::fb.5353: 0*- [0q] 2/0/6 PTR SunyyanM-bM-^@M-^Ys MacBook Pro._companion-link._tcp.local., TXT "model=MacBookPro17,1" "osxvers=21" "icolor=1" (433)
00:00:00.000011 rule 0/0(match): block in on en0: 172.17.18.235.57621 > 172.17.23.255.57621: UDP, length 44
00:00:00.030283 rule 0/0(match): block out on utun2: 172.17.21.218.51817 > 52.163.231.110.443: Flags [FP.], seq 3437435373:3437435477, ack 236224985, win 4096, length 104
00:00:00.016337 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [P.], seq 4294966773:770, ack 0, win 4096, length 1293: HTTP
00:00:00.107833 rule 0/0(match): block out on utun2: 172.17.21.218.51835 > 3.67.245.95.443: Flags [P.], seq 3273176893:3273176947, ack 1119227523, win 2048, options [nop,nop,TS val 1658621976 ecr 1346191747], length 54
00:00:00.051375 rule 0/0(match): block in on en0: 13.232.67.210.443 > 172.17.21.218.51731: Flags [.], ack 1535778665, win 8, options [nop,nop,TS val 1179813331 ecr 0], length 0
00:00:00.056507 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [P.], seq 0:647, ack 68, win 48970, length 647: HTTP
00:00:00.029663 rule 0/0(match): block out on utun2: 172.17.21.218.51720 > 18.197.249.189.443: Flags [P.], seq 1271948921:1271948975, ack 2372930385, win 2048, options [nop,nop,TS val 679691535 ecr 344901213], length 54
00:00:00.096897 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 7566182 ecr 589252711], length 39
00:00:00.005680 rule 0/0(match): block out on utun2: 10.5.62.21.51961 > 193.45.6.7.80: Flags [P.], seq 0:169, ack 1, win 2048, options [nop,nop,TS val 1727224643 ecr 3215007010], length 169: HTTP: GET /updates/wf/diffs/wf0051.dat.zsm HTTP/1.0
00:00:00.009041 rule 0/0(match): block out on utun2: 10.5.62.21.51971 > 142.251.39.110.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 2641553395 ecr 1068133638], length 39
00:00:00.004792 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0 [21q] [2n] [1au] PTR (QU)? lb._dns-sd._udp.local. PTR (QU)? _airport._tcp.local. PTR (QU)? _rdlink._tcp.local. PTR (QU)? _ptp._tcp.local. PTR (QU)? _uscan._tcp.local. PTR (QU)? _uscans._tcp.local. PTR (QU)? _ippusb._tcp.local. PTR (QU)? _scanner._tcp.local. PTR (QU)? _printer._tcp.local. PTR (QU)? _pdl-datastream._tcp.local. PTR (QU)? _ipps._tcp.local. PTR (QU)? _ipp._tcp.local. PTR (QU)? _googlecast._tcp.local. PTR (QU)? _daap._tcp.local. PTR (QU)? _touch-remote._tcp.local. PTR (QU)? _airplay._tcp.local. PTR (QU)? _raop._tcp.local. PTR (QU)? _homekit._tcp.local. PTR (QU)? _sleep-proxy._udp.local. ANY (QU)? NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local. ANY (QU)? F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local. (463)
00:00:00.001377 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 4/0/3 PTR _airplay._tcp.local., PTR _raop._tcp.local., (Cache flush) PTR clw-gui-noman.local., (Cache flush) PTR clw-gui-noman.local. (289)
00:00:00.100650 rule 0/0(match): block in on en0: fe80::1c3f:469f:fd46:194c.5353 > ff02::fb.5353: 0 [1a] [17q] [1au] PTR (QM)? _airport._tcp.local. PTR (QM)? _uscan._tcp.local. PTR (QM)? _pdl-datastream._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _scanner._tcp.local. PTR (QM)? _ptp._tcp.local. PTR (QM)? _ippusb._tcp.local. PTR (QM)? _printer._tcp.local. PTR (QM)? _uscans._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? _googlecast._tcp.local. PTR (QM)? _apple-mobdev2._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _rfb._tcp.local. PTR (QM)? _adisk._tcp.local. (334)
00:00:00.035272 rule 0/0(match): block out on utun2: 172.17.21.218.51847 > 142.250.4.188.5228: Flags [F.], seq 3324494444, ack 1944611383, win 2048, options [nop,nop,TS val 2517156196 ecr 3016470099], length 0
00:00:00.072525 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0 [2q] [2n] [1au] ANY (QM)? NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local. ANY (QM)? F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local. (189)
00:00:00.089488 rule 0/0(match): block out on utun2: 10.5.62.21.51933 > 142.250.145.189.443: Flags [.], ack 1434731722, win 2048, length 0
00:00:00.111539 rule 0/0(match): block in on en0: fe80::18d7:8884:2fce:e05.5353 > ff02::fb.5353: 0 [1a] [2q] [1au] PTR (QM)? _companion-link._tcp.local. PTR (QM)? _homekit._tcp.local. (126)
00:00:00.001379 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0 [3q] [4n] [1au] ANY (QM)? NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local. ANY (QM)? F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local. ANY (QU)? clw-gui-noman.local. (239)
00:00:00.034335 rule 0/0(match): block out on utun2: 10.5.62.21.51938 > 18.168.175.133.443: Flags [.], ack 1112632671, win 2049, length 0
00:00:00.152120 rule 0/0(match): block out on utun2: 10.5.62.21.51934 > 18.168.175.133.443: Flags [.], ack 3612279908, win 2048, length 0
00:00:00.006593 rule 0/0(match): block out on utun2: 172.17.21.218.51835 > 3.67.245.95.443: Flags [P.], seq 4294966858:54, ack 1, win 2048, options [nop,nop,TS val 1658622828 ecr 1346191747], length 492
00:00:00.111304 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [.], seq 4294966773:857, ack 0, win 4096, length 1380: HTTP
00:00:00.001181 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0 [2n] [1au] ANY (QM)? clw-gui-noman.local. (110)
00:00:00.000287 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 6/0/3 (Cache flush) TXT "act=2" "acl=0" "deviceid=F0:2F:4B:10:74:BB" "fex=1c9/St5PFbgG" "features=0x4A7FCFD5,0xB8154FDE" "rsf=0x8" "flags=0x204" "gid=2EE0D7AF-B4C5-4B36-B92D-0A359A95DE89" "igl=0" "gcgl=0" "model=MacBookPro18,1" "at=4" "protovers=1.1" "pi=d4f80988-eab9-4aca-80b7-9166fc5c3801" "psi=779DC527-52A0-4D12-940F-FA0DDD464976" "pk=4afbed3f3d7439fb5f908da13b8c30cdea630d14d6bc129fa2af95f5465ad5ed" "srcvers=595.13.1", PTR NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local., (Cache flush) TXT "cn=0,1,2,3" "da=true" "et=0,3,5" "ft=0x4A7FCFD5,0xB8154FDE" "sf=0x204" "md=0,1,2" "am=MacBookPro18,1" "pk=4afbed3f3d7439fb5f908da13b8c30cdea630d14d6bc129fa2af95f5465ad5ed" "tp=UDP" "vn=65537" "vs=595.13.1" "vv=0", PTR F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local., (Cache flush) SRV clw-gui-noman.local.:7000 0 0, (Cache flush) SRV clw-gui-noman.local.:7000 0 0 (828)
00:00:00.083687 rule 0/0(match): block out on utun2: 10.5.62.21.51940 > 173.194.69.189.443: Flags [.], ack 1193869966, win 2048, length 0
00:00:00.021867 rule 0/0(match): block in on en0: fe80::416:1575:2291:98b1.5353 > ff02::fb.5353: 0 PTR (QM)? _spotify-connect._tcp.local. (45)
00:00:00.098829 rule 0/0(match): block in on en0: 172.17.19.110 > 224.0.0.1: igmp query v2
00:00:00.000163 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0 [4a] [7q] [2n] [1au] PTR (QM)? lb._dns-sd._udp.local. PTR (QM)? _daap._tcp.local. PTR (QM)? _touch-remote._tcp.local. PTR (QM)? _airplay._tcp.local. PTR (QM)? _raop._tcp.local. PTR (QM)? _sleep-proxy._udp.local. ANY (QM)? clw-gui-noman.local. (389)
00:00:00.102871 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 4/0/3 PTR _airplay._tcp.local., PTR _raop._tcp.local., (Cache flush) PTR clw-gui-noman.local., (Cache flush) PTR clw-gui-noman.local. (289)
00:00:00.000069 rule 0/0(match): block in on en0: fe80::76ac:b9ff:fe42:a769.41328 > ff02::1.10001: UDP, length 166
00:00:00.018232 rule 0/0(match): block out on utun2: 172.17.21.218.51550 > 17.253.53.206.443: Flags [FP.], seq 903369845:903369908, ack 2050907746, win 2048, options [nop,nop,TS val 1575470771 ecr 3530759047], length 63
00:00:00.111193 rule 0/0(match): block out on utun2: 172.17.21.218.51848 > 74.125.200.188.5228: Flags [F.], seq 2374419282, ack 1046122093, win 2048, options [nop,nop,TS val 3752451208 ecr 3861651858], length 0
00:00:00.001100 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 7567346 ecr 589252711], length 39
00:00:00.074368 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 2/0/2 (Cache flush) AAAA fe80::1830:c1cb:581e:8fa5, (Cache flush) A 172.17.17.177 (124)
00:00:00.000022 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [P.], seq 0:647, ack 68, win 48970, length 647: HTTP
00:00:00.088707 rule 0/0(match): block out on utun2: 10.5.62.21.51971 > 142.251.39.110.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 2641554708 ecr 1068133638], length 39
00:00:00.047097 rule 0/0(match): block out on utun2: 10.5.62.21.51961 > 193.45.6.7.80: Flags [P.], seq 0:169, ack 1, win 2048, options [nop,nop,TS val 1727226012 ecr 3215007010], length 169: HTTP: GET /updates/wf/diffs/wf0051.dat.zsm HTTP/1.0
00:00:00.258066 rule 0/0(match): block out on utun2: 10.5.62.21.51956 > 13.69.109.131.443: Flags [P.], seq 1434409835:1434410260, ack 2485435128, win 4096, length 425
00:00:00.117838 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 6/0/3 (Cache flush) TXT "act=2" "acl=0" "deviceid=F0:2F:4B:10:74:BB" "fex=1c9/St5PFbgG" "features=0x4A7FCFD5,0xB8154FDE" "rsf=0x8" "flags=0x204" "gid=2EE0D7AF-B4C5-4B36-B92D-0A359A95DE89" "igl=0" "gcgl=0" "model=MacBookPro18,1" "at=4" "protovers=1.1" "pi=d4f80988-eab9-4aca-80b7-9166fc5c3801" "psi=779DC527-52A0-4D12-940F-FA0DDD464976" "pk=4afbed3f3d7439fb5f908da13b8c30cdea630d14d6bc129fa2af95f5465ad5ed" "srcvers=595.13.1", PTR NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local., (Cache flush) TXT "cn=0,1,2,3" "da=true" "et=0,3,5" "ft=0x4A7FCFD5,0xB8154FDE" "sf=0x204" "md=0,1,2" "am=MacBookPro18,1" "pk=4afbed3f3d7439fb5f908da13b8c30cdea630d14d6bc129fa2af95f5465ad5ed" "tp=UDP" "vn=65537" "vs=595.13.1" "vv=0", PTR F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local., (Cache flush) SRV clw-gui-noman.local.:7000 0 0, (Cache flush) SRV clw-gui-noman.local.:7000 0 0 (828)
00:00:00.204674 rule 0/0(match): block in on en0: 3.67.245.95.443 > 172.17.21.218.51835: Flags [.], ack 4294966857, win 8, options [nop,nop,TS val 1346253817 ecr 0], length 0
00:00:00.000021 rule 0/0(match): block in on en0: 18.197.249.189.443 > 172.17.21.218.51720: Flags [.], ack 4294966697, win 8, options [nop,nop,TS val 344962860 ecr 0], length 0
00:00:00.310422 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 2/0/2 (Cache flush) AAAA fe80::1830:c1cb:581e:8fa5, (Cache flush) A 172.17.17.177 (124)
00:00:00.049314 rule 0/0(match): block out on utun2: 10.5.62.21.51942 > 142.251.39.106.443: Flags [.], ack 464417595, win 2048, length 0
00:00:00.050268 rule 0/0(match): block in on en0: 172.17.19.74 > 224.0.0.251: igmp v2 report 224.0.0.251
00:00:00.203217 rule 0/0(match): block in on en0: fe80::1c3f:469f:fd46:194c.5353 > ff02::fb.5353: 0 [2a] [17q] [1au] PTR (QM)? _airport._tcp.local. PTR (QM)? _uscan._tcp.local. PTR (QM)? _pdl-datastream._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _scanner._tcp.local. PTR (QM)? _ptp._tcp.local. PTR (QM)? _ippusb._tcp.local. PTR (QM)? _printer._tcp.local. PTR (QM)? _uscans._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? _googlecast._tcp.local. PTR (QM)? _apple-mobdev2._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _rfb._tcp.local. PTR (QM)? _adisk._tcp.local. (371)
00:00:00.108117 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [.], seq 4294966773:857, ack 0, win 4096, length 1380: HTTP
00:00:00.406166 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 10/0/5 (Cache flush) TXT "act=2" "acl=0" "deviceid=F0:2F:4B:10:74:BB" "fex=1c9/St5PFbgG" "features=0x4A7FCFD5,0xB8154FDE" "rsf=0x8" "flags=0x204" "gid=2EE0D7AF-B4C5-4B36-B92D-0A359A95DE89" "igl=0" "gcgl=0" "model=MacBookPro18,1" "at=4" "protovers=1.1" "pi=d4f80988-eab9-4aca-80b7-9166fc5c3801" "psi=779DC527-52A0-4D12-940F-FA0DDD464976" "pk=4afbed3f3d7439fb5f908da13b8c30cdea630d14d6bc129fa2af95f5465ad5ed" "srcvers=595.13.1", PTR _airplay._tcp.local., PTR NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local., (Cache flush) TXT "cn=0,1,2,3" "da=true" "et=0,3,5" "ft=0x4A7FCFD5,0xB8154FDE" "sf=0x204" "md=0,1,2" "am=MacBookPro18,1" "pk=4afbed3f3d7439fb5f908da13b8c30cdea630d14d6bc129fa2af95f5465ad5ed" "tp=UDP" "vn=65537" "vs=595.13.1" "vv=0", PTR _raop._tcp.local., PTR F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local., (Cache flush) SRV clw-gui-noman.local.:7000 0 0, (Cache flush) SRV clw-gui-noman.local.:7000 0 0, (Cache flush) PTR clw-gui-noman.local., (Cache flush) PTR clw-gui-noman.local. (1037)
00:00:00.161427 rule 0/0(match): block out on utun2: 10.5.62.21.51944 > 142.251.39.106.443: Flags [.], ack 2729829529, win 2048, length 0
00:00:00.064044 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 7569475 ecr 589252711], length 39
00:00:00.055131 rule 0/0(match): block out on utun2: 10.5.62.21.51956 > 13.69.109.131.443: Flags [P.], seq 0:1278, ack 1, win 4096, length 1278
00:00:00.407612 rule 0/0(match): block out on utun2: 10.5.62.21.51971 > 142.251.39.110.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 2641557133 ecr 1068133638], length 39
00:00:00.034102 rule 0/0(match): block out on utun2: 10.5.62.21.51945 > 40.115.22.134.443: Flags [.], ack 860749834, win 2048, length 0
00:00:00.011120 rule 0/0(match): block out on utun2: 172.17.21.218.51817 > 52.163.231.110.443: Flags [FP.], seq 4294967239:104, ack 1, win 4096, length 161
00:00:00.114608 rule 0/0(match): block out on utun2: 10.5.62.21.51961 > 193.45.6.7.80: Flags [P.], seq 0:169, ack 1, win 2048, options [nop,nop,TS val 1727228548 ecr 3215007010], length 169: HTTP: GET /updates/wf/diffs/wf0051.dat.zsm HTTP/1.0
00:00:00.072611 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0 [4a] [6q] [1au] PTR (QM)? lb._dns-sd._udp.local. PTR (QM)? _daap._tcp.local. PTR (QM)? _touch-remote._tcp.local. PTR (QM)? _airplay._tcp.local. PTR (QM)? _raop._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (325)
00:00:00.000821 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [.], seq 0:512, ack 68, win 48970, length 512: HTTP
00:00:00.195562 rule 0/0(match): block out on utun2: 10.5.62.21.51946 > 40.115.22.134.443: Flags [.], ack 2529453762, win 2048, length 0
00:00:00.113481 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 2/0/2 (Cache flush) AAAA fe80::1830:c1cb:581e:8fa5, (Cache flush) A 172.17.17.177 (124)
00:00:00.308436 rule 0/0(match): block out on utun2: 10.5.62.21.51948 > 142.251.39.106.443: Flags [.], ack 172385171, win 2048, length 0
00:00:00.137860 rule 0/0(match): block out on utun2: 10.5.62.21.51947 > 142.251.39.106.443: Flags [.], ack 3052871550, win 2048, length 0
00:00:00.271296 rule 0/0(match): block in on en0: fe80::1830:c1cb:581e:8fa5.5353 > ff02::fb.5353: 0*- [0q] 2/0/1 PTR NomanM-bM-^@M-^Ys MacBook Pro._airplay._tcp.local., PTR F02F4B1074BB@NomanM-bM-^@M-^Ys MacBook Pro._raop._tcp.local. (151)
00:00:00.097362 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [P.], seq 380414529:380414554, ack 893759976, win 32, options [nop,nop,TS val 2543583142 ecr 0], length 25
00:00:00.034056 rule 0/0(match): block out on utun2: 10.5.62.21.51956 > 13.69.109.131.443: Flags [P.], seq 0:1278, ack 1, win 4096, length 1278
00:00:00.000429 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [P.], seq 0:25, ack 1, win 32, options [nop,nop,TS val 2543583276 ecr 0], length 25
00:00:00.685625 rule 0/0(match): block in on en0: fe80::c838:de30:647e:15f0.5353 > ff02::fb.5353: 0 PTR (QM)? _spotify-connect._tcp.local. (45)
00:00:00.140249 rule 0/0(match): block out on utun2: 10.5.62.21.51952 > 18.168.172.238.443: Flags [.], ack 2984845612, win 2048, length 0
00:00:00.268402 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [P.], seq 0:25, ack 1, win 32, options [nop,nop,TS val 2543584299 ecr 0], length 25
00:00:00.121637 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [.], seq 4294966773:857, ack 0, win 4096, length 1380: HTTP
00:00:00.198329 rule 0/0(match): block out on utun2: 10.5.62.21.51941 > 142.251.39.106.443: Flags [.], ack 2470812091, win 2048, length 0
00:00:00.610236 rule 0/0(match): block out on utun2: 172.17.21.218.51726 > 172.217.194.139.443: Flags [.], seq 1910222852:1910224220, ack 44745089, win 2048, options [nop,nop,TS val 4208416281 ecr 150034143], length 1368
00:00:00.092872 rule 0/0(match): block in on en0: fe80::1052:3ad7:2617:b988.5353 > ff02::fb.5353: 0 [4q] [1au] PTR (QU)? lb._dns-sd._udp.local. PTR (QU)? _companion-link._tcp.local. PTR (QU)? _homekit._tcp.local. PTR (QU)? _sleep-proxy._udp.local. (129)
00:00:00.000023 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [.], ack 0, win 32, options [nop,nop,TS val 2543585370 ecr 0], length 0
00:00:00.121326 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 7573531 ecr 589252711], length 39
00:00:00.572109 rule 0/0(match): block out on utun2: 10.5.62.21.51955 > 142.250.179.195.443: Flags [.], ack 803290816, win 2048, length 0
00:00:00.330664 rule 0/0(match): block in on en0: fe80::1052:3ad7:2617:b988.5353 > ff02::fb.5353: 0 [1a] [4q] [1au] PTR (QM)? lb._dns-sd._udp.local. PTR (QM)? _companion-link._tcp.local. PTR (QM)? _homekit._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (167)
00:00:00.000026 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [P.], seq 0:25, ack 1, win 32, options [nop,nop,TS val 2543586329 ecr 0], length 25
00:00:00.005522 rule 0/0(match): block out on utun2: 172.17.21.218.51718 > 13.83.65.43.443: Flags [F.], seq 263395627, ack 950353242, win 4096, length 0
00:00:00.034954 rule 0/0(match): block in on en0: 142.250.4.188.5228 > 172.17.21.218.51847: Flags [.], ack 4294967295, win 128, options [nop,nop,TS val 3016531389 ecr 0], length 0
00:00:00.006750 rule 0/0(match): block in on en0: 74.125.200.188.5228 > 172.17.21.218.51848: Flags [.], ack 4294967295, win 128, options [nop,nop,TS val 3861713018 ecr 0], length 0
00:00:00.108007 rule 0/0(match): block out on utun2: 10.5.62.21.51971 > 142.251.39.110.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 2641561781 ecr 1068133638], length 39
00:00:00.101092 rule 0/0(match): block out on utun2: 10.5.62.21.51956 > 13.69.109.131.443: Flags [P.], seq 0:1278, ack 1, win 4096, length 1278
00:00:00.284749 rule 0/0(match): block out on utun2: 10.5.62.21.51961 > 193.45.6.7.80: Flags [P.], seq 0:169, ack 1, win 2048, options [nop,nop,TS val 1727233421 ecr 3215007010], length 169: HTTP: GET /updates/wf/diffs/wf0051.dat.zsm HTTP/1.0
00:00:00.585655 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [.], seq 0:256, ack 68, win 48970, length 256: HTTP
00:00:00.168988 rule 0/0(match): block out on utun2: 10.5.62.21.51959 > 142.250.179.195.443: Flags [.], ack 654221822, win 2048, length 0
00:00:00.153462 rule 0/0(match): block out on utun2: 172.17.21.218.51835 > 3.67.245.95.443: Flags [P.], seq 54:108, ack 1, win 2048, options [nop,nop,TS val 1658631898 ecr 1346191747], length 54
00:00:00.140746 rule 0/0(match): block out on utun2: 172.17.21.218.51720 > 18.197.249.189.443: Flags [P.], seq 54:108, ack 1, win 2048, options [nop,nop,TS val 679701460 ecr 344901213], length 54
00:00:00.048633 rule 0/0(match): block in on en0: fe80::3de3:cf32:c60a:75e6.5353 > ff02::fb.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
00:00:00.020799 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [.], seq 4294966773:857, ack 0, win 4096, length 1380: HTTP
00:00:00.081139 rule 0/0(match): block in on en0: fe80::3de3:cf32:c60a:75e6.5353 > ff02::fb.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
00:00:00.000019 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [P.], seq 25:49, ack 1, win 32, options [nop,nop,TS val 2543588141 ecr 0], length 24
00:00:00.000018 rule 0/0(match): block in on en0: 140.82.114.25.443 > 172.17.21.218.51840: Flags [FP.], seq 49, ack 1, win 32, options [nop,nop,TS val 2543588142 ecr 0], length 0
00:00:00.921554 rule 0/0(match): block in on en0: fe80::3de3:cf32:c60a:75e6.5353 > ff02::fb.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
00:00:00.000035 rule 0/0(match): block in on en0: fe80::3de3:cf32:c60a:75e6.5353 > ff02::fb.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
00:00:00.105812 rule 0/0(match): block in on en0: fe80::76ac:b9ff:fe42:a769.36863 > ff02::1.10001: UDP, length 166
00:00:00.333059 rule 0/0(match): block out on utun2: 10.5.62.21.51851 > 142.250.179.195.443: Flags [P.], seq 1497076127:1497076213, ack 2124571276, win 2048, options [nop,nop,TS val 4203234920 ecr 633725346], length 86
00:00:00.000028 rule 0/0(match): block out on utun2: 10.5.62.21.51851 > 142.250.179.195.443: Flags [P.], seq 86:125, ack 1, win 2048, options [nop,nop,TS val 4203234920 ecr 633725346], length 39
00:00:00.376782 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 0:39, ack 1, win 2048, options [nop,nop,TS val 7577892 ecr 589252711], length 39
00:00:00.123132 rule 0/0(match): block out on utun2: 10.5.62.21.51851 > 142.250.179.195.443: Flags [P.], seq 0:125, ack 1, win 2048, options [nop,nop,TS val 4203235416 ecr 633725346], length 125
00:00:
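Added illustration for the log above (not code from the killswitch project): it parses tcpdump-format pflog lines and replays them against a simplified model of the ruleset posted earlier in the thread, where `flags S/SA keep state` matches only the initial SYN. A TCP connection that was already established when the rules were loaded has no state entry, so its ACK/PSH packets fall through to `block drop all`; the SYN packets in the script are constructed, the log lines are copied from the thread, and the DHCP/multicast rules are left out of the model.

```python
"""Replay pflog lines against a simplified model of the killswitch PF ruleset (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PEER_IP = "79.142.64.209"   # peer IP reported in the thread
TUNNEL_IFACE = "utun2"
PHYS_IFACES = ("en0", "en6")

# Lines copied from the pflog output posted in the thread (tcpdump -n -e -ttt -i pflog0).
PFLOG_SAMPLE = """\
00:00:00.000000 rule 0/0(match): block in on en0: 79.142.64.209.80 > 172.17.21.218.51842: Flags [P.], seq 968416655:968417302, ack 2727276032, win 48970, length 647: HTTP
00:00:00.133190 rule 0/0(match): block out on utun2: 10.5.62.21.51939 > 142.251.36.46.443: Flags [P.], seq 3778316214:3778316253, ack 4148531121, win 2048, length 39
00:00:00.112265 rule 0/0(match): block out on en0: 172.17.21.218.51842 > 79.142.64.209.80: Flags [P.], seq 4294966773:344, ack 0, win 4096, length 867: HTTP
00:00:00.000011 rule 0/0(match): block in on en0: 172.17.18.235.57621 > 172.17.23.255.57621: UDP, length 44
00:00:00.098829 rule 0/0(match): block in on en0: 172.17.19.110 > 224.0.0.1: igmp query v2
"""

# tcpdump pflog line: "<ts> rule N/M(match): <action> <dir> on <iface>: src.sport > dst.dport: ..."
LOG_RE = re.compile(
    r"^\S+ rule \S+: (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\w.:]+)\.(?P<sport>\d+) > (?P<dst>[\w.:]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<udp>UDP))"
)


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # tcpdump flag letters: S=SYN, .=ACK, P=PSH, F=FIN, R=RST
    action: str = ""     # action pflog recorded for this packet, if parsed from a log line


def parse_pflog_line(line: str) -> Optional[Packet]:
    """Parse one TCP/UDP pflog line; returns None for lines the model ignores (igmp, mDNS)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Packet(m["dir"], m["iface"], "udp" if m["udp"] else "tcp",
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  m["flags"] or "", m["action"])


def blocked_by_interface(log: str) -> Counter:
    """The check nbari did by eye: on which (direction, interface) are the blocks landing?"""
    counts: Counter = Counter()
    for line in log.splitlines():
        pkt = parse_pflog_line(line)
        if pkt is not None and pkt.action == "block":
            counts[(pkt.direction, pkt.iface)] += 1
    return counts


def syn_only(flags: str) -> bool:
    """PF 'flags S/SA': of the SYN and ACK bits only SYN is set, i.e. the first packet of a handshake."""
    return "S" in flags and "." not in flags


def evaluate(pkt: Packet, states: set) -> str:
    """Verdict under a model of the thread's rules: 'pass:state', 'pass:rule' or 'block:no-state'.

    'keep state' passes later packets of a flow only if its first packet created a state, so a
    flow opened before the rules were loaded never matches and hits the default 'block drop all'.
    """
    fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if fwd in states or rev in states:
        return "pass:state"
    # pass on en0/en6 inet proto {tcp,udp} from any to <peer> [flags S/SA] keep state
    if pkt.iface in PHYS_IFACES and pkt.dst == PEER_IP and (pkt.proto == "udp" or syn_only(pkt.flags)):
        states.add(fwd)
        return "pass:rule"
    # pass on utun2 all flags S/SA keep state   (the flags clause only constrains TCP)
    if pkt.iface == TUNNEL_IFACE and (pkt.proto != "tcp" or syn_only(pkt.flags)):
        states.add(fwd)
        return "pass:rule"
    return "block:no-state"


def replay(log: str, states: Optional[set] = None) -> list:
    """Evaluate every parseable log line, starting from an empty state table unless one is given."""
    states = set() if states is None else states
    return [(pkt, evaluate(pkt, states))
            for pkt in map(parse_pflog_line, log.splitlines()) if pkt is not None]


if __name__ == "__main__":
    print("blocks by (direction, interface):", dict(blocked_by_interface(PFLOG_SAMPLE)))
    for pkt, verdict in replay(PFLOG_SAMPLE):   # rules loaded mid-connection: no state, all blocked
        print(f"{pkt.direction:3} {pkt.iface:5} {pkt.proto} {pkt.src}:{pkt.sport} > "
              f"{pkt.dst}:{pkt.dport} [{pkt.flags}] -> {verdict}")
    # Constructed flow: the same connection to the peer, but opened AFTER the rules were loaded.
    st: set = set()
    for p in (Packet("out", "en0", "tcp", "172.17.21.218", 52000, PEER_IP, 80, "S"),
              Packet("out", "en0", "tcp", "172.17.21.218", 52000, PEER_IP, 80, "P."),
              Packet("in", "en0", "tcp", PEER_IP, 80, "172.17.21.218", 52000, "P.")):
        print(f"{p.direction:3} [{p.flags}] -> {evaluate(p, st)}")
```

Run it with `python3` on a saved copy of the full pflog output to get the per-interface block counts; the replay of a reconnected flow reproduces the behaviour later reported in the thread, where reconnecting the VPN with the rules already loaded works.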

@nbari
Member

nbari commented Dec 7, 2021

For that log, what was the Peer IP?

@munibsiddiqui
Author

@nbari The Peer IP was: 79.142.64.209

@nbari
Member

nbari commented Dec 8, 2021

Something is strange, since it is blocking traffic to the peer IP:

 block out on en0: 172.17.21.218.51842 > 79.142.64.209 
 block in on en0: 79.142.64.209.80 > 172.17.21.218.51842

@munibsiddiqui
Author

@nbari Yes, that's strange. We have the following rules in place in PF.

pass on en0 proto udp from any port 67:68 to any port 67:68 keep state
pass on en0 inet proto tcp from any to 79.142.64.209 flags S/SA keep state
pass on en0 inet proto udp from any to 79.142.64.209 keep state
pass on en6 proto udp from any port 67:68 to any port 67:68 keep state
pass on en6 inet proto tcp from any to 79.142.64.209 flags S/SA keep state
pass on en6 inet proto udp from any to 79.142.64.209 keep state

@nbari
Member

nbari commented Dec 9, 2021

If you can share credentials/provider, I could give it a try.

@munibsiddiqui
Author

@nbari Can I have your email address so that I can send you the required information?

@nbari
Member

nbari commented Dec 10, 2021

Install ssh-vault (brew install ssh-vault), then from your terminal run this:

ssh-vault -u nbari create vpn.ssh

It will open your editor (probably vim); you write everything you need there, save and exit, and send me the vpn.ssh:

SSH-VAULT;AES256;fd:c9:a5:ab:67:c2:6a:3b:6b:c9:72:d6:32:f8:a8:09
dmw4QlCPg2OUH3MKrfPLy2sfUNA4kciJvLaQsnuFFYbZREJGVJvjYMUANZhy9boF
....

@munibsiddiqui
Author

munibsiddiqui commented Dec 14, 2021

@nbari Sorry for being late. Please see the following information.
vpn-information.txt

@nbari
Member

nbari commented Dec 14, 2021

Hi @munibsiddiqui, I am indeed having the same issue. I will check it these days and hopefully come up with something working.

@nbari
Member

nbari commented Dec 14, 2021

Hi @munibsiddiqui, here I am sharing some initial tests/findings. I notice that the tunnel is not changing the default gateway:

> route get 0.0.0.0
   route to: default
destination: default
       mask: default
    gateway: 192.168.50.1
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING,GLOBAL>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0

If using other protocols, the interface, instead of being en1, could be something like ipsec. I tried changing the config to use something like redirect-gateway def1 or redirect-gateway autolocal, but no luck. Just for testing, after the VPN was up I changed the default gateway:

sudo route delete default
sudo route change default -interface utun5

but the default killswitch rules block all traffic. I will continue testing, but maybe this info also helps you test from your side.

What I am doing for debugging is:

$ sudo ifconfig pflog0 create

Do some changes in the rules and load them:

$ sudo pfctl -Fa -f /tmp/killswitch.pf.conf -e

Then check the logs with:

$ sudo tcpdump -n -e -ttt -i pflog0

Maybe we need to use the PF reply-to, not sure, but well, give it a try from your side and share your findings.

@munibsiddiqui
Author

@nbari Awesome, I am trying to make a few changes; let's see what happens :)

@munibsiddiqui
Author

@nbari I tried everything but haven't got any solution. But I found a case which is interesting.

When KillSwitch is applied after connecting the VPN, it blocks all network packets. Interestingly, when I disconnected the VPN, left the KillSwitch rules in place and then reconnected the VPN, it does not block any packets. :) Not sure why, but this is interesting. Maybe the rules are blocking some port.
