Using Little Snitch to prevent internet access without VPN

There are a couple reasons why you would want to access the internet through a VPN: your work requires it, you regularly work from open Wifi networks, at hotels, coffee shops or libraries, and you want to prevent eavesdropping.

This article presents a simple technique that allows you to force internet access through a VPN when using unsafe networks. I will use Private Internet Access as an example, but this applies to any VPN connection, on any network.

TL;DR

• Modify rules in default profile to deny all connections.
• Create a "VPN" profile that allows all connections.
• Let "Automatic Profile Switching" do the rest.

Little Snitch

Little Snitch is a firewall that allows you to control connections from your computer to the internet. One of its greatest features, introduced in version 3, is "Automatic Profile Switching": the ability to automatically apply different rules depending on which network you're connected to.

We are going to use this feature to provide unrestricted access to the internet when connected to a VPN, and automatically cut off access as soon as we are disconnected (or before we are connected).

Step 1: Install Little Snitch

Go ahead and install Little Snitch.

Step 2: Stop the filter and switch to silent mode

Little Snitch has a tendency to be a bit verbose, and will pester you with questions as soon as any application attempts a connection, which can rapidly get annoying.

Fortunately, there is a "Silent Mode", which will automatically allow/deny any connection, and offer us some peace while we work on the configuration. So:

• Stop the network filter
• Set "Silent Mode" to "Deny"

Step 3: Delete all default rules

Little Snitch comes with a couple of default rules. They are mostly harmful, but if you are worried about your privacy, it can't hurt to be cautious. So let's start from an empty environment.

Open the "Rules" screen:

Delete or disable all the rules. You may get a few warnings, but just go ahead and do it anyway (you can always restore the factory defaults later).

I only keep 3 main rules:

• DNS
• Outgoing connections to local network
• Incoming connections (though it's safe to disable those as well)

When you are done, your rules should look like this:

Let's simplify the view a bit by hiding disabled rules:

Step 4: Create a new profile

First, we need to enable "Automatic Profile Switching":

Now, let's create our VPN profile:

Finally, we restart the network filter:

Turn Wifi on and off:

And now Little Snitch wants you to choose a profile. If this your home connection, you could choose the newly created VPN profile. If you are at an unsafe location, or if you simply prefer to have VPN activated at all times, select "Deactivate Active Profile":

Since the default rules do not explicitly allow any connection, and we have set "Silent Mode" to "Deny", we basically lost internet access:

That's what we wanted :) Let's now configure the VPN.

Step 5: Creating new rules

We succeeded in stopping access for all applications, but the truth is: the VPN itself needs access. So we need to create a few rules for that.

Try to start the connection:

At this time, the VPN won't be able to connect, but since we activated Silent Mode, the connection attempts will appear in Little Snitch and we can create new rules:

As soon as the rules are created, the VPN connection will succeed and you will be prompted with the familiar dialog. Choose "VPN & Safe Networks":

Finally, now that the association has been made between the VPN network and the VPN profile, we need to restore access to all applications. Go back to the rules window, and click "New". You will need to create 2 rules. One for all applications owned by you, and one for all system applications:

If all goes well, you now have full internet access:

Caveats

• I left access open for DNS. Depending on your VPN configuration and your needs, you may want to restrict that as well, and just allow access to the IP of your VPN server. It's up to you.

• The rules required to make your VPN work will of course depend on your VPN. It is usually pretty simple to figure out once you look at the connection attempts, but you may have to play with it a bit until you find the right set. You can double click any rule to adjust its parameters (expand it, restrict it).

• Some hotels/hotspots require that you accept their terms and conditions before getting access, in which case your VPN won't be able to connect. Because of this, I have a special rule to always allow access for Safari. I don't use it as a browser normally, but if the VPN fails and I'm on a free network, I just open it and try apple.com. If there is an authentication phase, I'll get redirected. Once I've accepted the terms and conditions, I'll get the full access and the VPN will be able to connect normally.

Conclusion

That's it! You're pretty much set :) Now, every time you connect to a new network, Little Snitch will ask you to choose a profile and you can either choose the safe one (for work and home), or deactivate the current profile and launch your VPN (for coffee shops, etc).

I hope this was helpful. Until next time, Cheers!

Design inspired by Now