[SOLVED] "killswitch" doesn't fully kill & how

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
JackPollack
DD-WRT User


Joined: 22 May 2015
Posts: 59

PostPosted: Wed Jun 29, 2022 17:28    Post subject: [SOLVED] "killswitch" doesn't fully kill & how Reply with quote
firmware r48607
Using OpenVPN

I have a firewall rule
Code:
iptables -I FORWARD -s 192.168.0.28 -o vlan2 -j DROP

and this set
Code:
ip route add default dev tun1 table 200
ip rule add from 192.168.0.28 table 200

If I run command
Code:
killall openvpn


The "STATUS - OPEENVPN" page shows that the VPN is down as expected but if I try to browse the internet on the .28 device (which should only be connected over the VPN) after 5 min the browser does render the page sometimes (sometimes it times out as expected). I don't think thse pages are browser cached and they could be a new google search

A traceroute from .28 when the VPN is up takes 1 second as expected when the VPN is down it takes 5 minutes to complete (very slow on each hop) but eventually completes and returns
Code:
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  * 192.168.1.1 (192.168.1.1)  4.789 ms  266.605 ms
 2  182.157.64.1 (182.157.64.1)  11.577 ms  12.225 ms  7.943 ms
 3  68.173.202.188 (68.173.202.188)  15.400 ms  267.406 ms  12.024 ms
 4  68.173.198.56 (68.173.198.56)  20.236 ms  15.717 ms  28.289 ms
 5  66.109.6.78 (66.109.6.78)  17.732 ms  183.490 ms
    107.14.19.24 (107.14.19.24)  16.981 ms
 6  66.109.5.138 (66.109.5.138)  15.709 ms
    66.109.6.27 (66.109.6.27)  242.718 ms
    66.109.5.138 (66.109.5.138)  247.722 ms
 7  209.85.172.46 (209.85.172.46)  13.920 ms
    24.30.200.163 (24.30.200.163)  15.725 ms
    72.14.212.114 (72.14.212.114)  273.217 ms
 8  * * *
 9  8.8.8.8 (8.8.8.8)  15.788 ms *  131.192 ms


Why doesn't my firewall rule totally kill the .28 devise when the VPN is down? How can I make this work as expected (totally kill internet for .28 when VPN is down)?

Why/how is it working if the firewall is down. ie I would like to understand how it is still working and why if it is, it is so slow (would think I'm connected or not)

I know there is a lot of other config stuff I could provide, but this post is already getting long so I'm hoping this info may be enough to answer the question (of course I can provide more if requested
Sponsor
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1901
Location: All over YOUR webs

PostPosted: Wed Jun 29, 2022 17:35    Post subject: Reply with quote
Hello there.

First you should be using a current build http://ftp.dd-wrt.com/dd-wrtv2/downloads/betas/2022/06-29-2022-r49392/

Then consider sharing screenshots of your setup.

If any questions consider reading the OpenVPN guide written by our resident and beloved M.C.H.O and tunneling expert egc.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Wed Jun 29, 2022 17:40    Post subject: Reply with quote
Why are you NOT using the GUI to manage all this? It has its own PBR (policy based routing) and a proper killswitch, even a watchdog!, all of which is known to work correctly.

As far as your specific coding, it *assumes* vlan2 is the network interface for the WAN. That's not always the case! Did you verify this by dumping the main routing table?

Code:
ip route


P.S. That's why the following is safer.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -s 192.168.0.28 -o $WAN_IF -j DROP

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
JackPollack
DD-WRT User


Joined: 22 May 2015
Posts: 59

PostPosted: Wed Jun 29, 2022 19:05    Post subject: Reply with quote
I ran into some problems I think it was related to the USB/NAS settings. After 2 weeks of fooling around with it I finally gave up and went with older version of the firmware. Can't remember the specifics.

If I cant get my way to work correctly I will try the GUI PBR but would like to try to fix this and understand it if possible.

ip route returns
Code:
default via x.x.x.x dev eth0
127.0.0.0/8 dev lo scope link
y.y.y.y/23 dev tun1 scope link  src z.z.z.z
a.a.a.0/19 dev eth0 scope link  src b.b.b.b
192.168.1.0/24 dev br0 scope link  src 192.168.1.1


eth0 is the normal WAN
tun1 is the VPN

I dont think I should change the firewall rule to tun1 (should I?)
iptables -I FORWARD -s 192.168.0.28 -o tun1 -j DROP <---- ??????
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Wed Jun 29, 2022 19:08    Post subject: Reply with quote
JackPollack wrote:
I ran into some problems I think it was related to the USB/NAS settings. After 2 weeks of fooling around with it I finally gave up and went with older version of the firmware. Can't remember the specifics.

If I cant get my way to work correctly I will try the GUI PBR but would like to try to fix this and understand it if possible.

ip route returns
Code:
default via x.x.x.x dev eth0
127.0.0.0/8 dev lo scope link
y.y.y.y/23 dev tun1 scope link  src z.z.z.z
a.a.a.0/19 dev eth0 scope link  src b.b.b.b
192.168.1.0/24 dev br0 scope link  src 192.168.1.1


eth0 is the normal WAN
tun1 is the VPN

I dont think I should change the firewall rule to tun1 (should I?)
iptables -I FORWARD -s 192.168.0.28 -o tun1 -j DROP <---- ??????


As I worried, vlan2 is NOT the WAN. It's eth0! That's the output network interface (-o) you want blocked.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10404
Location: Netherlands

PostPosted: Wed Jun 29, 2022 19:15    Post subject: Reply with quote
The GUI is there especially for people who need help in setting these things up Smile

If you want to setup a manual killswitch use @eibgrads suggestion.

The OpenVPN client setup guide has a similar one.
Reading a manual sometimes helps Wink

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
JackPollack
DD-WRT User


Joined: 22 May 2015
Posts: 59

PostPosted: Thu Jun 30, 2022 13:23    Post subject: Reply with quote
Thanks everyone.

changing the firewall rule solved the issue

working:
iptables -I FORWARD -s 192.168.1.28 -o eth0 -j DROP
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum