[nima2019]

I'm trying to setup a VPN kill switch in my dd-wrt. I've found a few solutions online. I'm hoping someone can help me learn which one is a better path and why

Go to the Administration > Commands section and paste in the following script:

Option 1:

[egc]

They are all the same for most modern routers vlan2 is the WAN interface but older routers use vlan1

Therefore option 1 is not recommended

The difference between option 2 and 3 is the way the WAN interface is determined, options 2 is the "normal" one but theoretically there could be setups where that does not work so theoretically option 3 is the best

DROP is just dropping the packets, REJECT is gracefullly letting the clients know that there is no route, some older applications do not time out and in that case REJECT is the gracefull option.

state NEW is the more accurate as it only blocks the outgoing new connections

My favourite kill switch:

[eibgrad]

@egc does a very good job explaining it, but here's my take as well (esp. since I wrote the third option).

The first and second options are effectively the same, however, the first option *assumes* the WAN network interface is vlan2, which might not always be the case (for example, it might be vlan1 w/ some older routers), while the second option tries to determine the WAN's network interface name dynamically. So of those two, the second option is preferred.

That said, the use of the nvram variable wan_iface to determine the WAN's network interface name is itself not 100% reliable. In the case of client mode, it would likely fail. That's where the third option (the one I wrote ) is better. It parses the actual routing table to find the WAN's network interface.

Also, the third option offers the advantage of being able to support port forwarding to those same clients over the WAN because it's checking the state of the connection. But that comes at the price of *maybe* some client at bootup, before the firewall is completely established (there's always a small window of opportunity, perhaps just a couple seconds, where the WAN is up but the firewall lags) to get a connection started. And using the third option would NOT stop that connection from continuing.

So unless you need port forwarding to those same clients, the following is probably the most complete and simplest solution.

[egc]

An even better explanation than mine

(But to be honest a lot of my knowledge I have learned from @eibgrad and still learning)

[eibgrad]

I should add that, as @egc suggests, there is no one perfect solution that will work in absolutely every case.

For example, if you decide to use PBR (policy based routing) w/ the OpenVPN client, then obviously only *some* clients should be denied access to the WAN, specifically, those listed in the PBR field. That creates the need for a more complex kill switch that can discriminate among those using and NOT using the VPN. For that reason, I wrote the following script a few years ago to make it much simpler to manage a kill switch while using PBR.

https://pastebin.com/332rk3we

[nima2019]

Wow, thank you egc and eibgrad. That was very helpful. I ended up using the simpler option that eibgrad suggested.

[slidermike]

You could disable your vpn.

[nickant]

Interesting thread.
My VPN provider recommends Option 1.
I often alter the VPN server chosen to access different countries eg BBC iPlayer on UK servers.
Recently I misspelt the VPN server name in my EA8500 setup.
The VPN failed to connect successfully, but I still had internet access.
I tested the Option 3 Simplified version with a deliberate server typo > no internet = works great!

[eibgrad]

[nickant]

OK, but I'm not entirely sure about this.
ifconfig only on my Linux PC.
Can't really interpret the info.
My ISP provides a static IP for me.
The server IP address will change depending upon which VPN server I'm connected to.
Are you referring to the VLAN IP address ie router IP?
Maybe for dummies like me it's best that the firewall rule complete these enquiries dynamically as it does in Option 3 Simplified.