DD-WRT v3.0 NetGear R7000 with OpenVPN. Setup a killswitch?

Author Message
ernosernos
DD-WRT Novice


Joined: 15 May 2019
Posts: 3

Posted: Wed May 15, 2019 11:01    Post subject: DD-WRT v3.0 NetGear R7000 with OpenVPN. Setup a killswitch?
Is it possible to setup a killswitch (so that my internet goes completely down when the openvpn fails to connect to the VPN server) with the above setup?

If so, how? Can anyone point me in the correct direction?

Thanks, best regards,
Ernosernos

Edit: I'm a total noob when it comes to OpenVPN and DD-WRT but fairly good with internet security and an expert in Linux, if that helps you tailor your answer to me hehehe.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3260
Location: Netherlands

Posted: Wed May 15, 2019 11:53    Post subject:
You use an iptables rule to block traffic going out of the WAN:
Code:
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j REJECT


In Administration/Commands save as Firewall

There are several kill switches circulating which all do more or less the same.

_________________
Routers: Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Patched SFE module to work with PBR: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318895
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
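
Added example, not part of the original posts: one way to confirm that the rule from the answer above is present and is not preceded by an ACCEPT rule that could still pass LAN-to-WAN traffic, by checking a dump of the FORWARD chain. The sample dumps are constructed, and `vlan2` (WAN) and `tun1` (VPN) are assumed interface names.

```shell
#!/bin/sh
# Added example (not from the thread): check a FORWARD chain dump for the kill switch.
# Reads rules in iptables-save / "iptables -S" form on stdin.
# Prints OK, MISSING, or SHADOWED (an earlier ACCEPT can match LAN->WAN traffic).
# Jumps to user-defined chains are not followed.
killswitch_status() {   # usage: killswitch_status <lan_if> <wan_if>
    awk -v lan="$1" -v wan="$2" '
    function optval(opt,   i) {          # value following option opt, or ""
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    function ifmatch(pat, name,   n) {   # absent -i/-o matches all; trailing + is a wildcard
        if (pat == "") return 1
        n = length(pat)
        if (substr(pat, n) == "+") return substr(name, 1, n - 1) == substr(pat, 1, n - 1)
        return pat == name
    }
    function unconditional(   i) {       # no protocol, address, module or negation qualifiers
        for (i = 1; i <= NF; i++)
            if ($i == "-p" || $i == "-s" || $i == "-d" || $i == "-m" || $i == "!") return 0
        return 1
    }
    $1 == "-A" && $2 == "FORWARD" && !found {
        t = optval("-j")
        if (t == "ACCEPT" && ifmatch(optval("-i"), lan) && ifmatch(optval("-o"), wan))
            shadow = 1
        if ((t == "REJECT" || t == "DROP") && optval("-i") == lan && optval("-o") == wan && unconditional())
            found = 1
    }
    END { print (!found ? "MISSING" : (shadow ? "SHADOWED" : "OK")) }'
}

# Constructed dumps; vlan2 as WAN and tun1 as the VPN interface are assumed names.
sample_good() { printf '%s\n' \
    '-P FORWARD ACCEPT' \
    '-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-port-unreachable' \
    '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    '-A FORWARD -i br0 -o tun1 -j ACCEPT'; }
sample_shadowed() { printf '%s\n' \
    '-A FORWARD -i br0 -j ACCEPT' \
    '-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-port-unreachable'; }
sample_missing() { printf '%s\n' \
    '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    '-A FORWARD -i br0 -o tun1 -j ACCEPT'; }

sample_good | killswitch_status br0 vlan2
```

On a router, the input would be the real chain dump (for example from `iptables-save`, where the build provides it) and the WAN argument would be `$(nvram get wan_iface)`.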
ernosernos
DD-WRT Novice


Joined: 15 May 2019
Posts: 3

Posted: Wed May 15, 2019 12:03    Post subject:
Wow, that was a really quick answer. Can you explain it in more detail please? Also, is there any way to test it? Just go to Services -> OpenVPN and set to disable, would that be an accurate test?

Does this change need a router reboot?

Can you make a rule for me to block ALL incoming connections that don't go through OpenVPN?

Also, since I already have you here: Why is my DD-WRT setup page accessible through my WAN IP? I want that to only be accessible locally.

Best Regards.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3260
Location: Netherlands

Posted: Wed May 15, 2019 13:10    Post subject:
ernosernos wrote:
Wow, that was a really quick answer. Can you explain it in more detail please? Also, is there any way to test it? Just go to Services -> OpenVPN and set to disable, would that be an accurate test?

Does this change need a router reboot?

Can you make a rule for me to block ALL incoming connections that don't go through OpenVPN?

Also, since I already have you here: Why is my DD-WRT setup page accessible through my WAN IP? I want that to only be accessible locally.

Best Regards.


To test, just disable the OVPN client; do not worry, your settings are retained.

A reboot is usually not necessary, but to be sure, reboot.

All incoming connections are blocked by default; that is what the firewall is for. My rule blocks connections originating from the router (br0) and going out of the WAN (VLAN2).

Your setup page should not be accessible from the WAN by default unless you enable it on Administration/Management/Remote Access.

If you are referring to the System Information page, that is visible by default.
You can disable it on Administration/Management/Web Access: set Enable Site Info to Disabled, or enable the password protection.

It is on by default, but you cannot log in unless you enabled remote access.

We have had discussions with the devs. Although it is not a security risk per se, the fact that attackers can see what you are using can give them an attack vector.
So for my internet-facing routers it is disabled.

ernosernos
DD-WRT Novice


Joined: 15 May 2019
Posts: 3

Posted: Wed May 15, 2019 19:18    Post subject:
egc wrote:

We have had discussions with the devs, although it is not a security risk per se, the fact that attackers can see what you are using can give them an attack vector.
So for my internet facing routers it is disabled

Exactly what I am referring to: it is a security risk per se just to let the "attackers" know you run DD-WRT and what version.

Otherwise you pretty much answered my questions, although, one thing.

OpenVPN is activated in my router, via the settings tab Services -> OpenVPN. That's why I was asking for a good way to test out the settings.

Best Regards.

Wow, Amazing support on DD-WRT. I am loving this.