Vpn client question

mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Mon Nov 06, 2017 15:28    Post subject: Vpn client question
Hello, I wish to use a dd-wrt router as a VPN client device (not as my main router). I found instructions for how to set it up as an OpenVPN client; however, I'm wondering if there are any options anywhere to allow the computers behind the VPN client to reach the internet ONLY if the VPN is connected. In other words, if the VPN connection drops, is it possible to deny internet access to those computers connected to the dd-wrt?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Mon Nov 06, 2017 16:57
Yes, that is called a kill switch.
You specify that it is not your main router, but as you do not specify your network topology and/or whether you are using Policy Based Routing, you might need another kill switch; the basic kill switch, which you can add to the firewall (Administration/Commands, Save Firewall), is:

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT


This basically blocks everything from going out of the WAN interface.

You can check it by disabling the VPN client (no worries, your settings are preserved).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
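A dry-run-capable version of the kill switch above, added here as an example (my own code, not egc's script and not DD-WRT project code): the same REJECT rule, with the WAN interface read from the `dev` field of the default route rather than the last field, a listing mode so you can see the rule before it is applied, and a check that the rule really sits in the FORWARD chain. It assumes the LAN bridge is br0 and that the iptables binary is on the router's PATH; the `ip route` sample inside is constructed.

```shell
#!/bin/sh
# Added example, not egc's script and not DD-WRT project code: the basic kill switch
# wrapped so it can be listed, applied and verified. Assumptions: LAN clients sit on
# bridge br0, and $IPT is the iptables binary (set IPT=echo for a dry run).
IPT="${IPT:-iptables}"

# Read the device of the default route from `ip route` output on stdin. Taking the
# field after "dev" (instead of the last field) keeps this correct when the line
# carries extra fields such as "metric 100" or "src 192.168.200.5".
default_dev() {
    awk '/^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

wan_if() {
    ip route 2>/dev/null | default_dev
}

# Constructed sample of what `ip route` prints on a client router whose WAN port
# (assumed eth0) sits on the 192.168.200.0/24 edge-router LAN from the thread.
sample_ip_route() {
    printf '%s\n' \
        'default via 192.168.200.1 dev eth0 metric 100 src 192.168.200.5' \
        '192.168.200.0/24 dev eth0 proto kernel scope link src 192.168.200.5'
}

# One rule per line. Forwarded traffic from the LAN bridge may not leave through the
# WAN interface at all: with the tunnel down, clients reach neither the Internet nor
# the upstream (edge-router) LAN. The tunnel itself is built by the router (OUTPUT
# chain, not FORWARD), so OpenVPN can still reconnect with this rule in place.
killswitch_rules() {
    lan="$1"; wan="$2"
    printf '%s\n' "-I FORWARD -i $lan -o $wan -j REJECT"
}

# Apply every rule through $IPT. Word splitting of $rule is intentional.
apply_killswitch() {
    killswitch_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# Exit 0 when the REJECT rule is in place. Uses `-L -n -v` (target is column 3,
# in/out interfaces are columns 6 and 7) because `-C` is missing from older builds.
killswitch_active() {
    $IPT -L FORWARD -n -v 2>/dev/null |
        awk -v lan="$1" -v wan="$2" '$3 == "REJECT" && $6 == lan && $7 == wan { f = 1 } END { exit !f }'
}

# Pasted into Administration -> Commands -> Save Firewall, the lines below run at every
# firewall (re)start. Nothing is applied when iptables is not available.
LAN_IF=br0
WAN_IF="$(wan_if)"
echo "sample table resolves WAN interface to: $(sample_ip_route | default_dev)"   # eth0
if [ -n "$WAN_IF" ] && command -v "$IPT" >/dev/null 2>&1; then
    apply_killswitch "$LAN_IF" "$WAN_IF" || echo "could not apply kill switch" >&2
    killswitch_active "$LAN_IF" "$WAN_IF" && echo "kill switch active on $LAN_IF -> $WAN_IF"
fi
```

Run it once with `IPT=echo` from the router's shell to see the exact rule it would insert, then paste it into the firewall script box. Because the rule only matches forwarded packets leaving the WAN interface, blocking is immediate when the tunnel drops and needs no watchdog: there is simply no other path out for the LAN.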
mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Mon Nov 06, 2017 17:03
Sorry about that, here are the topologies:
VPN server topology: Comcast cable modem/router combo with a DD-WRT device connected, running as VPN server. Will need to figure out what ports to map.

VPN client topology: EdgeRouter X with a DD-WRT device connected, running as VPN client. Not sure if port forwarding is required here since it is just a client.

I will have a couple of PCs connected to the VPN client DD-WRT, and I wish them to have access to nothing on the edge router side whether the VPN is up or down. I figure if the DD-WRT is connected to the VPN then all traffic should go through the VPN and not reach the edge router and the devices there, and if the VPN goes down for any reason then those devices should have access to nothing. I am fine if they remain offline until I can manually bring the link back up.

Also, I'm pretty new to DD-WRT; where do I paste in that code, and do I paste it in as 2 lines or 1 long line?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Mon Nov 06, 2017 17:16
I assume it is the WAN port of the DDWRT router that you have linked to the edge router, so this kill switch should be good.

Just copy and paste it (two lines) into the window on the Administration/Commands page and then click Save Firewall.
See the article by @sploit (he uses a slightly different kill switch which also works if your subnet is 192.168.x.x):

https://sploitworks.com/bbs/showthread.php?tid=24

mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Mon Nov 06, 2017 17:37
Ok, I will connect WAN port of DD-wrt to edge router.
mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Mon Nov 06, 2017 22:54
Hmm, your code worked on my VPN client router; however, I can't seem to get the client router to connect to the OpenVPN server router.

Topology is this for the server:
Linksys router with 192.168.1.0 IP scheme, with the dd-wrt server router connected to the Linksys router. Linksys has IP 192.168.1.1 and dd-wrt has 192.168.1.2; however, I have one of the regular ports connected to the Linksys.

I configured the OpenVPN server using this: https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-dd-wrt-and-viscosity/#top

and then on the Linksys I port forwarded 1194 to 192.168.1.2; however, I'm wondering if the WAN port on the ddwrt is what needs to be connected to the Linksys?

The client side network topology:
Another Linksys router with 192.168.200.0 IP scheme, with the ddwrt client router connected to the Linksys. Linksys has IP 192.168.200.1 and the ddwrt has IP 192.168.49.1 (I kept them separate so I would know where my DHCP is coming from). I have the WAN port connected to the Linksys and then clients to the regular ports.

I configured the client ddwrt by filling in the public IP for the server Linksys, and then I edited all the certificate-related stuff from the sparklabs steps that I saved in the "client" folder so I was able to read the data and paste it into the fields.

I was able to access the 192.168.200.0 IPs, so I pasted your firewall code into the client ddwrt and that stopped the access, which is good; however, I can't seem to get the VPN working, and the Status > OpenVPN page on both ddwrts is blank, so I'm not sure if anything is working or running or what. Any chance you could help me there? I'm wondering if I should have just gone with PPTP; maybe that would be easier? I'm also wondering if it will work this way where the ddwrt routers are not the actual internet routers and are just acting like dedicated VPN devices..?
mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Tue Nov 07, 2017 6:57
Using the link I provided to create the certificates and then Boogalooz's guide for everything else, I was able to get my dd-wrt working behind my main router, and then I tethered my laptop to my phone and connected to the dd-wrt successfully with the OpenVPN Windows software. HOWEVER, when I went to whatismyip.com I had a cell phone carrier IP address and not my home ISP public IP. Would this be a setting on the client side or the OpenVPN server side? All my screens look like the ones in Boogalooz's guide.

Tomorrow I will be working on getting another dd-wrt set up as openvpn client and the ultimate end goal would be to have any PC/device attached to the client dd-wrt to have no internet or local network access until the VPN is connected and then only allow access to the openvpn server network resources/public IP.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Tue Nov 07, 2017 10:10
Regarding the OpenVPN server: it seems you have set this up as a WAP, that is OK, and yes, you then have to port forward.
See: https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point

This is also described in the guide you mentioned by @Boogalooz.

Be sure to choose an IP subnet for the OpenVPN server which is different from all the others; @Boogalooz uses 192.168.10.0, that should be all right for you also.

When everything works and you connect to the OpenVPN server, then whatsmyipaddress.com should show the public IP address of your home.

mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Tue Nov 07, 2017 14:00
egc wrote:
Regarding the OpenVPN server: it seems you have set this up as a WAP, that is OK, and yes, you then have to port forward.
See: https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point

This is also described in the guide you mentioned by @Boogalooz.

Be sure to choose an IP subnet for the OpenVPN server which is different from all the others; @Boogalooz uses 192.168.10.0, that should be all right for you also.

When everything works and you connect to the OpenVPN server, then whatsmyipaddress.com should show the public IP address of your home.


Correct, I get the 192.168.10.0 IP address when the VPN connects, but when I go to whatismyip.com it gives the same result as when the VPN was not connected, but I can ping devices on my home network. So the VPN is working and I can access devices; it is just that it's not routing my internet traffic through my home network.

Do I need some sort of push command somewhere? https://openvpn.net/index.php/open-source/documentation/howto.html#redirect

To take this even further, I loaded a PC with pfSense and, following this guide https://forum.pfsense.org/index.php?topic=76015.0, I put in my own settings, and I have pfSense connected to my dd-wrt OpenVPN server (it shows the OpenVPN interface with an IP from my dd-wrt OpenVPN subnet and the status shows OpenVPN is up); however, I can't ping anything on my dd-wrt subnet and I can't access the internet. I'm wondering if this is a dd-wrt config problem or a pfSense config problem.
mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Wed Nov 08, 2017 4:54
Let's try this again:

I have set up a dd-wrt router as an OpenVPN server behind my main router, and using port forwarding I can forward the port for the server. I followed some steps online to use Cygwin to generate all the certificates, and I can connect with a laptop when I tether it to my phone, so the OpenVPN stuff seems correct. I can even ping stuff on the OpenVPN server network from the laptop.

Here is the network diagram and openvpn settings and the dd-wrt settings: https://imgur.com/a/C3koz

Ip route: http://prntscr.com/h7mk3a

Can provide any other screenshots as needed.


The first problem is when I do a whatismyip.com my internet traffic is still going straight out to the web from my phone, what I need to happen is to have all internet traffic use the wan IP of the openvpn server network and be able to access stuff on the openvpn server network. It does not matter if openvpn server network can access the client network.


Basically the goal is to make it look like the stuff on the client network is physically on the openvpn server network, computers should ping out and internet traffic should go out from that public ip. In my diagram computer 192.168.200.100 should then have a wan ip of 72.x.x.x and never 162.x.x.x


Currently I am waiting on the second client dd-wrt router (may just try and use pfsense, I tested it earlier and it does connect but something is wrong because no traffic will reach the openvpn server network private or public) so for right now I am just testing with openvpn client on a laptop tethered to my phone so I can make changes and test right away before deploying the hardware client.


Does anyone know what I need to do to fix this?

Someone who does not use dd-wrt provided this to me; maybe someone knows how to accomplish it:
yeah, so you need to have a route to your VPN endpoint over that interface
so that your VPN always works
but then you need to have everything else *traverse* the VPN
right now your default route is via br0
that has to change to be over your vpn
0.0.0.0/0 (default) means if you don't have a better route, send stuff here
in your case, it means send stuff to the internet via br0 (192.168.1.1)
but you don't want that, you want stuff to the internet to be sent via tun2
so you need your *default* route (0.0.0.0/0) to be via tun2
but the route to your VPN provider to still be via br0
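To make the relayed explanation concrete, here is an added example (my own code, not from anyone in the thread and not from DD-WRT or OpenVPN): a check that reads `ip route` output the way the advice describes, treating the 0.0.0.0/1 and 128.0.0.0/1 half-routes that OpenVPN's `redirect-gateway def1` installs as the effective default, plus the two server-side pieces from the OpenVPN HOWTO section linked earlier (a pushed `redirect-gateway def1` and a MASQUERADE rule). The interface names br0 and tun2 and the 192.168.10.0/24 tunnel subnet come from the thread; that the server's outgoing interface is br0 (it is a WAP behind the main router) and the 203.0.113.10 server address in the constructed sample table are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or the DD-WRT project. Reads a routing table
# and reports which device Internet-bound traffic really leaves on, and prints the
# server-side pieces from the OpenVPN HOWTO's redirect-gateway section.
# br0, tun2 and 192.168.10.0/24 are the thread's names; the rest is assumed.

# Given `ip route` output on stdin, print the device that carries Internet traffic.
# "redirect-gateway def1" does not replace the default route; OpenVPN adds 0.0.0.0/1
# and 128.0.0.0/1 via the tunnel, which win because they are more specific. A check
# that only reads the "default" line therefore says br0 even when the tunnel is used.
routing_default_dev() {
    awk '
        function dev(    i) { for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }
        /^default /         { def = dev() }
        /^0\.0\.0\.0\/1 /   { lo = dev() }
        /^128\.0\.0\.0\/1 / { hi = dev() }
        END {
            if (lo != "" && lo == hi) print lo   # both halves via the tunnel
            else print def
        }'
}

# Constructed sample: the client before the VPN is up, default route via br0.
sample_routes_before() {
    printf '%s\n' \
        'default via 192.168.1.1 dev br0' \
        '192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.50'
}

# Constructed sample after "redirect-gateway def1" took effect. 203.0.113.10 stands in
# for the VPN server's public address: it keeps a host route via br0 so the tunnel
# itself survives, while everything else is split across the two tunnel halves.
sample_routes_after_def1() {
    printf '%s\n' \
        '0.0.0.0/1 via 192.168.10.5 dev tun2' \
        'default via 192.168.1.1 dev br0' \
        '128.0.0.0/1 via 192.168.10.5 dev tun2' \
        '203.0.113.10 via 192.168.1.1 dev br0' \
        '192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.50' \
        '192.168.10.0/24 via 192.168.10.5 dev tun2'
}

# Server side (DD-WRT OpenVPN server, "Additional Config"): tell every client to send
# all traffic through the tunnel. A client can do the same on its own with a plain
# "redirect-gateway def1" line in its config.
server_push_config() {
    printf '%s\n' 'push "redirect-gateway def1"'
}

# Server side: masquerade tunnel clients behind the interface that leads to the
# Internet, so replies find their way back into the tunnel. On a DD-WRT box that is
# a WAP behind the main router, that interface is br0 (assumed), and the main router
# NATs the traffic a second time on the way out.
server_nat_rule() {
    tun_subnet="$1"; out_if="$2"
    printf '%s\n' "-t nat -I POSTROUTING -s $tun_subnet -o $out_if -j MASQUERADE"
}

echo "sample before VPN: traffic leaves via $(sample_routes_before | routing_default_dev)"      # br0
echo "sample after def1: traffic leaves via $(sample_routes_after_def1 | routing_default_dev)"  # tun2
if command -v ip >/dev/null 2>&1; then
    echo "this host right now: traffic leaves via $(ip route 2>/dev/null | routing_default_dev)"
fi
echo "server Additional Config line: $(server_push_config)"
echo "server firewall rule: iptables $(server_nat_rule 192.168.10.0/24 br0)"
```

Run the check on the client after connecting: if it still names br0, no redirect was pushed or accepted, which matches the symptom of the VPN subnet address appearing while whatismyip.com keeps showing the local carrier address.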