Explanation: When the VPN is down, hosts that are pre-selected for the VPN tunnel on br0 stop receiving traffic from the WAN, as expected.
But hosts on bridges other than br0 were still getting WAN traffic!
Question:
What do I need to add/change in order to stop WAN traffic on hosts belonging to the other bridges as well, not just br0, please?
History:
I used a 'Killswitch' script, courtesy of egc (based on eibgrad's original), on my R7800. So thank you. But the same script does not work on my R9000.
My search on the Net led me to the script above from reddit.
Thank you. _________________ Life is a journey; travel alone makes it less enjoyable and lonely.
Last edited by DWCruiser on Fri Jun 17, 2022 3:52; edited 1 time in total
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Jun 15, 2022 23:45 Post subject:
Hmm, there must be a killswitch box on the new builds' VPN page... and yep, the one you use is specifying br0...
You'd better use the embedded one, as it's better...
Do you by any chance have the OpenVPN Policy Based Routing guide?
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
Otherwise, I used egc's simple line in the past:
iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
Respectively, you need more lines like this for the other bridges.
Also bear in mind that if you copy/paste this script from the forum, there is a space or tab in front of each of the 3 iptables lines (the forum has a script that strips spaces).
In general, all info on kill switches or VPN is here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
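The single-bridge iptables line above only covers br0; the reply says the other bridges need lines like it. Here is an added example (not a script from the thread or from DD-WRT) that generates one such REJECT rule per LAN bridge, discovering the bridges from /sys/class/net, and applies them only when APPLY=1 is set. It assumes DD-WRT's get_wanface is available on the router; the rule generator itself takes the WAN interface as an argument so it can be checked anywhere.

```shell
#!/bin/sh
# Added example, not from the forum thread: emit one REJECT rule per LAN
# bridge so that no bridge can reach the WAN directly while the tunnel is down.

# killswitch_rules WAN_IFACE BRIDGE...  -> prints one iptables command per bridge
killswitch_rules() {
    wan="$1"; shift
    for br in "$@"; do
        # -I puts the rule at the top of FORWARD so it wins over later ACCEPT
        # rules; matching only NEW connections mirrors the single-bridge line
        # quoted in the thread. No leading whitespace on the line, so the
        # forum's copy/paste problem mentioned above cannot reappear.
        printf 'iptables -I FORWARD -i %s -o %s -m state --state NEW -j REJECT --reject-with icmp-host-prohibited\n' "$br" "$wan"
    done
}

# list_bridges: names of br* interfaces present on the router (none if absent),
# so bridges beyond br0 are covered without hard-coding them.
list_bridges() {
    for d in /sys/class/net/br[0-9]*; do
        [ -e "$d" ] && basename "$d"
    done
}

# When run on the router with APPLY=1, execute the generated rules. The WAN
# interface name comes from DD-WRT's get_wanface (assumed present there).
if [ "${APPLY:-0}" = "1" ]; then
    wan="$(get_wanface)"
    killswitch_rules "$wan" $(list_bridges) | sh
fi
```

Without APPLY=1 the script only prints the rules, which is a quick way to review what would be inserted before letting it touch the FORWARD chain.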
In general, it's NOT a good idea to be creating your own firewall rules. The OpenVPN client has been greatly enhanced over recent years, including the use of a killswitch (which works whether you forward all WLAN/LAN traffic to the VPN, or only some using PBR) and by default, enforcement of a unidirectional tunnel w/ the Inbound Firewall option. By using your own firewall rules, you undermine much of this effort.
IOW, this isn't 2014 anymore. No one was more critical of how poorly things used to be implemented back then than me. But we've come a loooooong way since then. Users need to trust the current implementation until and unless it is proven to come up short.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Jun 16, 2022 10:26 Post subject:
+1 for the optional killswitch in the GUI..
and reading the VPN guides... egc is taking very good care of those, to be up to date and incredibly useful !!
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Fri Jun 17, 2022 0:42 Post subject:
(SOLVED ISSUE)
Having slowly read egc's documentation on the KILLSWITCH and reviewed each step, I realized where I went wrong.
Instead of temporarily entering an INCORRECT port or INCORRECT credential in order to mimic a broken OpenVPN tunnel and validate the Killswitch's effectiveness, I mistakenly disabled the OpenVPN Client for validation.
This, of course, turned the Killswitch off completely (despite the Killswitch being ticked as on).
As a result, I misdiagnosed the built-in GUI Killswitch. That led to my using a separate one, and to the topic of this thread.
End note:
Alozaros wrote:
+1 for the optional killswitch in the GUI..
and reading the VPN guides... egc is taking very good care of those, to be up to date and incredibly useful !!
You're right, Alozaros. Thank you.
eibgrad wrote:
In general, it's NOT a good idea to be creating your own firewall rules. ... By using your own firewall rules, you undermine much of this effort.
IOW, this isn't 2014 anymore. No one was more critical of how poorly things used to be implemented back then than me. But we've come a loooooong way since then. Users need to trust the current implementation until and unless it is proven to come up short.
Thanks for your insightful explanation and wisdom, and not less your sharp eyes. I was in a different orbit, back in 2014. I think.
Things have improved thanks to help and advice from @eibgrad
Many thanks for your detailed documentation, egc. I wish your note of 'The killswitch only works if the OpenVPN client is enabled' caught my attention earlier.
Again, I thank you all for your great help in this case, and generally in the DD-WRT community.
Wishing you all a great day.