Always-on / Killswitch: route all traffic over Tor
As an MVP goal for TorVPN, we want to route all traffic from the device over Tor. This means no leaks from traffic being sent in the clear.
The kill switch feature for TorVPN is critical for preventing unexpected traffic leaks when Tor is unreachable, especially because Tor circuits can be unreliable at times. When the Tor connection drops out, traffic from the device should not leak. The kill switch concept ensures that the network cannot be reached if the VPN process is disconnected or killed. Apps on the device should not be able to bypass the VPN when it's enabled, even when it is not connected yet or is temporarily disconnected.
"Killswitch" is what the VPN companies sometimes call the feature. Apple calls the settings feature that supports that functionality “On Demand”. I think Android calls it “Always On” (API v29, Android 10).
This would satisfy the User-facing Security Promise Statement from the threat modeling working group.
Initially, for the MVP, this could just block all traffic. Future improvements could include:
- optional app overrides, RFC1918 overrides (for advanced users who are aware of the risks, perhaps tied to network connection name)
- when VPN is disabled, it should warn users to close sensitive apps first
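
A reference model of the fail-closed decision described above, as an added example that is not TorVPN code. The state names, the `Policy` fields and the `decide` function are hypothetical, and the override rules are one assumed reading of the future improvements listed.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum

# RFC 1918 blocks listed explicitly: ipaddress's is_private would also match
# loopback, link-local and other ranges that are not RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class State(Enum):
    DISABLED = 0      # user turned the VPN off
    CONNECTING = 1    # enabled, Tor not connected yet
    CONNECTED = 2     # enabled, Tor usable
    DISCONNECTED = 3  # enabled, Tor dropped out or the VPN process was killed

class Verdict(Enum):
    TOR = "tor"
    BLOCK = "block"
    CLEAR = "clear"

@dataclass
class Policy:
    # Both sets are empty in the MVP, which gives the "block all traffic" behaviour.
    bypass_apps: set = field(default_factory=set)   # hypothetical per-app overrides
    lan_networks: set = field(default_factory=set)  # network names with RFC1918 override

def decide(state, app, dst, network_name, policy=None):
    """Return the verdict for one outbound packet (fail closed by default)."""
    policy = policy or Policy()
    if state is State.DISABLED:
        return Verdict.CLEAR              # kill switch only applies while enabled
    if app in policy.bypass_apps:
        return Verdict.CLEAR              # explicit, user-chosen exception
    addr = ipaddress.ip_address(dst)
    if network_name in policy.lan_networks and any(addr in n for n in RFC1918):
        return Verdict.CLEAR              # LAN override tied to this network name
    if state is State.CONNECTED:
        return Verdict.TOR
    return Verdict.BLOCK                  # connecting, dropped or killed: no leak
```

A model like this can serve as the expected-result table when testing the real kill switch on a device: every state other than `CONNECTED` must produce no cleartext packet unless an explicit override matches.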