VPN kill switch not working and selectively bypassing VPN

DD-WRT Forum Forum Index -> Advanced Networking
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Mon Jan 11, 2016 20:21    Post subject: VPN kill switch not working and selectively bypassing VPN
So I've found out that my IPVanish VPN on my router is disconnecting very often.. not sure why.

Anyway, I was looking for a solution and found this (which I added to my firewall commands)
Code:
# LAN bridge (br0) <-> tunnel (tun0) forwarding in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# Drop LAN traffic leaving via the WAN directly (eth1 is assumed here; on a WRT54GL the WAN is normally vlan1, check 'ip route')
iptables -I FORWARD -i br0 -o eth1 -j DROP
# Reject tunnel traffic addressed to the router itself (at the top of INPUT, so this also hits replies to the router's own tunnel connections)
iptables -I INPUT -i tun0 -j REJECT
# Masquerade LAN traffic going out the tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


but for some reason it's not working. Perhaps I need to change the interface names to suit my setup ?

During my search on this topic, I've also found this customized script for IPVanish from eibgrad, which is supposedly allowing some IPs to 'bypass' the VPN and access internet in standard way - which would be very useful for me as well.

http://pastebin.com/xmetzKxb

But it's way too complex for my understanding - could someone explain the part where I need to specify the IP addresses?

Thank you for help.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon Jan 11, 2016 22:21    Post subject:
The following "kill switch" will prevent all clients on the private network from accessing the WAN should the VPN drop.

Code:
# WAN interface taken from the default route (e.g. vlan2, eth0 or ppp0), so nothing is hardcoded
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# Reject NEW connections from the LAN that would leave via the WAN instead of the tunnel; ESTABLISHED flows are not matched
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# Inserted last, so matched first: TCP gets a RST instead of an ICMP error and clients fail fast rather than hang
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


As far as IPVanish, I see no reason they should require scripting to manage the OpenVPN client. Maybe years ago that was necessary, but not today. Because if you used the OpenVPN GUI, you could also use the policy based routing field to specify which source IPs you want to use the VPN. All others would only use the WAN. A lot simpler than having to learn all the details and modifications in that IPVanish script.

I also have a new script on PasteBin that automatically manages a kill switch based on the contents of the policy based routing field. The script reads the contents of the policy based routing field and assumes all those IPs should also be prevented from accessing the WAN. So now you don't need to know anything about how to block the WAN should the VPN go down. It's all done for you, automatically.

http://pastebin.com/332rk3we
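An added example, not eibgrad's pastebin script and not DD-WRT's own implementation of the policy based routing field, that ties the two ideas in the post above together: it derives the WAN interface from the routing table the same way, then takes a policy based routing list (the sort of entries the GUI field accepts) and emits both the per-client kill switch and the ip rule / ip route plumbing that sends those clients through the tunnel. The interface names br0 and tun0, routing table 100, and the sample route listing and PBR entries are assumptions; with DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read through on any machine.

```sh
#!/bin/sh
# Added example, not eibgrad's pastebin script and not DD-WRT's own PBR code.
# Assumptions: LAN bridge br0, VPN interface tun0, routing table 100 unused.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun0}"
PBR_TABLE="${PBR_TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# WAN interface from 'ip route' text on stdin. Same idea as the awk one-liner
# in the post above, but it skips tun/tap devices: with plain 'redirect-gateway'
# (no def1) OpenVPN replaces the default route, and the naive version would
# then name tun0 as the WAN and the kill switch would block the VPN itself.
wan_if_from_routes() {
    awk '
        $1 == "default" {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i+1) !~ /^(tun|tap)/) { print $(i+1); exit }
        }'
}

# Normalise what the policy based routing field accepts (IPs/CIDRs separated
# by spaces, commas or newlines) into one entry per line.
pbr_entries() {
    tr ',\t\r' '   ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Kill switch scoped to the PBR clients read from stdin: nothing from those
# sources may leave via the WAN, whatever its conntrack state (see note below).
# Rules are inserted with -I, so the tcp-reset rule inserted second is matched
# first and TCP clients get a RST instead of a hanging connection.
kill_switch() {
    wan_if="$1"
    while read -r src; do
        run iptables -I FORWARD -i "$LAN_IF" -s "$src" -o "$wan_if" \
            -j REJECT --reject-with icmp-host-prohibited
        run iptables -I FORWARD -i "$LAN_IF" -s "$src" -o "$wan_if" -p tcp \
            -j REJECT --reject-with tcp-reset
    done
}

# Hand-rolled equivalent of the policy based routing field: a table whose only
# default route is the tunnel, plus one rule per client sending that client's
# traffic to the table. Run it after tun0 is up (e.g. from an OpenVPN route-up).
policy_route() {
    run ip route replace default dev "$VPN_IF" table "$PBR_TABLE"
    while read -r src; do
        run ip rule add from "$src" table "$PBR_TABLE"
    done
    run ip route flush cache
}

# Constructed sample input: a PBR field with three entries, and an 'ip route'
# listing as it looks while the VPN is up with 'redirect-gateway def1'.
SAMPLE_PBR='192.168.1.10, 192.168.1.20
192.168.1.64/27'
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.0.2.1 dev vlan1
10.8.0.0/24 dev tun0 proto kernel scope link
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev br0 proto kernel scope link'

main() {
    wan_if="$(printf '%s\n' "$SAMPLE_ROUTES" | wan_if_from_routes)"
    [ -n "$wan_if" ] || { echo "no WAN interface found" >&2; return 1; }
    printf '%s\n' "$SAMPLE_PBR" | pbr_entries | kill_switch "$wan_if"
    printf '%s\n' "$SAMPLE_PBR" | pbr_entries | policy_route
}

main "$@"
```

Two design points. The kill switch here deliberately has no `--state NEW` match: a flow that was set up through the tunnel keeps its conntrack entry when the tunnel drops and the route flips to the WAN, so its packets still carry state ESTABLISHED and a NEW-only rule lets them out; clients that are only ever supposed to use the VPN have no legitimate WAN flows, so every packet from them towards the WAN can be rejected. And on the router the two halves live in different places: the kill switch belongs in the firewall script (it must hold whether or not the VPN is up), while the ip rule / ip route part only makes sense once tun0 exists, which is what the GUI's policy based routing field does for you. Set DRY_RUN=0 to actually apply the commands.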
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Tue Jan 12, 2016 20:16    Post subject:
omg, I love you! It works.
You're collecting so much positive karma on this forum, sharing your knowledge lol. Hope you get it back someday.

What language is the script based on ?
Or is that a unique dd-wrt thing ?

And you're right.. but the problem is, that I don't have the full vpn options in my router.


eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue Jan 12, 2016 20:36    Post subject:
The script is a bash script.

What OpenVPN options are missing? There's usually an Additional Config field for any directives not available via the predefined fields of the GUI.
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Wed Jan 13, 2016 10:13    Post subject:
The screenshot shows all the options I see..
I have no way to enter my login credentials, CA cert etc.

Do you have any idea why the VPN is dropping so much ?
This is my first paid VPN provider, so I'm not sure if this is normal. But for a paid subscription I'd expect the service to be 99% reliable.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Jan 13, 2016 16:26    Post subject:
All I can assume is you're using a rather old dd-wrt build, because anything over the past few years has at least had an Additional Config field so you can add directives otherwise not available via the GUI. And your OpenVPN client doesn't have the policy based routing field either.

As far as the connection dropping, perhaps your OpenVPN client isn't implementing the OpenVPN keepalive directive (although I'm pretty sure most OpenVPN servers push it). Or maybe your version of OpenVPN is so out of date compared to the OpenVPN server, it's causing problems elsewhere.

So let's first make sure you're using the latest available dd-wrt build. No point getting into the finer points until that's the case. At least not if you want to use the GUI to configure OpenVPN.
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Fri Jan 15, 2016 18:30    Post subject:
well, I am running the Firmware: DD-WRT v24-sp2 (10/10/09) vpn. All the downloads on the site are from 2009.. so I am not sure if there's a newer version ?

It's a Linksys WRT54GL.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri Jan 15, 2016 18:58    Post subject:
The dd-wrt database is woefully out of date in many cases. The developers have decided to let slide a bit given all the work they're doing supporting new hardware. And when it comes to older hardware, that's esp. the case. But that can be a problem. For example, there are known vulnerabilities in OpenVPN (or more precisely, in OpenSSL, which OpenVPN uses). I seem to recall even dd-wrt itself having some vulnerabilities a few years ago. And there have been many enhancements to OpenVPN itself since 2009.

So it's one thing if you were only using that router for say a client bridge or repeater, where being current isn't as big a deal. But for some features, like the VPN, it might be a good idea to update your firmware directly from Brainslayer's ftp libraries.

ftp://ftp.dd-wrt.com/betas/
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Fri Jan 15, 2016 19:10    Post subject:
ok, thank you. I'll look through it and try to update.
Hopefully I won't encounter any problems during the process and the betas are stable.

The router is also incredibly underperforming with VPN connections (can't get a speed higher than 3 Mbps).. perhaps the update will solve this as well.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri Jan 15, 2016 20:11    Post subject:
Brainslayer always labels his builds as beta, I suppose just to make it clear that these differ from the official dd-wrt database. But it's been this way for YEARS, and everyone just knows if they need the latest and greatest, that's the place to grab them.

VPNs are notorious for placing high demands on system resources, so this isn't unexpected. And the fact you're using a rather old router doesn't help either. According to wikidevi.com ( https://wikidevi.com/wiki/Linksys_WRT54GL_v1.1 ), that router is using a measly 200MHz processor. Compare that to today's routers which can range anywhere from 500MHz up to 1.2GHz, some w/ dual core.

So you're never going to get great VPN performance w/ that router. And new firmware isn't going to be able to overcome the limitations of the hardware. Even some of today's better routers don't perform as well as ppl expect, and so some ppl eventually offload the process to another device like a NAS, PC, etc.
Randall88
DD-WRT Novice


Joined: 05 Oct 2014
Posts: 7

PostPosted: Sat Jan 16, 2016 10:40    Post subject:
aah, I see. thank you for all the info.
gavsiu
DD-WRT Novice


Joined: 19 Jan 2014
Posts: 13

PostPosted: Wed Feb 10, 2016 22:02    Post subject:
eibgrad wrote:
[...]
I also have a new script on PasteBin that automatically manages a kill switch based on the contents of the policy based routing field. [...]

http://pastebin.com/332rk3we

Many thanks. Your new script is the best working example I've found. Exactly what I needed.
Rieper2
DD-WRT Novice


Joined: 02 Jul 2016
Posts: 2

PostPosted: Sat Jul 02, 2016 7:44    Post subject:
I added some more features to this script as I needed selective routing for specific domains also. So perhaps have a look here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1037913#1037913
dawg.biscoot
DD-WRT Novice


Joined: 24 Jul 2016
Posts: 1

PostPosted: Sun Jul 24, 2016 11:53    Post subject:
eibgrad wrote:
The following "kill switch" will prevent all clients on the private network from accessing the WAN should the VPN drop.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset

[...]

eibgrad, I haven't been able to test that this works. When I pasted the code snippet into the firewall rules in my dd-wrt and rebooted, I still get VPN traffic with no issue but I lost the web GUI on that router. Any advice?
jeffrice
DD-WRT Novice


Joined: 27 Jul 2016
Posts: 35

PostPosted: Mon Sep 05, 2016 17:35    Post subject:
How are folks testing to see if this works? I assume if I disable OpenVPN in the GUI, this won't be a good "simulation" of a disconnect.

Would killing the openvpn process work? I'm not sure that's really the best option - since in a normal disconnect I'd have openvpn still running (presumably) but no connection to the VPN itself.

Ideas please!
Page 1 of 6