VPN Gateway With Dead Man Switch

VPN Gateway Server with Dead Man Switch


Keep machines on your network safe by sending all outgoing internet traffic through an encrypted AirVPN tunnel. A dead man switch ensures that traffic can never go out over your unencrypted internet connection.

  • A VPN gateway that any client on your network can use.
  • Stop prying eyes seeing your internet activity.
  • Protect yourself on public networks.
  • Protect your net neutrality.

This guide is aimed at Raspberry Pis, but will work for any Debian based OS, e.g. Ubuntu 18.04 server, so just use what suits you. I’ve chosen a Raspberry Pi as it makes for a great low power client.

Technical Jargon


VPN stands for virtual private network. A VPN secures your computer’s internet connection by ensuring all of the data being sent and received is encrypted and secure from prying eyes.

Click here for a full detailed description of VPN.


Domain Name System (DNS) translates easily rememberable names such as into addresses that a machine understands.

Click here for a full detailed description of DNS.

DNS Server

A DNS server is like a telephone directory: you ask for the address of a computer and it tells you what the address is.

Click here for a full detailed description of DNS server.

DNS Leak

DNS leaking is when your requests are being sent to DNS servers that are not your designated ones (usually your VPN server). This means that while no one can read your encrypted traffic, they can see which addresses you are requesting. To stay as safe online as possible, making sure your DNS does not leak is critical.

Click here for a full detailed description of DNS leak.

VPN Gateway

A computer that routes internet traffic from other computers via its VPN connection.


IPTables is a utility program that allows admins to define rules on how to treat packets of data.

Click here for a full detailed description of IPTables.


This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you have a VPN client installed and configured on your device.

This guide assumes you have set a static IP for your device.

This guide assumes your network connection is called eth0.

Install Software

We only need to install two extra pieces of software (iptables-persistent & dnsmasq) to get the VPN Gateway working.

Type the following into the command line:

sudo apt install iptables-persistent dnsmasq -y

Select “<yes>” for both IPv4 and IPv6 rules and allow it to complete the installation.

Enable Forwarding

The Raspberry Pi is going to be set up to forward incoming requests from other clients to its VPN connection. By default this is not enabled, so we’re going to configure it now.

First ssh into your Raspberry Pi with a sudo enabled user.

Now we need to enable forwarding in the sysctl.conf file by removing the # at the start of line 28 “#net.ipv4.ip_forward=1”:

sudo nano /etc/sysctl.conf

Delete the “#” in front of “net.ipv4.ip_forward=1”, then press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Load the new setting so forwarding is enabled:

sudo sysctl -p

Update IPTables

In order to forward the incoming traffic correctly we need to make some changes to the IPTables on our Raspberry Pi. These updates will create a dead man switch so traffic from any client using our VPN Gateway can only exit it via its VPN connection. This means that if the VPN connection is lost, the clients will lose their internet.

Make sure to update the network interface name to match the one being used on the device. My network interface is called “eth0” for this example. If you were using a Raspberry Pi Zero W and using the WiFi connection, the interface name is wlan0. Use the command “ip -c a” to show all network interface information and confirm the name, as described in the guide set a static IP.

Paste the following into the command line to update the IPTables:

sudo iptables --flush
sudo iptables --delete-chain
sudo iptables -t nat -F
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -P FORWARD DROP

The change we’ve made is only temporary. To make it permanent type:

sudo netfilter-persistent save

To ensure these rules are applied every time the device turns on type:

sudo systemctl enable netfilter-persistent
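
The dead man switch rests on two properties of the FORWARD chain: the policy is DROP, and every ACCEPT rule has a tun interface on one side. The script below is an added example, not part of the original guide; it checks those properties against iptables -S output. The function name audit_forward and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the dead man switch invariants.
# Reads rules on stdin, prints one LEAK line per finding, and returns non-zero
# if LAN traffic could be forwarded without passing through a tun interface.
audit_forward() {
    awk '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; target = ""; negated = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "!")  negated = 1
            }
            # Every accepted forward path must involve the tunnel on one side.
            # Negated matches are not interpreted, so they are flagged for review.
            if (target == "ACCEPT" && (negated || (in_if !~ /^tun/ && out_if !~ /^tun/))) {
                print "LEAK: " $0
                bad++
            }
        }
        END {
            if (policy != "DROP") {
                print "LEAK: FORWARD policy is " (policy == "" ? "missing" : policy)
                bad++
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: the FORWARD part of the rule set from this guide.
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT'

# Constructed sample: policy left at ACCEPT plus a rule that bypasses the tunnel.
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT'

printf '%s\n' "$SAMPLE_OK"  | audit_forward && echo "sample 1: kill switch intact"
printf '%s\n' "$SAMPLE_BAD" | audit_forward || echo "sample 2: kill switch broken"
```

On the gateway, pipe the live rules into the function with sudo iptables -S | audit_forward, for instance after a reboot to confirm the saved rules were restored.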

Now that we’ve enabled forwarding, we need to make an edit to the and files in /etc/openvpn to ensure client traffic is routed correctly.

Navigate to the OpenVPN directory:

cd /etc/openvpn


sudo nano

At the bottom of the file add:


Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now update

sudo nano

At the bottom of the file add:


Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Finally, reboot your Raspberry Pi to ensure the changes have been loaded.

Client Configuration

Now that the VPN Gateway is set up, we need to configure a client to use it and do some final checks that everything is working as expected!

It’s as easy as changing two options to point at your VPN Gateway:

  • Default gateway
  • DNS server

Depending what operating system your client is using there are a number of different ways of achieving this. I’ll try to briefly outline the most common ones. I would recommend setting a static IP address for the clients and the below examples will assume that.

Raspberry Pi

The easiest option is to follow the static IP guide and use the VPN Gateway IP address for the static routes and static domain_name_servers.

Linux – Debian Based

If you are running a Debian based Linux distro, open the command line (or ssh into the client) and we’re going to update the static IP options to make sure it’s using our VPN Gateway.

sudo nano /etc/network/interfaces

Find the line “iface eth0 inet static” and just below that look for:

  • gateway
  • dns-nameservers

Now update both of them to be the VPN Gateway IP address.

Once updated, save and exit. To be sure the change has stuck, reboot the client.

Windows 10

Go to the search tool on the task bar and type “Network Settings” to open the network settings panel.

Once open find and click “Change Adaptor Options” to show all of your network adaptors. Locate the one you use to connect to the internet, right click it and select properties.

In the properties window double click “Internet Protocol Version 4 (TCP/IPv4)” to set a static IP address.

Fill in the boxes with the appropriate configuration, My VPN Gateway has an IP address of

Click OK to close the panels and Windows will take care of updating your settings.

Final Checks

Now that we have updated our client to use the VPN Gateway for all of its internet traffic, we need to run some checks and make sure everything is working as expected.

There are 3 checks we’ll be carrying out:

  • Can it see the outside world?
  • Does it have the correct external IP?
  • Is the DNS leaking?

We’ll run through two methods of checking these: one for a command line only client, and one for a client with a full desktop.

Command line

If, like me, your client is a headless server and you only have a command line, make these checks as follows. In the command line type:

ping -c 4

You should see replies from Google.

To check if you have the correct external IP type:

wget -qO-

The IP address shown should be the same as the VPN Gateway shows when you run the same command there.

Finally to check if the DNS is leaking we’ll use the same script we did when setting up the VPN Gateway.

There is a command line tool that will check if our DNS is leaking. For more information on the script we’re going to use, see the author’s GitHub page.

First make sure all dependencies are installed:

sudo apt install curl jq -y

We’re going to download it to the opt folder:

cd /opt

Download using:

sudo wget

Let’s make it executable:

sudo chmod +x

To run the script from /opt use:


Or outside this folder use:


If everything is successful you should see something like the image below:

From a Web Browser

If you have a web browser on your client the checks are very quick and easy.

To see if you have access to the outside world let’s open up the browser and try navigating to your favourite site. e.g.

If you can see the site, great news! You’re connected to the internet.

Now let’s have a look at our IP address, go to and you’ll be shown your current external IP address. This should be the same one you see on your VPN Gateway.

To see if our DNS is leaking, let’s go to and click “Standard Test”. Let it run and it should return the same DNS servers that your VPN Gateway returned when running the command line tool.

Check the Dead Man Switch

The final and possibly most important check is the dead man switch. Will the internet connection be terminated when the VPN connection drops?

This is easy to test. SSH into your VPN Gateway and stop the VPN client by typing:

sudo systemctl stop openvpn

Now back on your client machine try to access the internet. You shouldn’t be able to get any internet connection at all. If this is the case, hop back into the VPN Gateway and start the VPN client by typing:

sudo systemctl start openvpn


Congratulations! Assuming all of the checks passed with flying colours you have successfully created a VPN Gateway and are providing secure connection to the world to any clients that use it.

So what do we actually have in this setup?

  • A VPN Client that is not leaking its IP address or DNS.
  • A VPN Client that still has access to the internet when the VPN connection drops so regular maintenance and updates are simple.
  • A VPN Gateway with a dead man switch so no client traffic can accidentally go out via the regular internet connection.

Raspberry Pi – Install Lidarr


  • Install Lidarr.
  • Automatically manage your music.
  • Find new and missing albums.

Lidarr automates the finding, downloading, naming and organisation of Music libraries. It is designed to work in conjunction with a torrent client and media server, for example qBittorrent to download files and distribution software of your choice, e.g. Plex Media Server, to distribute the music to clients.

If you haven’t already, check out the guide to set up a secure torrent client before continuing with the install of Lidarr.

I do not in any way, shape or form condone or support the downloading of illegal or copyrighted material.

I use Lidarr to organise all of my legally purchased music, its tags, names etc and track which albums I’m missing. The Calendar view is great for seeing release dates of new albums from my favourite artists.

Technical Jargon


SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.


This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you either have a folder on the Raspberry Pi for your Music, or have set up a connection to your network share that contains all of your current Music.

If it is legal to download copyrighted music where you are and you wish to use Lidarr’s ability to tap into torrent RSS feeds, it’s assumed you have set up a secure torrent client.

Install Lidarr

Before we start we’re going to ensure the Raspberry Pi is up to date. Run the following commands to grab and install the latest packages:

sudo apt-get update

sudo apt-get upgrade -y

We want Lidarr to sit in the /opt directory so let’s cd into it:

cd /opt

Now let’s grab the latest Lidarr.tar.gz file. For me that is version, check to find out which is the latest for you:

sudo wget

Once it’s downloaded extract the package:

sudo tar -xzvf Lidarr.develop.

Create a Service

It is recommended to run Lidarr as its own user for security purposes. We’re going to use qbtuser to own the Lidarr install and run the service. This is to tie in with the user setup in the secure torrent client guide. Feel free to use any user you like. E.g. pi:

sudo chown -R qbtuser:qbtuser /opt/Lidarr

sudo chmod -R a=,a+X,u+rw,g+r /opt/Lidarr

We’re going to create a file under /etc/systemd/system that will tell the Raspberry Pi how to handle Lidarr and ensure it runs as a service:

sudo nano /etc/systemd/system/lidarr.service

Now that we’ve created the file, paste the following into it:

[Unit]
Description=Lidarr Daemon

[Service]
User=qbtuser
ExecStart=/usr/bin/mono /opt/Lidarr/Lidarr.exe -nobrowser

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Start the Lidarr Service

If everything has gone to plan we can start the service.

Start the service for the first time with:

sudo systemctl start lidarr

Check it all Works

Now we’ve finished installing Lidarr and the service is running, let’s check it all works by going to http:/