Posted: Wed Jul 01, 2020 2:50 Post subject: openvpn with killswitch for Policy based Routing
I went into the OpenVPN client settings on the router and everything is working fine so far. I set up Policy Based Routing so only 1 specific PC uses a VPN connection all the time. The only question I have left is: how can I do something similar to a VPN kill switch on that Policy Based Routing list? I have seen different commands, but I am not sure because they all have different code, so I don't know which will best fit my case, since I'm assuming that some of those commands are for all connected devices instead of only the Policy Based Routing IPs.
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Wed Jul 01, 2020 18:36 Post subject:
Edit: When I first posted the code below, I omitted an important qualification. This simple version of a PBR kill switch is ONLY for the classic simple PBR setup in which each line of the PBR window is only XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX/NN to specify IPs whose traffic should be routed through the VPN. If you are using the newer PBR features to specify IPs to route around the VPN or to specify routes, etc, this simple version isn't going to do it for you.
If you're not into reading shell scripts, what it does is to incorporate each line L of the PBR window into three iptables firewall rules of the form
iptables... -s L ...
Because the contents L of the PBR config line are used with -s in this way, L must be in a form compatible with -s, hence the restriction of the first paragraph above. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
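As an added illustration of the approach described above (this is not the script from the zip file in the post, and the exact three rules that script uses are not shown on the page), the following busybox-compatible shell script builds one kill-switch rule set per PBR line. It assumes the OpenVPN client interface is tun1, the LAN bridge is br0, that DD-WRT keeps the PBR window in the nvram variable openvpncl_route, and that each line is a plain IPv4 address or CIDR as the post requires; lines in any other form are skipped rather than passed to iptables -s. Only the apply argument actually executes anything; without it the script just prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the script referenced in the thread.
# Assumed names: tun1 (OpenVPN client), br0 (LAN bridge), openvpncl_route (PBR nvram var).
VPN_IF="${VPN_IF:-tun1}"
LAN_IF="${LAN_IF:-br0}"
CHAIN="PBR_KILLSWITCH"

# Accept only a dotted-quad IPv4 address with an optional /NN prefix, so that a
# line using the newer PBR syntax is refused instead of being handed to iptables -s.
valid_pbr_line() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Read PBR lines on stdin and print the iptables commands that implement the
# kill switch for each of them. Nothing is executed by this function.
pbr_rules() {
    # a dedicated chain keeps the per-host rules together and in a known order
    printf 'iptables -N %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \r')
        case "$line" in ""|\#*) continue ;; esac
        if ! valid_pbr_line "$line"; then
            printf '# skipped unsupported PBR line: %s\n' "$line"
            continue
        fi
        # 1) the host may send traffic through the tunnel
        printf 'iptables -A %s -s %s -o %s -j ACCEPT\n' "$CHAIN" "$line" "$VPN_IF"
        # 2) the host may still reach LAN-side interfaces of the router
        printf 'iptables -A %s -s %s -o %s -j ACCEPT\n' "$CHAIN" "$line" "$LAN_IF"
        # 3) anything else from that host (i.e. out the WAN when the VPN is down) is dropped
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$line"
    done
    # hook the chain at the top of FORWARD exactly once (delete a stale hook first)
    printf 'iptables -D FORWARD -j %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -I FORWARD 1 -j %s\n' "$CHAIN"
}

# Number of per-host rules generated for a given PBR text; handy for a sanity check.
rule_count() {
    printf '%s\n' "$1" | pbr_rules | grep -c '^iptables -A' || true
}

# On the router: sh killswitch.sh apply   (e.g. from the firewall/startup script)
# Without "apply" the rules are only printed for review.
if [ "$1" = "apply" ]; then
    nvram get openvpncl_route | pbr_rules | sh
elif [ -n "$1" ]; then
    printf '%s\n' "$1" | pbr_rules
fi
```

Because the DROP rule is keyed on the source address, devices that are not listed in the PBR window are never touched, which is the behaviour the original poster asked about; return traffic to the listed host is addressed by -d, not -s, so it is unaffected as well.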
Sorry, I guess I didn't mention it in the OP, but I went into the Services tab and then enabled OpenVPN Client in the VPN tab. My VPN is connected across all devices. I was reading a guide online that said to simply scroll down to Policy Based Routing and enter the IP of the devices I would like to have access to the VPN, which is only 1 device for now.
I looked at ovpn-pbr-kill-switch-02.zip, but I'm looking for clarification that under the VPN tab it will only apply to the PBR entry set to 192.168.1.115/32 and not to the non-VPN-connected devices on the router.
Edit: after reading and re-reading your post, I think it means that if I enter that code you posted, it will use the IP set in the VPN tab for PBR?
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Thu Jul 02, 2020 19:33 Post subject:
Please consider upgrading to the latest release before asking for help if you have not already. Also, please state your router model/version and build you are currently running.
This database may not have up-to-date information and may even recommend a build which might cause issues. As such, you should check the device specific forum (Broadcom, Atheros, MediaTek, etc.) first before flashing any build recommended in this database. There you will find build specific topics that discuss any issues with a particular build/release. For more up-to-date firmware files, please visit the firmware faq.
YOU HAVE BEEN GIVEN FRIENDLY AND FAIR NOTICE
Fair warning, if I see the number 40559 at any point in the near future, I am just going to lock the thread. We no longer support that build as a community and it is a problematic build and anyone's suggestions may or may not work to fix your issues. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Fri Jul 03, 2020 2:38 Post subject:
You are correct that if the PBR window contains just the one line "192.168.1.115/32", the kill switch I posted above will apply only to that one IP address.
You should understand also that dd-wrt uses one common DNS system, shared by VPN and non-VPN devices. Basically your one VPN-using device will be getting its DNS service from the non-VPN part of the router. If that's a concern, you may want to look over the PBR guide posted in the stickies at the top of the Advanced Networking forum. It's also linked to in the signature on any post by @egc, who posts in that forum frequently. I also discuss the simpler alternatives in my AirVPN how-to linked in my sig below. I use PBR on my routers and get around issues of having DNS queries out in the open by using DNSCrypt, which can be enabled easily with the "Encrypt DNS" toggle in the dnsmasq setup in GUI>Services>Services. I like the Adguard provider choices there, but YMMV.
Gotcha, and thank you. Yes, that was something I noticed. When I was setting up the VPN in DD-WRT, the first part was to set static DNS, which worked, but I noticed the next day, after doing tests on non-VPN devices, that I was indeed getting a weird DNS that I never set up, but found out it was my VPN DNS. That was my next question, but you answered the why. I'll look over your suggested posts. Just want to stay as safe as I can on those devices.
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Fri Jul 03, 2020 16:37 Post subject:
When your DNS connects, your VPN provider may push the IP of its own DNS server to dd-wrt, to the top of a list. Next in the list are your static DNS choices from the setup page, and last are your ISP-provided DNS servers.
If you want to be sure these are tried in order, the dnsmasq page has a button for that. Otherwise dnsmasq will sometimes use the others, even if just to see how they are performing, and it will favor those that respond quickly. None of these servers are accessed through the VPN, so queries will be unencrypted. This can be fixed with a special route command — see egc's guide — in the PBR window, but such a command will make my kill switch not work properly. If you happen to be a linux person who can work with shell scripts and sed, it shouldn't be hard to upgrade my code to do the right thing. Alternatively, egc's guide features a more serious script to create a kill switch, one that should handle the fancy new PBR features OK.