[Unit]
Description=VPN Killswitch - Permanent Network Protection
Documentation=https://github.com/yourusername/vpn-gateway
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

# This service MUST start before networking
After=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes

# Execute killswitch enable
ExecStart=/usr/local/bin/vpn-killswitch.sh enable

# On reload, restart the killswitch
ExecReload=/usr/local/bin/vpn-killswitch.sh restart

# On stop, we still keep killswitch active for security
ExecStop=/bin/echo "Killswitch remains active for security"

# Logging
StandardOutput=journal
StandardError=journal

# Security
User=root
Group=root

# We want this to always succeed
SuccessExitStatus=0 1

[Install]
# Critical: Start at earliest possible stage
WantedBy=sysinit.target
RequiredBy=network.target