VPN kill switch not working and selectively bypassing VPN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page 1, 2, 3, 4, 5  Next
Author Message
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Mon Jan 11, 2016 20:21    Post subject: VPN kill switch not working and selectively bypassing VPN Reply with quote
So I've found out that my IPVanish VPN on my router is disconnecting very often.. not sure why.

Anyway, I was looking for a solution and found this (which I added to my firewall commands)
Code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o eth1 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


but for some reason it's not working. Perhaps I need to change the interface names to suit my setup ?

During my search on this topic, I've also found this customized script for IPVanish from eibgrad, which is supposedly allowing some IPs to 'bypass' the VPN and access internet in standard way - which would be very useful for me as well.

http://pastebin.com/xmetzKxb

But it's way to complex for my understanding - could someone explain the part where I need to specify the IP adresses ?

Thank you for help.
Sponsor
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Tue Jan 12, 2016 20:16    Post subject: Reply with quote
omg, I love you! It works.
You're collecting so much positive karma on this forum, sharing your knowledge lol. Hope you get it back someday.

What language is the script based on ?
Or is that a unique dd-wrt thing ?

And you're right.. but the problem is, that I don't have the full vpn options in my router.


Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Wed Jan 13, 2016 10:13    Post subject: Reply with quote
THe screenshot shows all the options I see..
I have no way to enter my login credentials, CA cert etc.

Do you have any idea why the VPN is dropping so much ?
This is my first paid VPN provider, so I'm not sure if this is normal. But for a paid subscription I'd expect the service to be 99% reliable.
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Fri Jan 15, 2016 18:30    Post subject: Reply with quote
well, I am running the Firmware: DD-WRT v24-sp2 (10/10/09) vpn. All the downloads on the site are from 2009.. so I am not sure if there's a newer version ?

It's a Linksys WRT54GL.
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Fri Jan 15, 2016 19:10    Post subject: Reply with quote
ok, thank you. I'll look through it and try to update.
Hopefully I won't encounter any problems during the process and the betas are stable.

The router is also incredibly underperforming with VPN connections (can't get a speed higher than 3mbps).. perhaps the update will solve this as well.
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Sat Jan 16, 2016 10:40    Post subject: Reply with quote
aah, I see. thank you for all the info.
gavsiu
DD-WRT Novice


Joined: 19 Jan 2014
Posts: 13

PostPosted: Wed Feb 10, 2016 22:02    Post subject: Reply with quote
eibgrad wrote:
The following "kill switch" will prevent all clients on the private network from accessing the WAN should the VPN drop.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


As far as IPVanish, I see no reason they should require scripting to manage the OpenVPN client. Maybe years ago that was necessary, but not today. Because if you used the OpenVPN GUI, you could also use the policy based routing field to specify which source IPs you want to use the VPN. All others would only use the WAN. A lot simpler than having to learn all the details and modifications in that IPVanish script.

I also have a new script on PasteBin that automatically manages a kill switch based on the contents of the policy based routing field. The script reads the contents of policy based routing field and assumes all those IPs should also be prevented from accessing the WAN. So now you don't need to know anything about how to block the WAN should the VPN go down. It's all done for you, automatically.

http://pastebin.com/332rk3we


Many thanks. Your new script is the best working example I've found. Exactly what I needed.
Rieper2
DD-WRT Novice


Joined: 02 Jul 2016
Posts: 2

PostPosted: Sat Jul 02, 2016 7:44    Post subject: Reply with quote
I added some more features to this script as I needed selective routing for specific domains also. So perhaps have a look here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1037913#1037913
dawg.biscoot
DD-WRT Novice


Joined: 24 Jul 2016
Posts: 1

PostPosted: Sun Jul 24, 2016 11:53    Post subject: Reply with quote
eibgrad wrote:
The following "kill switch" will prevent all clients on the private network from accessing the WAN should the VPN drop.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


As far as IPVanish, I see no reason they should require scripting to manage the OpenVPN client. Maybe years ago that was necessary, but not today. Because if you used the OpenVPN GUI, you could also use the policy based routing field to specify which source IPs you want to use the VPN. All others would only use the WAN. A lot simpler than having to learn all the details and modifications in that IPVanish script.

I also have a new script on PasteBin that automatically manages a kill switch based on the contents of the policy based routing field. The script reads the contents of policy based routing field and assumes all those IPs should also be prevented from accessing the WAN. So now you don't need to know anything about how to block the WAN should the VPN go down. It's all done for you, automatically.

http://pastebin.com/332rk3we



eibgrad, I haven't been able to test that this works. when I pasted the code snipped into firewall rulesin my dd-wrt and rebooted I still get vpn traffic with no issue but I lost webgui on that router. any advice?
jeffrice
DD-WRT Novice


Joined: 27 Jul 2016
Posts: 36

PostPosted: Mon Sep 05, 2016 17:35    Post subject: Reply with quote
How are folks testing to see if this works? I assume if I disable OpenVPN in the GUI, this won't be a good "simulation" of a disconnect.

Would killing the openvpn process work? I'm not sure that's really the best option - since in a normal disconnect I'd have openvpn still running (presumably) but no connection to the VPN itself.

Ideas please!
jeanericblass
DD-WRT Novice


Joined: 01 Mar 2016
Posts: 11

PostPosted: Mon Feb 06, 2017 10:39    Post subject: Reply with quote
eibgrad wrote:
The following "kill switch" will prevent all clients on the private network from accessing the WAN should the VPN drop.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


As far as IPVanish, I see no reason they should require scripting to manage the OpenVPN client. Maybe years ago that was necessary, but not today. Because if you used the OpenVPN GUI, you could also use the policy based routing field to specify which source IPs you want to use the VPN. All others would only use the WAN. A lot simpler than having to learn all the details and modifications in that IPVanish script.

I also have a new script on PasteBin that automatically manages a kill switch based on the contents of the policy based routing field. The script reads the contents of policy based routing field and assumes all those IPs should also be prevented from accessing the WAN. So now you don't need to know anything about how to block the WAN should the VPN go down. It's all done for you, automatically.

http://pastebin.com/332rk3we
https://www.vpnranks.com/vpn-with-kill-switch/

Thanks for sharing such a very useful information.
Farizno
DD-WRT Novice


Joined: 19 Apr 2017
Posts: 19

PostPosted: Sun Apr 23, 2017 14:51    Post subject: Reply with quote
eibgrad wrote:
I also have a new script on PasteBin that automatically manages a kill switch based on the contents of the policy based routing field. The script reads the contents of policy based routing field and assumes all those IPs should also be prevented from accessing the WAN. So now you don't need to know anything about how to block the WAN should the VPN go down. It's all done for you, automatically.

http://pastebin.com/332rk3we


Thank you for all your hard work. I have pasted this in my firewall scripts and will see how it works. Every night my VPN connection drops some time while I'm sleeping. I don't know if there is some sort of server reset or disconnect from IPVanish, or if it it just coincidence. I will see tomorrow morning if it happens again. Hopefully the IPs in my pbr fields will not be allowed on the WAN.
cecoates
DD-WRT Novice


Joined: 24 Jul 2015
Posts: 16

PostPosted: Mon May 01, 2017 17:36    Post subject: Reply with quote
jeffrice wrote:
How are folks testing to see if this works? I assume if I disable OpenVPN in the GUI, this won't be a good "simulation" of a disconnect.

Would killing the openvpn process work? I'm not sure that's really the best option - since in a normal disconnect I'd have openvpn still running (presumably) but no connection to the VPN itself.

Ideas please!


I go to the Services->VPN tab, and then intentionally alter the VPN Server IP/Name by one character.

Throw in an extra letter or number, click save and then apply settings. It'll attempt to reconnect to the VPN at the new (most likely broken) address.

When I know the killswitch is working, I change it back, click save and apply settings again, and you're back in business.
cecoates
DD-WRT Novice


Joined: 24 Jul 2015
Posts: 16

PostPosted: Wed May 03, 2017 6:15    Post subject: Reply with quote
eibgrad wrote:

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


I'm new to these iptables commands and I'm curious about how this works. If your router rebooted, couldn't the non-VPN connection get interpreted as the connection you want, and connecting to the VPN end up being the NEW state? Resulting in the opposite of what you're going for?
kandrew
DD-WRT Novice


Joined: 03 May 2017
Posts: 1

PostPosted: Wed May 03, 2017 19:47    Post subject: Reply with quote
Hi,

I'm trying to accomplish something similar to what people have described but am failing miserably.

My VPN is setup and working (OpenVPN, PIA).
The kill switch kindly provided by eibgrad works perfectly as expected however:

I’m trying to add two external /24 IP ranges that should never go over the VPN. Before applying the kill switch I’d add the following to the openvpn options

route XXX.XXX.XXX.XXX 255.255.255.0 net_gateway
route XXX.XXX.XXX.XXX 255.255.255.0 net_gateway

This worked fine however since adding the kill switch I can no longer access the ip ranges that should bypass the VPN

Does anyone know how to accomplish this?

Thanks in advance
Goto page 1, 2, 3, 4, 5  Next Display posts from previous:    Page 1 of 5
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum