Implement basic kill switch functionality

[parfenovvs]

Summary

Add kill switch functionality to block all internet traffic when VPN connection drops, preventing IP leaks and maintaining privacy.

Problem

When VPN disconnects unexpectedly, traffic may route through the default interface, exposing the user's real IP address.

Proposed Solution

Kill Switch Features

• Automatic traffic blocking when VPN disconnects
• Configurable whitelist for essential services
• Manual enable/disable controls
• Integration with auto-reconnect functionality

Implementation Approaches

1. iptables-based (Linux standard)
2. WireGuard AllowedIPs restriction
3. Route table manipulation

Command Interface

# Enable kill switch for connection
mbvpn connect us-east-01 --kill-switch

# Configure kill switch settings
mbvpn killswitch enable
mbvpn killswitch disable
mbvpn killswitch status

# Whitelist specific IPs/domains
mbvpn killswitch whitelist add 8.8.8.8
mbvpn killswitch whitelist add api.malwarebytes.com

Configuration Options

# In ~/.config/mbvpn/config.yml
kill_switch:
  enabled: true
  mode: "strict"  # strict, balanced, permissive
  whitelist:
    - "8.8.8.8/32"          # DNS
    - "api.malwarebytes.com" # Backend API
    - "169.254.169.254/32"   # AWS metadata (if needed)

Security Considerations

• Prevent DNS leaks during connection transitions
• Handle IPv6 traffic appropriately
• Ensure local network access remains functional
• Graceful handling of system shutdown/restart

Implementation Details

• Require root/sudo for iptables modifications
• Store firewall rules for restoration
• Integrate with existing VPN lifecycle
• Add comprehensive logging for troubleshooting

Priority

🎯 Priority 1 (1-2 weeks)

Labels

• enhancement
• priority-1
• security
• networking
• privacy