vpn-kill-switch is both an executable binary that can be run, and a library that can be used in Rust programs.

Installing the `killswitch` executable

Assuming you have Rust/Cargo installed, run this command in a terminal:

cargo install vpn-kill-switch

It will make the killswitch command available in your PATH if you've allowed the PATH to be modified when installing Rust. cargo uninstall vpn-kill-switch uninstalls.

Adding `killswitch` library as a dependency

Run this command in a terminal, in your project's directory:

cargo add vpn-kill-switch

To add it manually, edit your project's Cargo.toml file and add to the [dependencies] section:

vpn-kill-switch = "0.8.2"

The killswitch library will be automatically available globally. Read the killswitch library documentation.

Back to the crate overview.

Readme

killswitch

VPN kill switch for macOS. Blocks all outgoing traffic when the VPN connection drops, preventing your real IP from leaking.

How it works

When enabled, killswitch loads pf firewall rules that only allow traffic through the VPN tunnel. If the VPN disconnects, the tunnel interface disappears but the firewall rules remain — blocking all internet traffic until the VPN reconnects or the kill switch is disabled.

Rules are written to /tmp/killswitch.pf.conf and loaded with pfctl. The system default /etc/pf.conf is never modified.

Usage

Show network interfaces, public IP, and detected VPN peer:

$ killswitch

Enable the kill switch (requires root):

$ sudo killswitch -e

Disable and restore default firewall rules:

$ sudo killswitch -d

Print the firewall rules without applying them:

$ killswitch --print

Options

Flag	Description
`--leak`	Allow ICMP (ping) and DNS requests outside the VPN
`--local`	Allow local network traffic
`--ipv4 <IP>`	Manually specify the VPN peer IP (auto-detected if omitted)
`-v`, `-vv`	Verbose / debug output

Examples

Enable with DNS leak and local network access:

$ sudo killswitch -e --leak --local

Specify the VPN peer IP manually:

$ sudo killswitch -e --ipv4 203.0.113.1

Preview rules in debug mode:

$ killswitch --print --leak -vv

VPN detection

The VPN gateway IP is auto-detected using multiple methods (in order):

sysctl — reads the kernel routing table directly
netstat — parses routes with UGSH/UGSc flags
scutil — queries macOS Network Extension services (works with WireGuard, ProtonVPN, etc.)
ifconfig — extracts peer addresses from tunnel interfaces

If auto-detection fails, use --ipv4 to specify the VPN peer IP manually.

Build from source

Requires Rust:

$ cargo build --release
$ sudo cp target/release/killswitch /usr/local/bin/

Development

$ just test       # format check + clippy + tests
$ just fmt        # check formatting
$ just clippy     # lint all targets

Installing the killswitch executable

Adding killswitch library as a dependency

Installing the `killswitch` executable

Adding `killswitch` library as a dependency