networking – Using a pf firewall to secure an OpenVPN connection

I’m experimenting with OpenVPN on my Macbook and am attempting to limit my outward network traffic to just the tun interface created by OpenVPN. With the pf firewall disabled I’m able to connect to my server and access the internet just fine.

Upon checking the log of OpenVPN, I find out the interface ‘utun4’ is being used. Therefore, I attempted adding the following lines to the end of my ‘pf.conf’:

anchor ""
load anchor "" from "/etc/pf.anchors/"

Then to ‘’:

block out all
pass out on utun4 from any to any

I then use ‘pfctl ‘f /etc/pf.conf’ and ‘pfctl -e’ after my OpenVPN connection has already been established.

From my understanding, this should stop outward traffic on all other network interfaces apart from my ‘utun4’ one. What I find is however that I can’t access the internet, and only when adding pass out on en0 from any to any to my ‘’ can I regain the connection without having the firewall off.

This is counterproductive though, as if my VPN connection drops- everything still passes through ‘en0’, but the reason I am trying to configure pf in this way is so that I can limit the traffic to the ‘utun4’ interface so that my internet connection gets cut off when the VPN connection is lost.

When checking answers to posts like this it seems like it should be working. Is there anything else I should be checking that could be stopping me from getting my desired result?