VPN Kill Switch

DD-WRT Forum Index -> Atheros WiSOC based Hardware
nima2019
DD-WRT Novice


Joined: 13 Apr 2019
Posts: 16

PostPosted: Fri Jun 21, 2019 15:22    Post subject: VPN Kill Switch
I'm trying to set up a VPN kill switch in my dd-wrt. I've found a few solutions online. I'm hoping someone can help me learn which one is a better path and why.

Go to the Administration > Commands section and paste in the following script:

Option 1:
Quote:
iptables -I FORWARD -i br0 -o vlan2 -j DROP


Option 2:
Quote:
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP


Option 3:
Quote:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jun 21, 2019 16:29    Post subject:
They are all the same; for most modern routers vlan2 is the WAN interface, but older routers use vlan1.

Therefore option 1 is not recommended

The difference between option 2 and 3 is the way the WAN interface is determined. Option 2 is the "normal" one, but theoretically there could be setups where that does not work, so theoretically option 3 is the best.

DROP is just dropping the packets; REJECT is gracefully letting the clients know that there is no route. Some older applications do not time out, and in that case REJECT is the graceful option.

state NEW is the more accurate, as it only blocks the outgoing new connections.

My favourite kill switch:
Code:
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -m state --state NEW -j REJECT


But all will work (if you have a modern router with vlan2 as the WAN)

It is all a matter of opinion and there are also more like:
Code:
iptables -I FORWARD -s 192.168.0.0/16 -o $(nvram get wan_iface) -m state --state NEW -j REJECT

Useful if you have more subnets and bridges, as the rules we discussed only block traffic on br0.

So there are a lot more, all with their merits :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jun 21, 2019 16:51    Post subject:
An even better explanation than mine :)

(But to be honest a lot of my knowledge I have learned from @eibgrad and still learning)

nima2019
DD-WRT Novice


Joined: 13 Apr 2019
Posts: 16

PostPosted: Sat Jun 22, 2019 0:32    Post subject:
Wow, thank you egc and eibgrad. That was very helpful. I ended up using the simpler option that eibgrad suggested.

Quote:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT


Is there any way that I can verify that this is working and killing the internet connection when there is no VPN?

Thanks again
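One way to check both points raised above (how the WAN interface gets determined in options 2 and 3, and how to verify the rule is actually loaded), as an added example that is not from the thread or from DD-WRT. The route tables below are constructed, and the `vlan2`/`tun1`/`br0` names are assumptions about the router.

```shell
#!/bin/sh
# Added example, not from the thread. Compares option 3's interface
# detection with a stricter parse, builds egc's preferred rule, and
# checks whether it is loaded. Route tables here are constructed.

# Option 3 as posted: the last field of the default route.
option3_wan_if() {
    printf '%s\n' "$1" | awk '/^default/{print $NF}'
}

# Stricter variant: take the word after "dev" (so a trailing "metric 100"
# does not become the interface name) and skip tun devices, so the rule
# is built against the real WAN even if the VPN already owns a default route.
wan_if_from_routes() {
    printf '%s\n' "$1" | awk '
        /^default/ {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "" && dev !~ /^tun/) { print dev; exit }
        }'
}

# The rule in the form egc favours, parameterised on the WAN interface.
killswitch_rule() {
    echo "iptables -I FORWARD -i br0 -o $1 -m state --state NEW -j REJECT"
}

# iptables -C exits 0 only when an identical rule exists, so this answers
# "is the kill switch loaded?" without disabling the VPN. Needs iptables
# on the router; it is not exercised by the assertions below.
killswitch_present() {
    iptables -C FORWARD -i br0 -o "$1" -m state --state NEW -j REJECT 2>/dev/null
}

# Constructed sample: VPN down, default route carries a metric.
ROUTES_VPN_DOWN='default via 203.0.113.1 dev vlan2 proto static metric 100
203.0.113.0/24 dev vlan2 scope link
192.168.1.0/24 dev br0 scope link'

# Constructed sample: VPN up and holding the preferred default route.
ROUTES_VPN_UP='default via 10.8.0.1 dev tun1
default via 203.0.113.1 dev vlan2 proto static metric 100
192.168.1.0/24 dev br0 scope link'

# Stand-alone run: show what each method picks on both tables.
for t in "$ROUTES_VPN_DOWN" "$ROUTES_VPN_UP"; do
    echo "option3: $(option3_wan_if "$t" | head -n 1)  strict: $(wan_if_from_routes "$t")"
done
```

On the constructed tables option 3 returns the metric ("100") or the tunnel ("tun1"), while the stricter parse returns "vlan2" in both cases; on a real router compare `ip route` output before trusting either.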
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Sat Jun 22, 2019 1:01    Post subject:
You could disable your vpn.
_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
nickant
DD-WRT User


Joined: 09 Feb 2016
Posts: 319

PostPosted: Sat Jun 22, 2019 4:56    Post subject:
Interesting thread.
My VPN provider recommends Option 1.
I often alter the VPN server chosen to access different countries eg BBC iPlayer on UK servers.
Recently I misspelt the VPN server name in my EA8500 setup.
The VPN failed to connect successfully, but I still had internet access.
I tested the Option 3 Simplified version with a deliberate server typo > no internet = works great!

_________________
------------------------------------
Netgear XR500 OpenWrt-23.05.3 (Gateway)
Linksys EA8500 OpenWrt-23.05.3 (Wired AP)
Linksys WRT3200ACM DD-WRT r55460 (spare Wired AP)
Netgear WNDR3700v4 DD-WRT r55460 (spare Gateway)
Photos: https://www.flickr.com/photos/nickant44/albums
nickant
DD-WRT User


Joined: 09 Feb 2016
Posts: 319

PostPosted: Sun Jun 23, 2019 0:56    Post subject:
OK, but I'm not entirely sure about this.
ifconfig only on my Linux PC.
Can't really interpret the info.
My ISP provides a static IP for me.
The server IP address will change depending upon which VPN server I'm connected to.
Are you referring to the VLAN IP address ie router IP?
Maybe for dummies like me it's best that the firewall rule complete these enquiries dynamically as it does in Option 3 Simplified.
