If you have used a VPN for any amount of time, you know that there is a window between connecting to a Wi-Fi network and connecting to the VPN. During this window, your computer sends traffic over the Wi-Fi network, where attackers or other malicious users may be able to man-in-the-middle it. This is worrisome because it is up to app developers to validate their TLS connections, and a review of dozens of iOS apps shows that developers fail to validate certificates. While that research was done on iOS apps, there is no reason to believe the same problem doesn't exist on macOS. Modern OSes have also become very chatty: upgrading Twitter in the background, sending analytics data, and doing other unnecessary things.
A while back Tom Robinson posted the following on Twitter:
Is there a Mac / iOS VPN client as good as Cloak but works with a standard VPN server?— tom robinson (@tlrobinson) December 6, 2016
to which I responded:
ProXPN does provide a means of preventing applications from talking over the network in case the VPN disconnects. However, some applications have daemon processes that run but aren't necessarily associated with the same application name. I don't think this is a complete solution.
Tiny Hardware Firewall is an awesome little tool that connects to an access-point, then creates a VPN connection and proceeds to send data over the VPN. The problem? You have to use their VPN and have yet another thing to carry around.
After exploring these options, I started looking around for a better solution. Then I found out that Little Snitch offers Automatic Profile Switching.
From their blog post:
When you join a Wi-Fi network, plug in an Ethernet cable, or connect to a VPN, it basically does what it says on the box: it automatically switches to a certain profile.
A profile called Effective in all profiles exists. It contains default rules that the creators of Little Snitch thought necessary for smooth operation of the operating system. I recommend leaving it there!
or if you want to disable some of the times
In my case, I had to whitelist my applications as they came up. This list is going to be specific to your setup, so don't worry about copying it.
But most importantly, you have to create an environment where nothing can leave your machine except the bare minimum needed to establish a VPN connection. For me that looks like:
From there, every time you connect to a new network, you will be asked to select a profile for that network.
Alternatively, you can default to
Assume the following: the first time you connect to Starbucks Wifi, you select the locked-down profile described above; then you connect to your VPN of choice and select the trusted profile. Now, if for some reason Starbucks WiFi kicks you off-line and causes the VPN to disconnect, then upon reconnecting to Starbucks Wifi none of your traffic will leave your computer. Pritunl attempts to reconnect after a connection failure, which causes Little Snitch to automatically switch profiles to trusted, thus allowing traffic to egress.
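The same "nothing leaves except what is needed to bring up the VPN" policy can be expressed with macOS's built-in pf packet filter rather than a Little Snitch profile. The script below is an added example written for this page, not code from the original post, Little Snitch, or Pritunl; the VPN endpoint 203.0.113.10, port 1194, and the interface names en0/utun0 are constructed placeholders. It generates a ruleset that drops everything by default, permits only DHCP and the VPN handshake on the physical interface, and lets all application traffic out over the tunnel interface. The VPN endpoint is given as an IP address on purpose: allowing DNS on the untrusted interface would open exactly the kind of pre-tunnel egress the post is trying to close.

```shell
#!/bin/sh
# Added example (not from the original post): a pf-based kill switch for macOS.
# All addresses, ports and interface names are constructed placeholders.

# gen_killswitch_rules VPN_SERVER VPN_PORT VPN_PROTO WIFI_IF TUN_IF
# Prints a pf ruleset implementing: default deny, DHCP + VPN handshake only on
# the physical interface, everything permitted on the tunnel interface.
gen_killswitch_rules() {
    vpn_server="$1"; vpn_port="$2"; vpn_proto="$3"; wifi_if="$4"; tun_if="$5"
    cat <<EOF
# pf kill switch (generated)
set block-policy drop
set skip on lo0

# Default deny in both directions: nothing egresses until the tunnel is up.
block drop all

# DHCP so the machine can obtain an address on the untrusted network.
# Replies may arrive as broadcast, so allow them explicitly rather than
# relying on state.
pass out quick on ${wifi_if} proto udp from any port 68 to any port 67
pass in quick on ${wifi_if} proto udp from any port 67 to any port 68

# The only application-layer flow allowed on the physical interface:
# the VPN handshake to a fixed endpoint (an IP, so no DNS leak is needed).
pass out quick on ${wifi_if} proto ${vpn_proto} from any to ${vpn_server} port ${vpn_port} keep state

# Once the tunnel is up, all application traffic goes through it.
pass out quick on ${tun_if} all keep state
EOF
}

# count_physical_pass_rules VPN_SERVER VPN_PORT VPN_PROTO WIFI_IF TUN_IF
# Sanity check: the ruleset must permit exactly two outbound flows on the
# physical interface (DHCP request and VPN handshake), nothing else.
count_physical_pass_rules() {
    gen_killswitch_rules "$@" | grep -c "^pass out quick on $4 "
}

# Usage (requires root; -f loads the ruleset, -e enables pf):
#   gen_killswitch_rules 203.0.113.10 1194 udp en0 utun0 > /tmp/killswitch.conf
#   sudo pfctl -f /tmp/killswitch.conf -e
# Disable again with:
#   sudo pfctl -d
```

Loading this ruleset replaces the active pf configuration, so test it on a machine you can reach locally. Unlike the Little Snitch approach, this blocks at the packet level for every process, including daemons that do not share the name of the application that spawned them, which was the gap noted above with ProXPN's application-based blocking.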