macOS VPN kill switch

Making a Kill Switch for ProtonVPN on macOS with Little Snitch 4.0.3

(ProtonVPN’s macOS client is currently in closed beta.)

The ProtonVPN macOS app has an in-built kill switch. The approach described here is a robust and highly configurable alternative that works across all network interface connections.

This is a step-by-step guide to create a Mac kill switch with Little Snitch 4 while using ProtonVPN’s macOS client.

ProtonVPN’s native client works by configuring, then adding, an IKEv2 profile to the system network settings.

Step One: Install Little Snitch 4.0.3

Little Snitch 4 is a network monitoring and research tool by Objective Development featuring ‘automatic profile switching’. This feature makes an effective kill switch between network interfaces.

  1. Disconnect from ProtonVPN.
  2. Install Little Snitch.


Step Two: Set default operation mode to ‘deny all connections’

All services and apps will be blocked unless specifically whitelisted.

  1. Open the Little Snitch menu.
  2. Select ‘Silent Mode – Deny Connections’.
  3. Do not connect to ProtonVPN yet.

Step Three: Disable all default rules

It is easier to disable everything upfront, then individually allow each process.

  1. Open Little Snitch’s configuration tool.
  2. Highlight all rules (⌘ + A).
  3. Right-click and choose ‘Disable’.


Step Four: Enable required services/apps for ProtonVPN

Go through each rule and select the appropriate boxes for services and apps so ProtonVPN can successfully connect.

It’s probably a good idea to also allow access to/from our local network; however, this is optional.

The following should be enabled:

  • Any Process, allow incoming connections from local network (there are two, optional)
  • Any Process, allow outgoing connections to local network (there are two, optional)
  • mDNSResponder (this allows DNS/address lookups)
  • neagent (this is the actual IKEv2 VPN service)
  • ProtonVPN (this configures the VPN profile)

The screen grab also shows Tor Browser as obfs4proxy.

Why Tor Browser is a good idea

Step Four (extended): Finding the neagent process

If finding the neagent process is difficult, just follow these simple steps.

  1. Open ‘Show Network Monitor’ from the Little Snitch menu bar.
  2. Open ProtonVPN macOS client and connect to any location.
  3. The neagent process has now jumped to the top of the Network Monitor list. Simply select the tick, making the process green.
  4. Disconnect from ProtonVPN before proceeding.


Step Five: Create a ‘new profile’ on Little Snitch

The automatic profile switching on Little Snitch automatically allows all services and apps to access the internet once the VPN is safely connected.

  1. Enter a name for the profile.
  2. Change the operation mode to ‘Silent Mode — Allow Connections’.
  3. Click ‘Open Preferences’ then select ‘Enable automatic profile switching’.


Step Six: Marry the Little Snitch ProtonVPN profile to our VPN connection

Congratulations, Little Snitch is mostly configured! This is a good time to close the Little Snitch configuration and preferences screen.

Every time a new WiFi or VPN is connected/changed, Little Snitch will ask which profile to use.

To change previous selections, use (⌘ + Shift + K) from the Configuration screen.

  1. Connect to your preferred location on ProtonVPN’s client.
  2. Once connected, highlight ‘Activate “ProtonVPN”’ and select Choose.

Once disconnected, Little Snitch will ask whether we should change profiles.

This is the moment the kill switch takes effect, so we want to choose ‘Deactivate Active Profile’.


Step Seven: Good job! You’re awesome!


Advanced Options 😲😏🤓

Little Snitch is a powerful utility to reveal what services/apps are accessing a network connection in real time. It also allows us to block/approve connections in real time.

This gives us more control of installed software. For instance, if I didn’t want Little Snitch to check for software updates, I could either disable it from Preferences or just block the service, both shown here: