openvpn with killswitch for Policy based Routing

DD-WRT Forum Index -> Advanced Networking
droopie
DD-WRT Novice


Joined: 31 Dec 2014
Posts: 19

PostPosted: Wed Jul 01, 2020 2:50    Post subject: openvpn with killswitch for Policy based Routing
I went into the OpenVPN client settings on the router and everything is working fine so far. I set up Policy Based Routing so only 1 specific PC uses a VPN connection all the time. The only question I have left is how can I do something similar to a VPN kill switch on that Policy Based Routing list? I have seen different commands but I am not sure, because they all have different code, so I don't know which will best fit my case, since I'm assuming that some of those commands are for all connected devices instead of only the Policy Based Routing IPs.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Wed Jul 01, 2020 3:32    Post subject:
Did you check the PBR guide sticky at the top of the forum?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Wed Jul 01, 2020 18:36    Post subject:
Edit: When I first posted the code below, I omitted an important qualification. This simple version of a PBR kill switch is ONLY for the classic simple PBR setup in which each line of the PBR window is only XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX/NN to specify IPs whose traffic should be routed through the VPN. If you are using the newer PBR features to specify IPs to route around the VPN or to specify routes, etc, this simple version isn't going to do it for you.
Code:
#vpn kill switch for PBR
( WAN_IF=$(ip route | awk '/^default/{print $NF}')   # interface of the default route
  grep '\S' /tmp/openvpncl/policy_ips \
  | while read pbr; do
      # each PBR line (IP or IP/NN) -> three REJECT rules for traffic leaving via WAN
      iptables -I FORWARD -s $pbr -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
      iptables -I FORWARD -s $pbr -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
      iptables -I FORWARD -s $pbr -p udp -o $WAN_IF -j REJECT
    done )

If you're not into reading shell scripts, what it does is to incorporate each line L of the PBR window into three iptables firewall rules of the form

iptables... -s L ...

Because the contents L of the PBR config line are used with -s in this way, L must be in a form compatible with -s, hence the restriction of the first paragraph above.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
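An added example, not the script posted above: the same three-rule kill switch, but each PBR line is first checked to be a plain IPv4 address or IPv4/NN before it is used with -s, and any other line (the newer route or bypass syntax the edit above warns about) is skipped with a warning instead of producing a broken rule. The policy_ips path and the default-route interface detection follow the thread; the function names and the dry-run/APPLY switch are my own.

```shell
#!/bin/sh
# Added example (not the script posted in this thread): same three-rule kill
# switch, but every PBR line is checked to be a plain IPv4 address or IPv4/NN
# before it is used with -s; anything else is skipped with a warning on stderr.
# File path and WAN detection follow the thread; function names are assumed.

PBR_FILE=${PBR_FILE:-/tmp/openvpncl/policy_ips}

# WAN interface = device of the default route, as in the original script
wan_if() {
  ip route 2>/dev/null | awk '/^default/{print $NF; exit}'
}

# Return 0 if $1 is a.b.c.d or a.b.c.d/NN with 0 <= NN <= 32, else 1
is_ip_or_cidr() {
  case "$1" in
    */*) pfx=${1#*/}; addr=${1%/*}
         [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] 2>/dev/null || return 1 ;;
    *)   addr=$1 ;;
  esac
  echo "$addr" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the iptables commands for PBR file $1 and WAN interface $2.
# Rules are printed, not applied, so the output can be reviewed first.
killswitch_rules() {
  grep -v '^[[:space:]]*$' "$1" | while read -r pbr; do
    if ! is_ip_or_cidr "$pbr"; then
      echo "skipping PBR line not usable with -s: $pbr" >&2
      continue
    fi
    echo "iptables -I FORWARD -s $pbr -o $2 -j REJECT --reject-with icmp-host-prohibited"
    echo "iptables -I FORWARD -s $pbr -p tcp -o $2 -j REJECT --reject-with tcp-reset"
    echo "iptables -I FORWARD -s $pbr -p udp -o $2 -j REJECT"
  done
}

# Apply for real only when run as: APPLY=1 sh killswitch.sh
if [ "${APPLY:-0}" = 1 ]; then
  killswitch_rules "$PBR_FILE" "$(wan_if)" | sh
fi
```

Run it without APPLY=1 on the router to see exactly which rules would be inserted and which PBR lines the simple kill switch cannot cover.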
droopie
DD-WRT Novice


Joined: 31 Dec 2014
Posts: 19

PostPosted: Thu Jul 02, 2020 19:02    Post subject:
Sorry, I guess I didn't mention it in the OP, but I went into the Services tab and then enabled OpenVPN client in the VPN tab. My VPN is connected across all devices. I was reading online a guide that said to simply scroll down to Policy Based Routing and enter the IP of the devices I would like to have access to the VPN, which is only 1 device for now.

Here is the main link which the guide used. https://www.privateinternetaccess.com/helpdesk/guides/routers/dd-wrt-3/dd-wrt-v40559-openvpn-setup

I looked at ovpn-pbr-kill-switch-02.zip, but I'm looking for clarification that under the VPN tab it will only apply to the PBR entry set to 192.168.1.115/32 and not to the non-VPN connected devices on the router.

Edit: after reading and re-reading your post, I think it means that if I enter that code you posted, it will use the IP set in the VPN tab for PBR?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Thu Jul 02, 2020 19:33    Post subject:
Please consider upgrading to the latest release before asking for help if you have not already. Also, please state your router model/version and build you are currently running.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/06-25-2020-r43516/

Also, before you say, "but the router database says..."

https://dd-wrt.com/support/router-database/ wrote:
DISCLAIMER

This database may not have up-to-date information and may even recommend a build which might cause issues. As such, you should check the device specific forum (Broadcom, Atheros, MediaTek, etc.) first before flashing any build recommended in this database. There you will find build specific topics that discuss any issues with a particular build/release. For more up-to-date firmware files, please visit the firmware faq.

YOU HAVE BEEN GIVEN FRIENDLY AND FAIR NOTICE


Fair warning, if I see the number 40559 at any point in the near future, I am just going to lock the thread. We no longer support that build as a community and it is a problematic build and anyone's suggestions may or may not work to fix your issues.

droopie
DD-WRT Novice


Joined: 31 Dec 2014
Posts: 19

PostPosted: Thu Jul 02, 2020 20:05    Post subject:
I'm using a T-Mobile rebranded AC68U, so this is the file that is flashed on my router: dd-wrt-43516-Asus_RT-AC66U.trx, if that helps any.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Fri Jul 03, 2020 2:38    Post subject:
You are correct that if the PBR window contains just the one line "192.168.1.115/32", the kill switch I posted above will apply only to that one IP address.

You should understand also that dd-wrt uses one common DNS system, shared by VPN and non-VPN devices. Basically your one VPN-using device will be getting its DNS service from the non-VPN part of the router. If that's a concern, you may want to look over the PBR guide posted in the stickies at the top of the Advanced Networking forum. It's also linked to in the signature on any post by @egc, who posts in that forum frequently. I also discuss the simpler alternatives in my AirVPN how-to linked in my sig below. I use PBR on my routers and get around issues of having DNS queries out in the open by using DNSCrypt, which can be enabled easily with the "Encrypt DNS" toggle in the dnsmasq setup in GUI>Services>Services. I like the Adguard provider choices there, but YMMV.

droopie
DD-WRT Novice


Joined: 31 Dec 2014
Posts: 19

PostPosted: Fri Jul 03, 2020 3:06    Post subject:
Gotcha, and thank you. Yes, that was something I noticed. When I was setting up the VPN in DD-WRT, the first part was to set static DNS, which worked, but I noticed the next day, after doing tests on non-VPN devices, that I was indeed getting a weird DNS that I never set up, but found out it was my VPN DNS. That was my next question, but you answered the why. I'll look over your suggested posts. Just want to stay as safe as I can on those devices.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Fri Jul 03, 2020 16:37    Post subject:
When your DNS connects, your VPN provider may push the IP of its own DNS server to dd-wrt, to the top of a list. Next in the list are your static DNS choices from the setup page, and last are your ISP-provided DNS servers.

If you want to be sure these are tried in order, the dnsmasq page has a button for that. Otherwise dnsmasq will sometimes use the others, even if just to see how they are performing, and it will favor those that respond quickly. None of these servers are accessed through the VPN, so queries will be unencrypted. This can be fixed with a special route command — see egc's guide — in the PBR window, but such a command will make my kill switch not work properly. If you happen to be a linux person who can work with shell scripts and sed, it shouldn't be hard to upgrade my code to do the right thing. Alternatively, egc's guide features a more serious script to create a kill switch, one that should handle the fancy new PBR features OK.

All times are GMT