Wireguard linux iptables killswitch.

Intro

Add the below to your interface section in your config. The MTU value is optional but you want to avoid fragmentation as much as possible so it is nice to have.

[Interface]
MTU = 1500
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Caveat

The iptable rule will prevent you from being able to see/interact with local devices. So for example this will break visbility of Chromecast like devices.

Back to top