Posted: Fri Mar 20, 2015 18:07 Post subject: VPN Kill switch
Hello,
I'm using OpenVPN on an E4200 running the latest Kong firmware. I recently realized my VPN provider doesn't have a built-in kill switch. Is there anything I can do on the router side that can cut the internet connection if the OpenVPN connection goes down?
I find this to be a little "friendlier", and even more dependable.
Code:
if [ "$(nvram get wan_proto)" == "pppoe" ]; then
WAN_IF="$(nvram get pppoe_ifname)"
elif [ "$(nvram get wan_proto)" == "pptp" ]; then
WAN_IF="$(nvram get pptp_ifname)"
else
WAN_IF="$(nvram get wan_ifname)"
fi
I think I can follow what is going on, but can you explain a little more why this is better, and what it's doing?
_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
Wow, thank you all for the responses. So just to confirm, the above code will take my router offline or block internet access if my VPN ever goes down? Is that correct?
So do I have to alter anything in the above code? Replace certain text with my specific info?
Also, sorry for the noob questions. Where do I copy and paste this?
As I thought about it a little more, even this could be improved. As currently constructed, it would also block remote access users (i.e., port forwards). And that's because even their replies would be blocked! So in order to accommodate them, you could qualify the rules w/ state information.
Code:
# Pick the interface the WAN traffic actually leaves on: for PPPoE/PPTP that
# is the ppp tunnel interface, otherwise the physical WAN port.
if [ "$(nvram get wan_proto)" = "pppoe" ]; then
  WAN_IF="$(nvram get pppoe_ifname)"
elif [ "$(nvram get wan_proto)" = "pptp" ]; then
  WAN_IF="$(nvram get pptp_ifname)"
else
  WAN_IF="$(nvram get wan_ifname)"
fi
# Reject only NEW forwarded connections heading out the WAN. Replies to
# inbound (port-forwarded) connections are ESTABLISHED and still pass.
iptables -I FORWARD -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# Inserted second so it ends up first: TCP clients get a RST instead of an ICMP error.
iptables -I FORWARD -o "$WAN_IF" -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
So now the only thing being blocked is anyone trying to INITIATE an outbound connection over the WAN. Any new or existing inbound connections by remote users remain unaffected since their replies will NOT be in the NEW state, but ESTABLISHED state.
You could still have issues w/ routing to the targets of those port forwards if they were being routed over the VPN by default rather than the WAN, but that’s a different issue/problem altogether.
Obviously this isn’t an issue if you don't have port forwarding enabled. But it's probably a better approach in the long run in case some time in the future you do (or otherwise you may be puzzled why it's not working).
This is very useful. Thanks!
Hi eibgrad, can I hijack this thread a little bit, as I think it is relevant and could be helpful to other users as well? If I assign LAN ports 3 and 4 to a different VLAN (let's say vlan3), and have this bind to a new and different bridge, br1, with its own DHCP of 192.168.2.1/255.255.255.0, what kind of script would I need to isolate these bridges (default is br0 with vlan2, 192.168.1.1/255.255.255.0) from cross-talking, and with only one of the two bridges going through the OpenVPN tunnel? Or everything goes through the tunnel except br1?
Posted: Wed May 20, 2015 8:35 Post subject: Hello eibgrad
Hello eibgrad
This is just what I was looking for. However, I just wanted to know if I could use your code in my DD-WRT router, which acts as a 2nd router in my home? My first router is a D-Link router with standard software.
I hope you understand my question, and again thanks for taking your time to help us
if [ "$(nvram get wan_proto)" == "pppoe" ]; then
WAN_IF="$(nvram get pppoe_ifname)"
elif [ "$(nvram get wan_proto)" == "pptp" ]; then
WAN_IF="$(nvram get pptp_ifname)"
else
WAN_IF="$(nvram get wan_ifname)"
fi
iptables -I FORWARD -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -o $WAN_IF -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
Just to be clear, I would paste this code into the GUI at Administration > Commands > Command Shell
Then I would click "save firewall"
Is that right?
In order for this to work correctly, I believe these lines need to be the last line appended to the existing iptables rules. Correct?
For OpenVPN Client setups with KongAC builds 26160 (or greater) I haven't used the script. Whenever my OpenVPN Client is disconnected I have no Internet connection.
For testing, make a change to your OpenVPN Client so you don't connect to the server, and you shouldn't have any Internet connection.
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
I'll test this as soon as I get back tonight. Thanks!
Yes, that's what I'm seeing too. Thanks for pointing that out. The kill switch seems to be built in.
BTW, does anyone know what this nvram variable does?
Posted: Fri Nov 27, 2015 19:52 Post subject: Policy based routing
I found this thread useful and I'm posting a few things I had to figure out to get the kill switch in a DD-WRT based router to work correctly with policy based routing. I'm using a kongac build greater than 26160 and the kill switch is not automatic, at least with policy based routing in place.
For those not familiar with policy based routing, it allows some IPs to use the VPN and others not to use the VPN. This can be useful if you have a web server or VoIP phone that you don't want to use the VPN. I add the following commands to the policy based routing section of the OpenVPN client setup.
192.168.1.64/26
192.168.1.128/26
192.168.1.192/26
This puts anything with an IP greater than 64 on the VPN and anything with an IP less than 64 on the local internet connection. The DHCP server gives out IPs greater than 64, and static IPs are assigned to the devices that won't be on the VPN.
One thing I found is that iptables had to be fully pathed to work correctly in the start-up (Administration -> Commands -> Startup). I added the following to put a 'kill switch' on anything using the VPN. If the VPN dies, the devices can't connect to the internet, but devices like the VoIP phone will still work.
/usr/sbin/iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP
/usr/sbin/iptables -I FORWARD -s 192.168.1.128/26 -o $(nvram get wan_iface) -j DROP
/usr/sbin/iptables -I FORWARD -s 192.168.1.192/26 -o $(nvram get wan_iface) -j DROP
I found the iptables commands would work from the command line but not the start-up if the full path to the iptables was not used.
You can check if the policy is in place by doing a iptables -L from the command line and look for the following
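As an added example (not linuxloon's or eibgrad's code), here is one script that combines both approaches in this thread: eibgrad's stateful REJECT rules on the detected WAN interface, restricted to linuxloon's policy-routed subnets when VPN_SUBNETS is set, and inserted only once even if the firewall script is re-run. The VPN_SUBNETS variable, the helper names and the reliance on iptables -C (which very old builds may lack) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Set VPN_SUBNETS to the
# policy-routed subnets (space separated) to protect only those, or leave
# it empty to protect all forwarded traffic. Assumes iptables supports -C.

# WAN interface detection as in the thread (ppp interface for PPPoE/PPTP).
wan_if() {
    case "$(nvram get wan_proto)" in
        pppoe) nvram get pppoe_ifname ;;
        pptp)  nvram get pptp_ifname ;;
        *)     nvram get wan_ifname ;;
    esac
}

# Insert a FORWARD rule unless an identical one is already there, so
# re-running the firewall script does not stack duplicate rules.
add_rule() {
    if iptables -C FORWARD "$@" 2>/dev/null; then
        echo "present: $*"
    else
        iptables -I FORWARD "$@" && echo "added: $*"
    fi
}

# Generic rule first, TCP rule second: with -I the TCP rule ends up on top,
# so TCP clients get a RST instead of an ICMP error. ESTABLISHED traffic
# (replies to port forwards) never matches, only NEW outbound connections.
block_new_to_wan() {
    add_rule "$@" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
    add_rule "$@" -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
}

apply_killswitch() {
    wan="$(wan_if)"
    [ -n "$wan" ] || { echo "no WAN interface found" >&2; return 1; }
    if [ -n "${VPN_SUBNETS:-}" ]; then
        # Policy-based routing: only the VPN-bound subnets lose WAN access.
        for net in $VPN_SUBNETS; do
            block_new_to_wan -s "$net" -o "$wan"
        done
    else
        block_new_to_wan -o "$wan"
    fi
}

# Apply automatically only on the router itself (where nvram exists).
if command -v nvram >/dev/null 2>&1; then
    apply_killswitch
fi
```

Pasted under Administration > Commands and saved as the firewall script, it runs after the stock rules; the router's own OpenVPN process is unaffected because only the FORWARD chain is touched.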
Posted: Fri Jan 15, 2016 16:05 Post subject: Re: Policy based routing
linuxloon wrote:
One thing I found is that iptables had to be fully pathed to work correctly in the start-up (Administration -> Commands -> Startup). I added the following to put a 'kill switch' on anything using the VPN. If the VPN dies, the devices can't connect to the internet, but devices like the VoIP phone will still work.
/usr/sbin/iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP
/usr/sbin/iptables -I FORWARD -s 192.168.1.128/26 -o $(nvram get wan_iface) -j DROP
/usr/sbin/iptables -I FORWARD -s 192.168.1.192/26 -o $(nvram get wan_iface) -j DROP
I found the iptables commands would work from the command line but not the start-up if the full path to the iptables was not used.
You can check if the policy is in place by doing a iptables -L from the command line and look for the following
DROP 0 -- 192.168.1.192/26 anywhere
DROP 0 -- 192.168.1.128/26 anywhere
DROP 0 -- 192.168.1.64/26 anywhere
Now all I need to do is find a way to reliably restart the VPN from cron. I'm finding the VPN dies after a few days.
I'm unclear here. I'm using the Nighthawk R7000 with the latest DD-WRT (Kong) 28600.
You added the below to the startup, and I was instructed to add them to the firewall. Is adding the commands to the startup better, or preferred, and why?
Code:
/usr/sbin/iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP
/usr/sbin/iptables -I FORWARD -s 192.168.1.128/26 -o $(nvram get wan_iface) -j DROP
/usr/sbin/iptables -I FORWARD -s 192.168.1.192/26 -o $(nvram get wan_iface) -j DROP
Running iptables -L does show the below.
Code:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
DROP 0 -- 192.168.1.5 anywhere
DROP 0 -- 192.168.1.4 anywhere
DROP 0 -- 192.168.1.3 anywhere
DROP 0 -- 192.168.1.2 anywhere