Posted: Fri Dec 08, 2023 12:24 Post subject: [SOLVED] Questions about always on VPN client
Hi,
I'm using dd-wrt 54420.
If I set up a WireGuard VPN client, is checking the 'kill switch' enough to prevent any connections outside the VPN tunnel, or are some firewall rules needed?
What about OpenVPN? I haven't seen any kill switch option there.
(My goal is to prevent any device connected to the router from leaking my ISP IP; if the VPN is down, it should not fall back to my ISP connection.)
My old VPN provider on an old DD-WRT version said to add the following as a startup script:
# pin the VPN endpoint to the real WAN gateway so the tunnel itself can still reach it
route add -host WG_HOSTNAME gw DEF_GW dev DEF_IFACE
# move the default route onto the tunnel interface
route del default
route add default dev oet1
# NAT LAN traffic onto the tunnel
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
# reject new LAN->WAN connections that would bypass the tunnel (TCP gets a reset, the rest an ICMP error)
iptables -I FORWARD -i br0 -o DEF_IFACE -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o DEF_IFACE -m state --state NEW -j REJECT --reject-with tcp-reset
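The script above mixes routing and firewalling; as an added example (not from this thread and not DD-WRT's own code), here is the firewall half written as a reusable DD-WRT-style script. It rejects new LAN-to-WAN forwarding, and optionally also restricts the router's own WAN traffic to the tunnel handshake, which the FORWARD rules alone do not cover (dnsmasq's upstream DNS lookups leave via OUTPUT, not FORWARD). The interface names br0, vlan2, oet1, the DRY_RUN switch and the VPN_ENDPOINT placeholder are assumptions for illustration; check yours with `ip route` and `ip link`.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: firewall-script style
# kill switch that only lets LAN clients out through the VPN tunnel interface.
# Assumed interface names (check yours with `ip route` / `ip link`):
#   LAN bridge br0, WAN port vlan2, tunnel oet1 (WireGuard) or tun1 (OpenVPN).
# VPN_ENDPOINT is a placeholder; set it to your provider's host:port if you
# also want the router's own WAN traffic limited to the tunnel handshake.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
TUN_IF="${TUN_IF:-oet1}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_ENDPOINT="${VPN_ENDPOINT:-}"   # e.g. vpn.example.net:51820 (hostname or IPv4)

# Print rules instead of applying them unless this looks like a real DD-WRT box,
# so the rule set can be reviewed on a workstation first.
if command -v nvram >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
  DRY_RUN="${DRY_RUN:-0}"
else
  DRY_RUN=1
fi

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Forwarded (LAN client) traffic: NAT onto the tunnel, accept LAN->tunnel, and
# reject new LAN->WAN connections. The TCP rule answers with a reset and the
# generic one with an ICMP error, so clients fail fast instead of hanging
# when the tunnel is down. -I inserts at the top, ahead of DD-WRT's own rules.
forward_rules() {
  lan="$1"; wan="$2"; tun="$3"
  run iptables -t nat -I POSTROUTING -o "$tun" -j MASQUERADE
  run iptables -I FORWARD -i "$lan" -o "$tun" -j ACCEPT
  run iptables -I FORWARD -i "$lan" -o "$wan" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
  run iptables -I FORWARD -i "$lan" -p tcp -o "$wan" -m state --state NEW -j REJECT --reject-with tcp-reset
}

# The router's own traffic (dnsmasq upstream lookups, NTP, DDNS) is not covered
# by FORWARD; it leaves via OUTPUT. Allow only the tunnel handshake to the
# endpoint on the WAN and reject everything else that is new. The ACCEPT goes in
# first so iptables can still resolve the endpoint hostname while inserting it;
# the REJECT is then placed directly below it (position 2).
output_rules() {
  wan="$1"; proto="$2"; endpoint="$3"
  if [ -z "$endpoint" ]; then return 0; fi
  host="${endpoint%:*}"; port="${endpoint##*:}"
  run iptables -I OUTPUT -o "$wan" -p "$proto" -d "$host" --dport "$port" -j ACCEPT
  run iptables -I OUTPUT 2 -o "$wan" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
}

forward_rules "$LAN_IF" "$WAN_IF" "$TUN_IF"
output_rules "$WAN_IF" "$VPN_PROTO" "$VPN_ENDPOINT"
```

Two practical caveats: put this in the DD-WRT "Firewall" script rather than "Startup", because DD-WRT rebuilds its iptables rules on WAN events and a Startup script's rules would be wiped; and if you enable the OUTPUT rules with a hostname endpoint, the tunnel client itself must still be able to resolve that name, so either use the endpoint's IP address or also allow DNS to your upstream resolver on the WAN.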
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Fri Dec 08, 2023 13:15 Post subject: Re: Questions about always on VPN client
tpqnew wrote:
Hi,
If I set up a WireGuard VPN client, is checking the 'kill switch' enough to prevent any connections outside the VPN tunnel, or are some firewall rules needed?
Why not consult the manual, page 12?
tpqnew wrote:
What about OpenVPN? I haven't seen any kill switch option there.
Turns out my very old DD-WRT version does not have the kill switch option for OpenVPN.
Would the following firewall rule be enough as a kill switch alternative:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j REJECT
Sorry, just checked: get_wanface returns 'vlan' while nvram get wan_iface returns 'vlan2'.
If I check ip route, the default route is named vlan2.
Which one is correct?
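Whichever name you settle on for the WAN port, the state worth checking afterwards is which interface actually carries the default route, since that is where forwarded traffic goes when the tunnel drops. As an added example (not from the thread), here is a small leak check that parses `ip route show` output and reports the default-route device; the interface names oet1, vlan2 and br0 and the two sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a leak check for a DD-WRT VPN client.
# It parses `ip route show` output and reports which interface currently carries
# the default route, so a cron job or firewall script can confirm the state
# after the tunnel goes down. Assumed names: tunnel oet1, WAN vlan2, LAN br0.

# Print the device of the first default route in the given `ip route` text.
# The text is passed as an argument so the logic can be exercised offline.
default_iface() {
  printf '%s\n' "$1" | awk '$1 == "default" {
    for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
  }'
}

# Succeeds (exit 0) only if the default route is via the given tunnel interface;
# fails if it is via anything else or if there is no default route at all.
default_via_tunnel() {
  [ "$(default_iface "$1")" = "$2" ]
}

# Constructed sample outputs, what `ip route show` prints in the two states:
ROUTES_TUNNEL_UP='default dev oet1 scope link
10.8.0.0/24 dev oet1 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.1 via 203.0.113.254 dev vlan2'

ROUTES_TUNNEL_DOWN='default via 203.0.113.254 dev vlan2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Live use on the router: `sh leakcheck.sh check` inspects the real table and
# exits non-zero on a leak, which makes it usable from cron or a watchdog.
if [ "${1:-}" = "check" ]; then
  tun="${TUN_IF:-oet1}"
  table="$(ip route show)"
  if default_via_tunnel "$table" "$tun"; then
    echo "OK: default route via $tun"
  else
    echo "LEAK: default route via '$(default_iface "$table")'" >&2
    exit 1
  fi
fi
```

This only inspects the main routing table; if your VPN client uses policy-based routing, also check `ip rule` and the tunnel's own table, and remember that a correct default route still does not stop forwarding via the WAN once the tunnel interface disappears, which is what the FORWARD reject rules are for.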
Download https://ftp.dd-wrt.com/dd-wrtv2/downloads/betas/2023/12-07-2023-r54475/tplink_tl-wr1043nd/tl-wr1043nd-webflash.bin
Enable SSH (which enables SCP) and use WinSCP or a similar method to transfer the file to /tmp on your router, then issue 'write tl-wr1043nd-webflash.bin linux' (from the /tmp dir) and, after that finishes, issue 'reboot'. There is NO reason for the upgrade to fail, as reiterated more than once in the second thread. I have a v1.8 that is on the current release and have had zero issues upgrading DD-WRT. There is something more to this picture than you are sharing.
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
I've tried that multiple times; it says upgrade successful, but after the reboot it stays on the same old version.
I bricked my other TP-Link 1043 v2 a week ago... its last words were 'update successful'. I tried all the resets and TFTP methods I could find, but nothing worked.
So, maybe there is NO reason for the upgrade to fail... but it still does sometimes.
Until I get a newer router, this one will have to do, I guess.
Tangent reply regarding the upgrade issue continued in "Unable to upgrade tplink 1043 to a newer version" so as not to further litter this thread with off-topic discussion.