Posted: Fri Jun 21, 2019 15:22 Post subject: VPN Kill Switch
I'm trying to set up a VPN kill switch in my dd-wrt. I've found a few solutions online. I'm hoping someone can help me learn which one is a better path and why.
Go to the Administration > Commands section and paste in the following script:
Option 1:
Quote:
iptables -I FORWARD -i br0 -o vlan2 -j DROP
Option 2:
Quote:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP
Option 3:
Quote:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Fri Jun 21, 2019 16:29 Post subject:
They are all the same; for most modern routers vlan2 is the WAN interface, but older routers use vlan1.
Therefore option 1 is not recommended.
The difference between option 2 and 3 is the way the WAN interface is determined. Option 2 is the "normal" one, but theoretically there could be setups where that does not work, so theoretically option 3 is the best.
DROP is just dropping the packets; REJECT is gracefully letting the clients know that there is no route. Some older applications do not time out, and in that case REJECT is the graceful option.
state NEW is more accurate as it only blocks the outgoing new connections.
My favourite kill switch:
Code:
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
But all will work (if you have a modern router with vlan2 as the WAN).
It is all a matter of opinion, and there are also more, like:
Code:
iptables -I FORWARD -s 192.168.0.0/16 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
Useful if you have more subnets and bridges, as the rules we discussed only block traffic on br0.
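The following is an added example for this thread, not code from any of the posters: it packages the reply's favourite REJECT/state NEW rule in the two-rule shape of option 3 from the first post, resolving the WAN interface the way options 2 and 3 do (nvram first, default route as fallback) and verifying the insert afterwards with `iptables -C`. The function names and the `KILLSWITCH_APPLY` variable are this example's own. One caveat it handles that option 3 does not: the example reads the token after `dev` in the default route rather than `$NF`, because on many Linux builds `ip route` appends `proto ... metric N`, which makes `$NF` the metric rather than the interface. On DD-WRT the commands still have to be saved as the firewall script to survive a reboot.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): a REJECT-based
# kill switch in the shape of option 3 / the reply's favourite rule, with the
# WAN interface resolved the way options 2 and 3 do it. Function names below
# are this example's own assumptions.

# Parse the outgoing interface of the default route from `ip route` text on
# stdin. Looks for the token after "dev" rather than taking $NF, because
# iproute2 often appends "proto ... metric N", which makes $NF the metric.
default_dev_from_routes() {
    dev="$(awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')"
    [ -n "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# Resolve the WAN interface: DD-WRT's nvram first (option 2), then the
# default route (option 3). Returns 1 if neither yields a name.
wan_iface() {
    iface=""
    if command -v nvram >/dev/null 2>&1; then
        iface="$(nvram get wan_iface 2>/dev/null)"
    fi
    if [ -z "$iface" ] && command -v ip >/dev/null 2>&1; then
        iface="$(ip route 2>/dev/null | default_dev_from_routes)"
    fi
    [ -n "$iface" ] || return 1
    printf '%s\n' "$iface"
}

# Print the two iptables commands for LAN_IF -> WAN_IF. Both match only NEW
# connections, so established flows are untouched, and router-originated
# traffic such as the VPN tunnel itself goes through OUTPUT, not FORWARD, so
# it is unaffected. -I puts each rule at the top of FORWARD; the TCP rule is
# inserted last so it sits first and answers with a RST, everything else
# gets ICMP host-prohibited.
killswitch_rules() {
    lan_if="$1"; wan_if="$2"
    printf 'iptables -I FORWARD -i %s -o %s -m state --state NEW -j REJECT --reject-with icmp-host-prohibited\n' "$lan_if" "$wan_if"
    printf 'iptables -I FORWARD -i %s -o %s -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset\n' "$lan_if" "$wan_if"
}

# Apply the rules, then confirm each is present with `iptables -C` (same rule
# spec, check instead of insert). Needs root and iptables on the router.
apply_killswitch() {
    killswitch_rules "$1" "$2" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
        check="$(printf '%s' "$cmd" | sed 's/ -I FORWARD / -C FORWARD /')"
        $check >/dev/null 2>&1 || { echo "not present after insert: $cmd" >&2; exit 1; }
    done
}

# Stand-alone use on a router: KILLSWITCH_APPLY=1 ./killswitch.sh applies the
# rules for br0; without it, the script only prints what it would run.
if [ "${KILLSWITCH_APPLY:-0}" = 1 ]; then
    wan="$(wan_iface)" || { echo "cannot determine WAN interface" >&2; exit 1; }
    apply_killswitch br0 "$wan"
else
    killswitch_rules br0 "$(wan_iface 2>/dev/null || echo WAN_IF)"
fi
```

Run without `KILLSWITCH_APPLY=1` first to see the exact commands the script would insert for your router's WAN name; the `-C` check after each insert is what tells you the rule really landed instead of silently failing on an unknown interface name.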
Interesting thread.
My VPN provider recommends Option 1.
I often alter the VPN server chosen to access different countries, e.g. BBC iPlayer on UK servers.
Recently I misspelt the VPN server name in my EA8500 setup.
The VPN failed to connect successfully, but I still had internet access.
I tested the Option 3 Simplified version with a deliberate server typo > no internet = works great!
_________________
Netgear XR500 OpenWrt-23.05.3 (Gateway)
Linksys EA8500 OpenWrt-23.05.3 (Wired AP)
Linksys WRT3200ACM DD-WRT r55799 (spare Wired AP)
Netgear WNDR3700v4 DD-WRT r55779 (spare Gateway)
Photos: https://www.flickr.com/photos/nickant44/albums
OK, but I'm not entirely sure about this.
ifconfig only on my Linux PC.
Can't really interpret the info.
My ISP provides a static IP for me.
The server IP address will change depending upon which VPN server I'm connected to.
Are you referring to the VLAN IP address, i.e. the router IP?
Maybe for dummies like me it's best that the firewall rule completes these enquiries dynamically, as it does in Option 3 Simplified.