Stop with the low effort comments and learn to read. You would do everybody, including yourself, a favor.

Just to be clear this is a killswitch, that’s what you want right? So that it’s only possible to connect through the VPN (tun0). And if the VPN goes down your internet gets “killed” so you don’t leak your IP.

In that case you want to start ufw when you system starts, so you would need to whitelist your VPN but if your VPN is already connected it should work without whitelisting the IP I guess but never tried it since that’s not recommended.

This is how I do it:

sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any

sudo ufw allow out to VPN_IP_ADDRESS proto udp

You have to do the last line for all your VPN server ips or the initial DNS request will not go through. If you connect through udp.

I agree, the described system seem unnecessarily complicated. Decsync exists exactly for that use case.

Here is the bug btw in case someone is interested: https://github.com/39aldo39/Radicale-DecSync/issues/33

I just realized this is not the exact setup I use. I use Radicale on the desktop but additionally Decsync. So I don’t need Radicale on my other devices, just a Decsync client.

With “mostly” in my case I was referring to the Radicale-Decsync plugin which works great but doesn’t seem to be actively maintained anymore. So there was an instance where Radicale changed something and the Decsync plugin didn’t work anymore. Was an easy fix but sadly that fix is still not available in the “official” Radicale-Decsync plugin which makes it hard for non technical users to use it, currently.

I am using this setup for years by now. Works great mostly.