VPN Kill Switch on router

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
qbone
DD-WRT Novice


Joined: 13 Feb 2018
Posts: 6

PostPosted: Wed Jul 24, 2019 11:39    Post subject: VPN Kill Switch on router Reply with quote
I have a NAS where I have set up a PIA VPN connection, and I wish to omplement a killswitch in the routers firewall to block all traffic from my NAS if the VPN drops.

My NAS is a Synology DS918+ in case this is relevant.

I have tried the following which in my mind should work, but when I have this implemented my NAS cannot connect to the VPN Sad

Code:
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1194 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1197 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1198 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 8080 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 9201 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 53 -j ACCEPT # Required by PIA for OpenVPN

iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 502 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 501 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 443 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 110 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 80 -j ACCEPT # Required by PIA for OpenVPN

iptables -I FORWARD -s 192.168.1.60 -j REJECT


The list of required open ports was found here: https://www.privateinternetaccess.com/helpdesk/kb/articles/what-ports-are-used-by-your-vpn-service
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jul 24, 2019 12:04    Post subject: Reply with quote
You can just block any new connection from the NAS out via the WAN:
Code:
iptables -I FORWARD -s 192.168.1.60/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT


Delete everything else!

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
qbone
DD-WRT Novice


Joined: 13 Feb 2018
Posts: 6

PostPosted: Wed Jul 24, 2019 12:17    Post subject: Reply with quote
egc wrote:
You can just block any new connection from the NAS out via the WAN:
Code:
iptables -I FORWARD -s 192.168.1.60/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT


Delete everything else!


Just tried this and it doesn't work. I still cannot connect to the VPN.
I don't know exactly how that line of code works, but from your description it sounds like it will "block any new connection" so if the VPN drops, and the NAS tried to make a new connection it is blocked. But won't this also block any reconnects to the VPN?
And isn't this also why I cannot connect to the VPN through my Synology now, since that would be a new connection?
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Wed Jul 24, 2019 13:24    Post subject: Reply with quote
Why not just restrict the routing of the NAS to only go out over the VPN?

Why are you trying to stop the NAS from bypassing the VPN? Transmission? You can bind that to the VPN.


Last edited by portsup on Wed Jul 24, 2019 13:27; edited 1 time in total
qbone
DD-WRT Novice


Joined: 13 Feb 2018
Posts: 6

PostPosted: Wed Jul 24, 2019 13:27    Post subject: Reply with quote
portsup wrote:
Why not just restrict the routing of the NAS to only go out over the VPN?

I believe that is what I am trying to achieve Smile
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Wed Jul 24, 2019 13:29    Post subject: Reply with quote
Sorry if you answer the other bits I just edited I may be able to help you quicker.

As well the VPN is running on the NAS? Openvpn? If it is not transmission what is the app you are trying to restrict to vpn?



Ok slow/no reply. Could have been like chat. The way ddwrt does PBR to restrict the vpn to certain address is with this in route-up.sh

Code:
ip rule add from $IP table 10


"If" I know this right it tells whatever comes from $IP to go out on table 10 which is the vpn table.

If you stop it from destroying the table when the vpn drops it should prevent the ip specified in $IP from going anywhere.

I am guessing this is the code it destroys table 10 with in route-down.sh . So remove it.

Code:
ip route flush table 10

[/code]
qbone
DD-WRT Novice


Joined: 13 Feb 2018
Posts: 6

PostPosted: Wed Jul 24, 2019 13:44    Post subject: Reply with quote
You are in the fight track except I am ising Deluge instead of transmission. My reason for using Deluge is that I can label my downloads and automatically move downloads based on their label.

Also yes I am running the VPN on my Synology nas as an OpenVPN profile.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jul 24, 2019 13:50    Post subject: Reply with quote
qbone wrote:
egc wrote:
You can just block any new connection from the NAS out via the WAN:
Code:
iptables -I FORWARD -s 192.168.1.60/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT


Delete everything else!


Just tried this and it doesn't work. I still cannot connect to the VPN.
I don't know exactly how that line of code works, but from your description it sounds like it will "block any new connection" so if the VPN drops, and the NAS tried to make a new connection it is blocked. But won't this also block any reconnects to the VPN?
And isn't this also why I cannot connect to the VPN through my Synology now, since that would be a new connection?


My bad I see you have setup the VPN on the NAS.
So you have to set the firewall rules on the NAS and not on the router.
On the NAS you can just block the regular LAN interface. You can better ask in the forum of your NAS for that

I was assuming you were running the VPN on the router

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Wed Jul 24, 2019 13:55    Post subject: Reply with quote
Ok I use this code to edit the setting file of transmission to bind it to the internal IP given by PIA.

Code:

sed -i 's/.*bind-address-ipv4.*/    "bind-address-ipv4": "'$ifconfig_local'",/' /opt/transmission/config/settings.json


It is all one line, maybe you can adapt it to deluge. I will have a quick look into deluge, but if you aren't binding or restricting it to the vpn somehow it can leak out over the normal net.

This is my code in the route-down.sh to kill transmission.

Code:

killall transmission-daemon
sed -i 's/.*bind-address-ipv4.*/    "bind-address-ipv4": "192.168.168.168",/' /opt/transmission/config/settings.json


If you just put "killall #whateverthedelugebinaryis#" should work.

ok
In route-up.sh and you need to add the path to deluge-console

Code:

deluge-console config -s listen_interface $ifconfig_local


and in route down

Code:
killall deluged



thats a start, you will need to test.

Do you also need help port forwarding for PIA?

Here is a link confirming you can make a killswitch with just routing. I should probably change my scripts to like that.

[url]
https://snikt.net/blog/2013/10/20/linux-how-to-force-an-application-to-use-a-given-vpn-tunnel/[/url]
qbone
DD-WRT Novice


Joined: 13 Feb 2018
Posts: 6

PostPosted: Wed Jul 24, 2019 18:32    Post subject: Reply with quote
Killing deluged is not a viable option. I want the service to run, but just drop the packages if the VPN is not running.

I thought this could be achieved by some firewall rules in the router, but I guess not.

Thanks for your effort portsup. I will take a look into the firewall on the NAS instead Smile
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Wed Jul 24, 2019 20:35    Post subject: Reply with quote
iptables -I FORWARD -s 192.168.1.60/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1194 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1197 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 1198 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 8080 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 9201 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p udp -s 192.168.1.60 --dport 53 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 502 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 501 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 443 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 110 -j ACCEPT # Required by PIA for OpenVPN
iptables -I FORWARD -p tcp -s 192.168.1.60 --dport 80 -j ACCEPT # Required by PIA for OpenVPN

When you are inserting, you have to put the rules in the reverse order. First in, last on the list.
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Thu Jul 25, 2019 12:50    Post subject: Reply with quote
you can just bind deluge to your pia ip address, then just make sure the routing table isn't flushed.
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Sun Aug 04, 2019 14:54    Post subject: Reply with quote
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1172154
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum