Posted: Sun Apr 27, 2014 19:23 Post subject: Protection in case of VPN disconnect
I'm using an ASUS RT-AC66U router configured for Private Internet Access (PIA) with the latest Kong build. Everything is working fine (albeit a bit slow compared to the Windows client), but I'd like to know if there is a way to configure the router to ONLY allow internet traffic through the VPN in the event of a VPN disconnect.
Currently, if the router loses connection to the PIA service (or doesn't connect at startup), my true IP address is exposed. And the only way to know this is by manually checking my IP address. The PIA Windows client has a "kill switch" feature that will cut all internet traffic if the connection to PIA is lost.
Can something like this be configured when connected to a VPN service through a dd-wrt configured router?
TL;DR (if you don't care why): you know how you can eliminate half the issues? Put your VPN router on another subnet behind your WAN router.
Therefore you can set a static IP on the VPN router, and remove the default gateway. Then all you need is a route to your VPN provider's IP through the main NAT router. Presto.
If your VPN provider doesn't use a static IP, you need more work on DNS, and conditional forwarding.
Better this way anyway, then you can maintain separate WAN and VPN connections, setting the gateway on the client to whichever you want to use.
Disabling NAT won't hide your DNS requests if you're paranoid. That traffic will also hit your ISP gateway.
Not like it matters much. I guess it matters if you're using another LAN or WAP (public connection) for your WAN connection.
In any case, this is only a problem because of DHCP on your WAN; if you have a static IP (which VPN was meant to work with), then you solve half (or all) your problems in this case.
The reason is that dd-wrt will re-map the gateway of your PPPoE provider to the routing table on a dd-wrt OpenVPN client.
You can, however, block all traffic out the WAN port in the FORWARD table, and also block DNS traffic in the OUTPUT table. Then map static routes to your VPN provider IP. dd-wrt will still do the routing (CPU power), but will drop the traffic when it's outbound.
The other alternative would be to remove the ISP gateway when your VPN goes down and it's re-added by dd-wrt. That probably happens sometime after route-down.sh runs when the VPN tunnel gets destroyed. Or prevent dd-wrt from adding the PPPoE gateway. Not sure if that's done by script or within the DHCP client itself...
But that would require locating the point at which it adds your default gateway back (from PPPoE), and I don't know of such a script/event. It may be handled internally by some process, don't know.
You could just try blindly replacing the default gateway on route-up and startup for both PPPoE and the VPN... although how to go about that, not exactly sure, and I don't think it'd be perfect (there would be a few seconds between the remap possibly, meaning information leakage).
Ask Kong. He said he 'might' implement a feature.
IMO all that would be required to fix this is an option for 'do not add WAN/PPPoE gateway to routing table' or something.
However, it would need to be an 'advanced' feature, since you would need to manually map a route to your VPN provider IP in this configuration. This is assuming your WAN gateway never changes, or you would need scripts for that too ;o And if they don't use a static IP, then you need routes to your ISP DNS servers... but that's not good enough, you need conditional forwarding for only the VPN provider domain. Don't even know if that's possible on dd-wrt, might need a Linux/Windows server.
So, in order to work with PPPoE (assuming we could block the addition of the PPPoE gateway to the routing table, but still be able to retrieve it via script):
A. Need a static route to the VPN IP.
B. If the VPN uses a dynamic IP, need routes to DNS servers (and conditional forwarding).
C. If your ISP gateway changes, you need a script for that, to set the routes in A. and B. above.
There is one other alternative that I didn't think of until now.
VLANs. Separate your LAN ports into 2 switches, and set policy-based routing and iptables for the 2nd VLAN, allowing only VPN communication. Then wire the 2 switches up to each other. Technically this could be done on a single router, but I wouldn't even want to attempt this.
All I did was specify the IP of devices that need to access VPN in the policy based routing under the VPN tab.
Then on the firewall I used the following rule to drop packets if VPN is not connected:
iptables -I FORWARD -s <ip-address> -o $(nvram get wan_iface) -j DROP
I think this is the kill switch isn't it?
I'm trying to do the same thing and I'm wondering: what exactly do you put under the "Policy Based Routing" part of the VPN section? Do you just enter the IP or a command? And is the <ip-address> part the local LAN IP (like 192.168.1.1?) or WAN? I'm completely new to this so any extra help would be great.
Under the "Policy Based Routing" section you only specify the internal IP addresses and there is no need for a command. So for me I added the following couple of lines to say I want these devices to go through VPN:
You could also use a format like xxx.xxx.xxx.xxx/yy but it is probably easier for home users to specify the IPs individually.
As for <ip-address>, it refers to the internal IP address again. So for example, from the above two machines that go through VPN if I want to make sure that the first one doesn't connect to internet if VPN is unavailable I do:
iptables -I FORWARD -s 192.168.1.1 -o $(nvram get wan_iface) -j DROP
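The pieces described in this thread (the FORWARD drop per client, the OUTPUT DNS block, and item A, a static route to the VPN provider's IP) combined into one dd-wrt-style firewall script. This is an added example, not code posted by anyone in the thread; the interface names, addresses and client list (VPN_IF, WAN_IF, WAN_GW, VPN_SERVER, VPN_CLIENTS) are placeholders you replace with your own, e.g. from `nvram get wan_iface` and `nvram get wan_gateway`.

```shell
#!/bin/sh
# Added example (not from the thread): a dd-wrt firewall script that turns the
# per-client FORWARD drop into a fuller VPN "kill switch".
# All values below are assumptions for illustration; on a real router set
# them from nvram, e.g. WAN_IF=$(nvram get wan_iface) WAN_GW=$(nvram get wan_gateway).
# Usage: "sh killswitch.sh dry-run" prints the commands, "sh killswitch.sh apply"
# installs them (run as root, e.g. from the dd-wrt Firewall script box).

IPT="${IPT:-iptables}"                      # set IPT=echo to print instead of apply
IP="${IP:-ip}"
WAN_IF="${WAN_IF:-vlan2}"                   # raw ISP-facing interface (assumed)
VPN_IF="${VPN_IF:-tun1}"                    # OpenVPN client tunnel interface (assumed)
WAN_GW="${WAN_GW:-203.0.113.1}"             # ISP gateway (documentation address)
VPN_SERVER="${VPN_SERVER:-198.51.100.10}"   # provider endpoint (documentation address)
VPN_CLIENTS="${VPN_CLIENTS:-192.168.1.10 192.168.1.11}"  # LAN hosts that must never leak

# Item A from the thread: a host route so the tunnel endpoint itself is always
# reached over the raw WAN, even if the default route is removed or replaced.
vpn_host_route() {
    "$IP" route replace "$VPN_SERVER/32" via "$WAN_GW" dev "$WAN_IF"
}

# Per-client kill switch. While the VPN is up, policy-based routing sends the
# host out VPN_IF; when the tunnel is down its packets fall back to WAN_IF and
# hit the DROP instead of leaving with the real IP. -I puts the rules ahead of
# dd-wrt's own ACCEPTs in FORWARD.
killswitch_client() {
    client="$1"
    "$IPT" -I FORWARD -s "$client" -o "$VPN_IF" -j ACCEPT
    "$IPT" -I FORWARD -s "$client" -o "$WAN_IF" -j DROP
}

# DNS leak guard for the router's own resolver: dnsmasq forwards LAN lookups
# from the router itself, i.e. through OUTPUT, so a FORWARD rule never sees them.
dns_leak_guard() {
    "$IPT" -I OUTPUT -o "$WAN_IF" -p udp --dport 53 -j DROP
    "$IPT" -I OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j DROP
}

apply_killswitch() {
    vpn_host_route
    dns_leak_guard
    for c in $VPN_CLIENTS; do
        killswitch_client "$c"
    done
}

case "${1:-}" in
    apply)   apply_killswitch ;;
    dry-run) IPT=echo; IP=echo; apply_killswitch ;;
esac
```

Two caveats a practitioner will hit: with the OUTPUT DNS block in place the router can no longer resolve the provider's hostname while the tunnel is down, so the OpenVPN config must use `remote <ip>` (or you need the conditional-forwarding work the thread discusses under item B); and if the script can run more than once (firewall restarts), delete each rule with `-D` before inserting it, or the chain fills with duplicates.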