VPN Kill Switch

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Fri Apr 16, 2021 0:02    Post subject: VPN Kill Switch Reply with quote
I am on the latest DDWRT using Netgear R7000 and I need a kill switch for my VPN.
1. I have read this post https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=957052 but that was written in 2015 and I am not sure if this is up to date.
2.Am told I can use the following command code

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

and save firewall.
3. I also found this one here code

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br -j ACCEPT
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

which one should I use?

_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Fri Apr 16, 2021 0:22    Post subject: Reply with quote
Why not just wait until the next build is released:

https://svn.dd-wrt.com/changeset/46340

It's not like this topic isn't being discussed this week:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328877

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328706

This is a topic that is not hardware-dependent, so moving it to the Advanced Networking forum where it belongs.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Fri Apr 16, 2021 0:48    Post subject: Reply with quote
@kernel-panic69 I am new and I do apologise. I saw this topic on the same thread so added it but cheers for moving it.
I realise a new build is coming out with a kill switch but I have just upgraded and I may not upgrade again until six months. I just wanted to know which of the three listed kill switch I could use.
Again DDWRT bosses, my apologies.

_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Fri Apr 16, 2021 1:29    Post subject: Reply with quote
Sorry for being a little short, I just was trying to answer your question and get this topic where it would have better visibility so other people could answer.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Fri Apr 16, 2021 10:23    Post subject: Reply with quote
I will wait as you recommended because you are the only one who replied and I appreciate the assistance.
_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Fri Apr 16, 2021 11:41    Post subject: Reply with quote
that's the one i have currently...
it does work

iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

or this one if you want more general cut off

iptables -I FORWARD -o $(get_wanface) -m state --state NEW -j REJECT

there is another one that does the 'same job'

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT

pick one of those above and save in commands> click save firewall

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum