Posted: Wed Jul 24, 2019 11:39 Post subject: VPN Kill Switch on router
I have a NAS where I have set up a PIA VPN connection, and I wish to implement a kill switch in the router's firewall to block all traffic from my NAS if the VPN drops.
My NAS is a Synology DS918+ in case this is relevant.
I have tried the following, which in my mind should work, but when I have this implemented my NAS cannot connect to the VPN.
Code:
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1194 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1197 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1198 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 8080 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 9201 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 53 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 502 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 501 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 443 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 110 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 80 -j ACCEPT # Required by PIA for OpenVPN
You can just block any new connection from the NAS out via the WAN:
Code:
iptables -I FORWARD -s 192.168.1.60/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
Delete everything else!
Just tried this and it doesn't work. I still cannot connect to the VPN.
I don't know exactly how that line of code works, but from your description it sounds like it will "block any new connection" so if the VPN drops, and the NAS tried to make a new connection it is blocked. But won't this also block any reconnects to the VPN?
And isn't this also why I cannot connect to the VPN through my Synology now, since that would be a new connection?
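The reconnect question above comes down to rule order: iptables evaluates FORWARD top to bottom, and "-I" inserts at the top, so a REJECT inserted after the ACCEPT rules sits above them and blocks the VPN handshake itself. The script below is an added example (not code from this thread or from DD-WRT) that inserts the rules in the order needed so the PIA ports stay reachable while every other new connection from the NAS toward the WAN is rejected. Constructed assumptions: the NAS address and port list are the ones from this thread, WAN_IF falls back to "eth0" when nvram is unavailable, VPN_SERVER is an optional placeholder for the VPN endpoint address, and IPT defaults to "echo" so the rules are printed rather than applied.

```shell
#!/bin/sh
# Router-side kill switch for a LAN host that runs its own OpenVPN client.
# IPT defaults to "echo" (dry run: print the rules). Run with IPT=iptables
# to apply them. VPN_SERVER is an optional placeholder for the VPN endpoint.

NAS_IP="${NAS_IP:-192.168.1.60}"
IPT="${IPT:-echo}"
VPN_SERVER="${VPN_SERVER:-}"   # empty = allow the listed ports to any host

if [ -z "${WAN_IF:-}" ]; then
    if command -v nvram >/dev/null 2>&1; then
        WAN_IF=$(nvram get wan_iface)   # DD-WRT's name for the WAN interface
    else
        WAN_IF=eth0                     # placeholder when not on DD-WRT
    fi
fi

# Ports the OpenVPN handshake may use (list taken from the thread).
VPN_UDP_PORTS="1194 1197 1198 8080 9201 53"
VPN_TCP_PORTS="502 501 443 110 80"

killswitch_rules() {
    dst=""
    if [ -n "$VPN_SERVER" ]; then
        dst="-d $VPN_SERVER"   # narrow the holes to the VPN endpoint only
    fi
    # "-I" inserts at the top of the chain, so the rule inserted LAST is
    # evaluated FIRST. Insert the REJECT first and the ACCEPTs afterwards,
    # so every ACCEPT ends up above the REJECT and the VPN can (re)connect.
    $IPT -I FORWARD -s "$NAS_IP/32" -o "$WAN_IF" -m state --state NEW -j REJECT
    for p in $VPN_TCP_PORTS; do
        $IPT -I FORWARD -s "$NAS_IP/32" -o "$WAN_IF" $dst -p tcp --dport "$p" -j ACCEPT
    done
    for p in $VPN_UDP_PORTS; do
        $IPT -I FORWARD -s "$NAS_IP/32" -o "$WAN_IF" $dst -p udp --dport "$p" -j ACCEPT
    done
}

killswitch_rules
```

Without VPN_SERVER set, tcp/80 and tcp/443 stay open to any destination, so ordinary web traffic from the NAS would still leave via the WAN if the tunnel drops; set VPN_SERVER so the exceptions cover only the VPN endpoint.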
You are on the right track, except I am using Deluge instead of Transmission. My reason for using Deluge is that I can label my downloads and automatically move downloads based on their label.
Also, yes, I am running the VPN on my Synology NAS as an OpenVPN profile.
Posted: Wed Jul 24, 2019 13:50 Post subject:
qbone wrote:
egc wrote:
You can just block any new connection from the NAS out via the WAN:
Code:
iptables -I FORWARD -s 192.168.1.60/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
Delete everything else!
Just tried this and it doesn't work. I still cannot connect to the VPN.
I don't know exactly how that line of code works, but from your description it sounds like it will "block any new connection" so if the VPN drops, and the NAS tried to make a new connection it is blocked. But won't this also block any reconnects to the VPN?
And isn't this also why I cannot connect to the VPN through my Synology now, since that would be a new connection?
My bad, I see you have set up the VPN on the NAS.
So you have to set the firewall rules on the NAS and not on the router.
On the NAS you can just block the regular LAN interface. You had better ask in the forum of your NAS for that.
OK, I use this code to edit the settings file of Transmission to bind it to the internal IP given by PIA.
Code:
sed -i 's/.*bind-address-ipv4.*/ "bind-address-ipv4": "'$ifconfig_local'",/' /opt/transmission/config/settings.json
It is all one line; maybe you can adapt it to Deluge. I will have a quick look into Deluge, but if you aren't binding or restricting it to the VPN somehow it can leak out over the normal net.
This is my code in route-down.sh to kill Transmission.
Code:
killall transmission-daemon
sed -i 's/.*bind-address-ipv4.*/ "bind-address-ipv4": "192.168.168.168",/' /opt/transmission/config/settings.json
If you just put "killall #whateverthedelugebinaryis#" it should work.
ok
In route-up.sh, and you need to add the path to deluge-console.