Protection in case of VPN disconnect

DD-WRT Forum -> Advanced Networking
JakeGreen
DD-WRT Novice


Joined: 27 Apr 2014
Posts: 1

Posted: Sun Apr 27, 2014 19:23    Post subject: Protection in case of VPN disconnect
Hi,

I'm using an ASUS RT-AC66U router configured for Private Internet Access (PIA) with the latest Kong build. Everything is working fine (albeit a bit slow compared to the Windows client), but I'd like to know if there is a way to configure the router to ONLY allow internet traffic through the VPN in the event of a VPN disconnect.

Currently, if the router loses connection to the PIA service (or doesn't connect at startup), my true IP address is exposed. And the only way to know this is by manually checking my IP address. The PIA Windows client has a "kill switch" feature that will cut all internet traffic if the connection to PIA is lost.

Can something like this be configured when connected to a VPN service through a dd-wrt configured router?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4793
Location: Akershus, Norway

Posted: Mon Apr 28, 2014 20:12
Disable NAT LAN->WAN.
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

Posted: Tue Apr 29, 2014 12:34
Per Yngve Berg wrote:
Disable NAT LAN->WAN.


Hi,
I looked everywhere (well obviously not in the right place,) but where is this setting located in the DD-WRT menus? Also, what exactly will this do?

Thank you for your contributions!
rizla7
DD-WRT User


Joined: 11 May 2012
Posts: 293

Posted: Tue Apr 29, 2014 14:43
tldr (if you don't care why); hmm, you know how you can eliminate half the issues? put your vpn router on another subnet behind your WAN router.

therefore you can set a static ip on the vpn router, and remove the default gateway. then all you need is a route to your vpn provider's IP through the main NAT router. presto.

if your vpn provider doesn't use static ip, you need more work on dns, and conditional forwarding.

better this way anyways; then you can maintain separate wan and vpn connections, setting the gateway on the client to whichever you want to use.

----

disabling nat won't hide your dns requests if you're paranoid. that traffic will also hit your isp gateway.

not like it matters much. i guess it matters if you're using another lan or wap (public connection) for your wan connection.

in any case, this is only a problem because of DHCP on your WAN, if you have static ip (which vpn was meant to work with), then you solve half (or all) your problems in this case.

the reason is because dd-wrt will re-map the gateway of your pppoe provider to the routing table on a dd-wrt openvpn client.

you can however, block all traffic out the wan port in the FORWARD table, and also block DNS traffic in the OUTPUT table. then map static routes to your vpn provider IP. dd-wrt will still do the routing (cpu power), but will drop the traffic when it's outbound.

other alternative would be to remove the isp gateway when your vpn goes down and it's re-added by dd-wrt. that probably happens sometime after route-down.sh runs when the vpn tunnel gets destroyed. or prevent dd-wrt from adding the pppoe gateway. not sure if that's done by script or within the dhcp client itself...

but, that would require locating the point at which it adds your default gateway back (from pppoe), and i don't know of such a script/event. it may be handled internally by some process, don't know.

you can just try blindly replacing the default gateway on route-up and startup for both pppoe and the vpn... although how to go about that, not exactly sure, and i don't think it'd be perfect (there would be a few seconds between the remap possibly, meaning information leakage).

ask kong. he said he 'might' implement a feature.

imo all that would be required to fix this is an option for 'do not add wan/pppoe gateway to routing table' or something.

however, it would need to be an 'advanced' feature, since you would need to manually map a route to your vpn provider IP in this configuration. this is assuming your WAN gateway never changes, or would need scripts for that too ;o and if they don't use static ip, then you need routes to your ISP DNS servers... but that's not good enough, you need conditional forwarding for only the vpn provider domain, don't even know if that's possible on dd-wrt, might need linux/windows server.

so, in order to work with pppoe: (assuming we could block the addition of the pppoe gateway to the routing table, but still be able to retrieve it via script).

A. need a static route to VPN ip
B. if VPN uses dynamic ip, need routes to DNS servers (and conditional forwarding).
C. if your ISP gateway changes, you need a script for that, to set the routes in A. and B. above

----

there is one other alternative that i didn't think of until now.

vlans. separate your lan ports into 2 switches, and set policy-based routing and iptables for the 2nd vlan, allowing only vpn communication. then wire the 2 switches up to each other. technically this could be done on a single router, but i wouldn't even want to attempt this :D
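The third option in the post above (drop everything from the LAN that would leave via the WAN in FORWARD, and drop the router's own DNS out the WAN in OUTPUT) written out as a DD-WRT firewall script. This is an added example, not code from rizla7 or any other poster. The interface names, the LAN subnet 192.168.1.0/24 and the endpoint 198.51.100.10 on udp/1194 are placeholders; the endpoint has to be a fixed IP, because once the router's DNS is blocked out the WAN a hostname in the OpenVPN config could never resolve before the tunnel is up (the "conditional forwarding" problem rizla7 mentions).

```shell
#!/bin/sh
# Whole-LAN VPN kill switch for a DD-WRT router running the OpenVPN client.
# Added example, not code from the thread. Save it as the DD-WRT "Firewall"
# script (Administration -> Commands -> Save Firewall) so it is re-applied
# whenever DD-WRT rebuilds its iptables rules (WAN up/down, settings saved).
#
# Assumptions (hypothetical; adjust to your router):
#   WAN_IF      the WAN interface, taken from nvram wan_iface on the router
#   VPN_IF      the OpenVPN client's tunnel interface (tun1 on DD-WRT)
#   LAN_NET     the LAN behind the router
#   VPN_SERVER  the provider's endpoint as a fixed IP: the router's own DNS
#               out the WAN is blocked below, so a hostname could not resolve
#   VPN_PROTO/VPN_PORT  how that endpoint is reached

WAN_IF=${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo vlan2)}
VPN_IF=${VPN_IF:-tun1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
VPN_SERVER=${VPN_SERVER:-198.51.100.10}   # placeholder address (TEST-NET-2)
VPN_PROTO=${VPN_PROTO:-udp}
VPN_PORT=${VPN_PORT:-1194}

# Print the rules one command per line so they can be reviewed (or tested)
# before they are applied. The chain is flushed and old jumps deleted before
# re-inserting, so running the script twice does not stack duplicate rules.
#
# FORWARD: LAN traffic heading into the tunnel is returned to normal
# processing; LAN traffic heading out the WAN is logged (rate limited) and
# dropped. With the tunnel down there is no tunnel route, so everything the
# LAN sends would go out the WAN and is therefore dropped.
# OUTPUT: the router itself may still reach the VPN endpoint over the WAN
# (otherwise the tunnel could never come up), but its own DNS queries, which
# dnsmasq sends on behalf of the LAN, may not leave via the WAN at all.
killswitch_rules() {
    cat <<EOF
iptables -N VPN_KILL 2>/dev/null
iptables -F VPN_KILL
iptables -A VPN_KILL -o $VPN_IF -j RETURN
iptables -A VPN_KILL -o $WAN_IF -m limit --limit 3/min -j LOG --log-prefix "vpn-killswitch: "
iptables -A VPN_KILL -o $WAN_IF -j DROP
iptables -D FORWARD -s $LAN_NET -j VPN_KILL 2>/dev/null
iptables -I FORWARD 1 -s $LAN_NET -j VPN_KILL
iptables -D OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT 2>/dev/null
iptables -I OUTPUT 1 -o $WAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -D OUTPUT -o $WAN_IF -p udp --dport 53 -j DROP 2>/dev/null
iptables -D OUTPUT -o $WAN_IF -p tcp --dport 53 -j DROP 2>/dev/null
iptables -I OUTPUT 2 -o $WAN_IF -p udp --dport 53 -j DROP
iptables -I OUTPUT 2 -o $WAN_IF -p tcp --dport 53 -j DROP
EOF
}

# On the router (nvram present) apply the rules; anywhere else just print them.
if command -v nvram >/dev/null 2>&1; then
    killswitch_rules | sh
else
    killswitch_rules
fi
```

Because it runs as the firewall script, the DROP rules are in place from boot, so the "doesn't connect at startup" case in the first post is covered as well. To check it, stop the OpenVPN client under Services -> VPN and confirm a LAN host can no longer reach anything; `iptables -L VPN_KILL -n -v` shows the drop counters climbing and `logread` shows the "vpn-killswitch:" lines. The ACCEPT for the endpoint is inserted ahead of the DNS drops on purpose: some providers run OpenVPN on port 53, and the order keeps that working.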
dramos126
DD-WRT Novice


Joined: 17 Oct 2012
Posts: 12
Location: United States

Posted: Tue Sep 09, 2014 21:48
I was actually looking for this as well.

My current set up is
Modem > Linksys Home Router > Buffalo PPTP VPN Client (DD-WRT)

I want to make sure whenever the VPN disconnects traffic is stopped and my IP is not left exposed.

If I understand correctly, which I probably am not (lol new at this), disabling NAT on my Buffalo router should keep me covered?
B3hdad
DD-WRT Novice


Joined: 24 Dec 2014
Posts: 42

Posted: Tue Dec 30, 2014 14:08
I wanted to do something similar...only on one router.
Please see this post as it might help:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=940712#940712

All I did was specified the IP of devices that need to access VPN in the policy based routing under the VPN tab.

Then on the firewall used the following rule to drop packets
if VPN is not connected:

iptables -I FORWARD -s <ip-address> -o $(nvram get wan_iface) -j DROP

I think this is the kill switch isn't it?
jams775
DD-WRT Novice


Joined: 02 Jun 2013
Posts: 7

Posted: Fri Feb 13, 2015 16:54
B3hdad wrote:
I wanted to do something similar...only on one router.
Please see this post as it might help:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=940712#940712

All I did was specified the IP of devices that need to access VPN in the policy based routing under the VPN tab.

Then on the firewall used the following rule to drop packets
if VPN is not connected:

iptables -I FORWARD -s <ip-address> -o $(nvram get wan_iface) -j DROP

I think this is the kill switch isn't it?


I'm trying to do the same thing and I'm wondering: what exactly do you put under the "Policy Based Routing" part of the VPN section? Do you just enter the IP or a command? And is the <ip-address> part the local LAN IP (like 192.168.1.1?) or WAN? I'm completely new to this so any extra help would be great.
B3hdad
DD-WRT Novice


Joined: 24 Dec 2014
Posts: 42

Posted: Fri Feb 13, 2015 22:46
Under the "Policy Based Routing" section you only specify the internal IP addresses and there is no need for a command. So for me I added the following couple of lines to say I want these devices to go through VPN:

192.168.1.1
192.168.1.2

You could also use a format like xxx.xxx.xxx.xxx/yy but it is probably easier for home users to specify the IPs individually.

As for <ip-address>, it refers to the internal IP address again. So for example, from the above two machines that go through VPN if I want to make sure that the first one doesn't connect to internet if VPN is unavailable I do:

iptables -I FORWARD -s 192.168.1.1 -o $(nvram get wan_iface) -j DROP

HTH.
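B3hdad's one-line rule, generalised to every entry in the Policy Based Routing box so that the two lists cannot drift apart. This is an added example, not code from either post. It assumes the Policy Based Routing text is stored in the nvram variable openvpncl_route, one IP or CIDR per line (confirm on your build with `nvram show | grep openvpncl`), and that the WAN interface comes from `nvram get wan_iface` exactly as in the quoted rule. Hosts not in the list are left alone and keep using the WAN.

```shell
#!/bin/sh
# Per-client VPN kill switch for DD-WRT: only the hosts listed under
# Policy Based Routing are forced through the tunnel; the rest of the LAN
# keeps using the WAN directly. Added example, not code from the thread.
# Save as the DD-WRT "Firewall" script so it survives firewall restarts.
#
# Assumptions (hypothetical; check them on your build):
#   - the Policy Based Routing box is stored in nvram as openvpncl_route,
#     one IP or CIDR per line (confirm with: nvram show | grep openvpncl)
#   - the WAN interface is what nvram wan_iface reports (vlan2 or ppp0)

WAN_IF=${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo vlan2)}

# Constructed stand-in for the nvram value, used when run off the router.
SAMPLE_PBR='192.168.1.1
192.168.1.2
192.168.1.64/27'

pbr_clients() {
    nvram get openvpncl_route 2>/dev/null || printf '%s\n' "$SAMPLE_PBR"
}

# Emit the rules for a whitespace- or newline-separated list of clients.
# The VPN_ONLY chain is only consulted for packets leaving via the WAN, so
# a listed client's traffic into the tunnel is untouched, while anything from
# it that would leave via the WAN (the tunnel being down, or a destination the
# policy routing did not send into the tunnel) is dropped: offline, not exposed.
per_client_rules() {
    list=$1
    [ -n "$list" ] || echo "per_client_rules: empty client list, nothing is protected" >&2
    printf 'iptables -N VPN_ONLY 2>/dev/null\n'
    printf 'iptables -F VPN_ONLY\n'
    for c in $list; do
        case $c in
            */*) ;;            # already a CIDR prefix
            *)   c=$c/32 ;;    # single host, written as /32 for clarity
        esac
        printf 'iptables -A VPN_ONLY -s %s -o %s -j DROP\n' "$c" "$WAN_IF"
    done
    printf 'iptables -D FORWARD -o %s -j VPN_ONLY 2>/dev/null\n' "$WAN_IF"
    printf 'iptables -I FORWARD 1 -o %s -j VPN_ONLY\n' "$WAN_IF"
}

# On the router (nvram present) apply the rules; anywhere else just print them.
if command -v nvram >/dev/null 2>&1; then
    per_client_rules "$(pbr_clients)" | sh
else
    per_client_rules "$(pbr_clients)"
fi
```

After saving, `iptables -L VPN_ONLY -n -v` lists one DROP per protected client with packet counters; stop the OpenVPN client and the counters for those hosts should start climbing while an unlisted host still browses normally. Note that this only covers forwarded traffic: DNS for the protected hosts still goes through dnsmasq on the router, which resolves via the router's own routes, so pair it with a DNS restriction if the resolver leaking over the WAN matters to you.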
All times are GMT