
Is there a way to set up an “always on” VPN on my device, such that it disallows any traffic to egress unless connected to the VPN?



On macOS/iOS you can configure the built-in VPN clients to use "on-demand" mode, which won't allow traffic before the VPN connection is established.

The only way to configure this, however, is to use the Apple Configurator tool and create a custom profile.

I run this for my OpenBSD IKEv2 servers which gives me automatic on-demand VPN on cellular and all non-known Wi-Fi networks (== not home).


Algo (another commenter mentioned it[1]) allows you to set this up to be the default for the VPN, very nice feature. I use it on my phone since I often connect to random wifi APs. More and more of the web is moving to HTTPS but a disturbing amount of unencrypted traffic abounds.

[1] https://news.ycombinator.com/item?id=19242119


Yep, Algo uses the same approach. It's generating device configuration profiles with the necessary settings. I'm generating mine in the same way but slightly different to allow toggling Ethernet and to support the OpenIKED ciphers etc.


> The only way to configure this, however, is to use the Apple Configurator tool and create a custom profile.

'Activate on demand' is just a checkbox in WireGuard app settings on iOS, so apparently it's only the built-in VPN types that need Apple Configurator. Since IPSEC/IKEv2 are overengineered and L2TP is outdated, you're better off using wg anyway.


Nord has a feature they call kill-switch that does this.


macOS and iOS call this "Connect on Demand." I'm not sure about other systems, but it should be possible.



