I do NOT guarantee that this will work. Try this at your own risk. You alone are responsible for finding out whether this solution works and is satisfactory for you, and does whatever you may think or hope that it does.

10-step guide to shutting down the internet connection should your VPN connection die.

A VPN connection is a way of using the internet anonymously. If you are reading this, chances are you already know what a VPN is and what it is used for.

A problem with VPN is that the connection sometimes dies. There are various ways of dealing with this, most of which are based on simply attempting to reconnect as soon as a connection dies. However, during the time that you are disconnected, whatever you are doing on the internet is no longer being done anonymously, and anyone will be able to see and store your REAL IP address. This guide describes how to try to avoid leaking your real IP address by shutting down your internet connection as soon as your VPN connection dies.

1. Set up a working VPN connection. There are other guides for doing this elsewhere. Some providers give you a guide for doing this when you sign up, others don't. Regardless, this is not the purpose of this guide. Google "How to VPN Ubuntu" for instructions.
2. Ubuntu comes with a firewall called UFW. There is a GUI for this firewall called "GUFW". Press Applications>Ubuntu Software Center (or Applications>Add/remove applications) and type GUFW in the search field. Install the program.
3. Connect to your VPN. Make sure the connection is successful and active.
4. Find out your IP (http://www.whatismyip.com) OR, even better, find out the whole IP range of your VPN provider.

What is the difference between using your IP as provided by whatismyip.com and the whole IP range of your VPN provider? The difference is that if you use only the IP provided by whatismyip, all the setup we will do in the next steps will be valid for that IP only (and hence, probably also only that single connection). This means that the next time you connect to your VPN, your single IP as provided by whatismyip may differ from the one you have right now, and you will have to change the setup every time you connect to your VPN. On the other hand, if you have the whole IP range of your VPN provider, you can enter it once when making this setup and it will probably still work for your next connection, and your next, and your next and so on.

5. Go to System>Administration>Firewall Configuration. This is the GUFW program.
6. There are different versions of this program, and the GUI has changed recently in the newer versions. However, you should be able to understand what to do from the next steps regardless.
7. Select Reject on both Incoming and Outgoing, or, for the old GUI, By default Reject.
8. Now comes the fun part. Press Add to add a new rule. Switch to the Advanced tab (don't worry, it's not that advanced). We will make two rules here. First, you want to

Allow In Both To (Your IP, that you collected from whatismyip.com, OR, your IP range, that you collected from your VPN provider or a trusted source that knows the IP range of your provider). Leave the rest of the fields blank.

Next, you want to

Allow Out Both From (The same IP again). Leave the rest of the fields blank.

9. Make sure that everything is correct, and try to surf around. You should be able to surf and go about your internet business as usual.
10. Now disconnect your VPN connection. Try to surf again. IMPORTANT: You MUST try to visit pages that you have not visited before, to ensure that your browser doesn't display cached versions of pages you often visit.

Hopefully, you will have problems surfing. It should be impossible. This is the whole point.

We told the firewall to only allow your computer to do stuff on the internet as long as your VPN connection is alive. Should it die, you should no longer be able to connect to the internet, download or upload anything.

A problem here is that, as long as your firewall is Enabled, your computer will be unable to reconnect to the VPN, let alone do anything at all on the internet (since this is what we ordered the firewall to do: forbid any connection unless it goes through the VPN). So in order to get back online you need to disable the firewall. Again, note that as soon as the firewall is disabled, whatever programs you are running, whatever you are doing with them on the internet, will LEAK your IP. It is not until you reconnect to your VPN, and then turn the firewall back on, that your real IP will be protected. So, should your VPN connection die, and your firewall block internet access, in order to stay anonymous you must first turn off all programs that are attempting to connect to the internet, then reconnect to your VPN, then re-enable the firewall.
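
The rules from steps 7 and 8 written as ufw command lines, as an added example that is not part of the original guide. It only prints the commands for review, refuses malformed or match-everything ranges, and can check that the IP you saw while connected falls inside the range you entered. Assumptions: GUFW's "Allow In ... To" and "Allow Out ... From" fields map to the ufw arguments shown, and 203.0.113.0/24 is a constructed stand-in for your provider's range.

```shell
#!/bin/sh
# Added example: prints (never runs) ufw commands mirroring steps 7-8.
# 203.0.113.0/24 below is a constructed documentation range, not a real VPN.

# to_int A.B.C.D: print the address as an integer; fail if malformed.
to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    n=0
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( n * 256 + octet ))
    done
    echo "$n"
}

# in_range IP TARGET: succeed if IP is inside TARGET (one address or a CIDR).
in_range() {
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*|0*|???*) return 1 ;; esac  # /0 would allow everything
    [ "$bits" -le 32 ] || return 1
    ip=$(to_int "$1") && net=$(to_int "${2%/*}") || return 1
    shift_by=$(( 32 - bits ))
    [ $(( ip >> shift_by )) -eq $(( net >> shift_by )) ]
}

# killswitch_cmds TARGET: print the commands for review, one per line.
killswitch_cmds() {
    in_range "${1%/*}" "$1" || { echo "bad address or range: $1" >&2; return 1; }
    printf '%s\n' "ufw default reject incoming" "ufw default reject outgoing" \
        "ufw allow in to $1" "ufw allow out from $1" "ufw enable"
}

# Usage: sh killswitch.sh VPN_RANGE [IP_SHOWN_WHILE_CONNECTED]
if [ "$#" -ge 1 ]; then
    killswitch_cmds "$1" || exit 1
    if [ "$#" -ge 2 ] && ! in_range "$2" "$1"; then
        echo "warning: $2 is outside $1, so these rules will not match it" >&2
    fi
fi
```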

Some people may wish to specify these rules only for certain ports or programs rather than all access to the internet from/to any port and any program. As you may already have noticed, this is possible. When you add rules, to the right of the field where you enter your IP, there is a blank text field where you can specify a port that the rule should apply to.

So for example, if you want to make sure that all your browsing is done anonymously, but let all other programs communicate freely, you must specify rules specifically for the port that your browser uses (in most cases, ONE of these ports is port nr 80- however be aware that any number of ports with any id nr can be used). Assuming that we know for sure that our browser only uses port nr 80, this is how we would do it:

1. Specify two new rules (again, using the Advanced tab, but now, you also need to select "Show extended actions". If you do, to the farthest left, you will now get a field where you can specify what rank the rule shall have):

Allow In Both (leave the rest blank)


Allow Out Both (leave the rest blank)

2. Specify two port-specific rules, e.g.

Allow In Both To (Your IP) (80)


Allow Out Both From (Your IP) (80)

3. Now, make sure that the last two rules have a HIGHER rank than the other two.

This should mean that the firewall will allow any program to do anything on the internet, except for all programs that communicate on port 80, which need a live VPN connection in order to use the internet. Hence, should the VPN connection die, all other programs should function fine, and you should be able to reconnect to your VPN provider without having to turn off the firewall.

I hope that you will get this to work. Again, NOTE that I in no way guarantee that this will work, even if you succeed in performing all these steps and it seems like they do work. Your real IP may still leak, and it is up to you to decide whether to trust UFW and this solution or not. Everything you do on the internet is your own responsibility, not mine.