Protection in case of VPN disconnect

DD-WRT Forum Index -> Advanced Networking
Author Message
JakeGreen
DD-WRT Novice


Joined: 27 Apr 2014
Posts: 1

PostPosted: Sun Apr 27, 2014 19:23    Post subject: Protection in case of VPN disconnect
Hi,

I'm using an ASUS RT-AC66U router configured for Private Internet Access (PIA) with the latest Kong build. Everything is working fine (albeit a bit slow compared to the Windows client), but I'd like to know if there is a way to configure the router to ONLY allow internet traffic through the VPN in the event of a VPN disconnect.

Currently, if the router loses connection to the PIA service (or doesn't connect at startup), my true IP address is exposed. And the only way to know this is by manually checking my IP address. The PIA Windows client has a "kill switch" feature that will cut all internet traffic if the connection to PIA is lost.

Can something like this be configured when connected to a VPN service through a dd-wrt configured router?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

PostPosted: Mon Apr 28, 2014 20:12    Post subject:
Disable NAT LAN->WAN.
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Tue Apr 29, 2014 12:34    Post subject:
Per Yngve Berg wrote:
Disable NAT LAN->WAN.


Hi,
I looked everywhere (well, obviously not in the right place), but where is this setting located in the DD-WRT menus? Also, what exactly will this do?

Thank you for your contributions!
dramos126
DD-WRT Novice


Joined: 17 Oct 2012
Posts: 12
Location: United States

PostPosted: Tue Sep 09, 2014 21:48    Post subject:
I was actually looking for this as well.

My current set up is
Modem >Linksys Home Router >Buffalo PPTP VPN Client(DDWRT)

I want to make sure whenever the VPN disconnects traffic is stopped and my IP is not left exposed.

If I understand correctly, which I probably am not (lol new at this), disabling NAT on my Buffalo router should keep me covered?
B3hdad
DD-WRT Novice


Joined: 24 Dec 2014
Posts: 42

PostPosted: Tue Dec 30, 2014 14:08    Post subject:
I wanted to do something similar...only on one router.
Please see this post as it might help:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=940712#940712

All I did was specify the IP of the devices that need to access the VPN in the policy-based routing under the VPN tab.

Then on the firewall I used the following rule to drop packets
if the VPN is not connected:

iptables -I FORWARD -s <ip-address> -o $(nvram get wan_iface) -j DROP

I think this is the kill switch isn't it?
jams775
DD-WRT Novice


Joined: 02 Jun 2013
Posts: 7

PostPosted: Fri Feb 13, 2015 16:54    Post subject:
B3hdad wrote:
I wanted to do something similar...only on one router.
Please see this post as it might help:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=940712#940712

All I did was specify the IP of the devices that need to access the VPN in the policy-based routing under the VPN tab.

Then on the firewall I used the following rule to drop packets
if the VPN is not connected:

iptables -I FORWARD -s <ip-address> -o $(nvram get wan_iface) -j DROP

I think this is the kill switch isn't it?


I'm trying to do the same thing and I'm wondering: what exactly do you put under the "Policy Based Routing" part of the VPN section? Do you just enter the IP or a command? And is the <ip-address> part the local LAN IP (like 192.168.1.1) or the WAN one? I'm completely new to this, so any extra help would be great.
B3hdad
DD-WRT Novice


Joined: 24 Dec 2014
Posts: 42

PostPosted: Fri Feb 13, 2015 22:46    Post subject:
Under the "Policy Based Routing" section you only specify the internal IP addresses and there is no need for a command. So for me I added the following couple of lines to say I want these devices to go through VPN:

192.168.1.1
192.168.1.2

You could also use a format like xxx.xxx.xxx.xxx/yy but it is probably easier for home users to specify the IPs individually.

As for <ip-address>, it refers to the internal IP address again. So for example, from the above two machines that go through VPN if I want to make sure that the first one doesn't connect to internet if VPN is unavailable I do:

iptables -I FORWARD -s 192.168.1.1 -o $(nvram get wan_iface) -j DROP

HTH.
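The per-client DROP rule from the two posts above, turned into a complete DD-WRT firewall script for several LAN clients at once. This is an added example, not code from the thread or from DD-WRT itself; it assumes the OpenVPN client interface is tun1, reads the WAN interface from the nvram variable wan_iface exactly as the posted rule does (falling back to eth0 only when run off the router), and the client IPs are a constructed sample. On the router it would be pasted into Administration -> Commands and saved with "Save Firewall" so it is re-applied whenever the firewall restarts.

```shell
#!/bin/sh
# Added example (not from the thread): VPN kill switch for selected LAN clients on DD-WRT.
# Assumptions: OpenVPN client interface tun1; WAN interface from nvram wan_iface;
# client IPs below are a constructed sample.

CHAIN="VPNKILL"                      # own chain: re-running the script never stacks duplicates
VPN_IF="${VPN_IF:-tun1}"             # assumption: DD-WRT OpenVPN client interface
VPN_CLIENTS="${VPN_CLIENTS:-192.168.1.10 192.168.1.11}"   # constructed sample clients
RUN="${RUN:-iptables}"               # RUN=echo prints the commands instead of applying them

# Prints the iptables arguments, one rule per line: create/flush the chain, let each
# listed client fall through to the normal FORWARD rules when it leaves via the VPN,
# drop it when it would leave via the WAN, and hook the chain first in FORWARD.
# Usage: build_rules <wan_if> <vpn_if> <ip> [<ip>...]
build_rules() {
  wan_if="$1"; vpn_if="$2"; shift 2
  echo "-N $CHAIN"
  echo "-F $CHAIN"
  for ip in "$@"; do
    # Packets already routed into the tunnel are fine: continue with the rest of FORWARD.
    echo "-A $CHAIN -s $ip -o $vpn_if -j RETURN"
    # Same client trying to leave on the WAN (tunnel down, or policy route gone): drop.
    echo "-A $CHAIN -s $ip -o $wan_if -j DROP"
  done
  # Remove any earlier hook, then insert ours at position 1 so nothing bypasses it.
  echo "-D FORWARD -j $CHAIN"
  echo "-I FORWARD 1 -j $CHAIN"
}

# Applies build_rules output with $RUN. '-N' and '-D' legitimately fail on a re-run
# (chain already exists / hook not present yet), so those two are not fatal.
apply_rules() {
  while read -r rule; do
    case "$rule" in
      -N*|-D*) $RUN $rule 2>/dev/null || true ;;
      *)       $RUN $rule || return 1 ;;
    esac
  done <<EOF
$(build_rules "$@")
EOF
}

wan_if="$(nvram get wan_iface 2>/dev/null || echo eth0)"   # eth0 fallback is for off-router runs only
if [ "${1:-}" = "apply" ]; then
  apply_rules "$wan_if" "$VPN_IF" $VPN_CLIENTS
fi
```

Run it as `sh killswitch.sh apply` on the router, or `RUN=echo sh killswitch.sh apply` anywhere to see the rules it would install. Two things worth knowing before relying on it: FORWARD rules only cover traffic the router forwards for the LAN clients, so anything the router itself sends over the WAN (for example DNS lookups that dnsmasq forwards upstream on a client's behalf) goes through the OUTPUT chain and is not stopped by these rules; and the single `iptables -I FORWARD ... -j DROP` line from the thread inserts a fresh copy every time the firewall script runs, which is why the example keeps its rules in a chain it flushes and re-hooks.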