[SOLVED] Killswitch

DD-WRT Forum Index -> Advanced Networking
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Wed Jun 15, 2022 23:33    Post subject: [SOLVED] Killswitch
Calling experts on Killswitch.

The Firewall script below works on my R9000 (on r49197 - 06-14-2022).

# killswitch
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br -j ACCEPT
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Explanation: When VPN is down, hosts that are pre-selected for VPN tunnel, on br0, stop receiving traffic from WAN as expected.

But, hosts on bridges other than br0 were still getting WAN traffic!

Question:

What do I need to add/change in order to stop WAN traffic for hosts belonging to other bridges as well, not just br0, please?

History:
I used a 'Killswitch' script, courtesy of egc (via the original of eibgrad's), on my R7800. So thank you. But the same script does not work on my R9000.

My search on the Net led me to the script above from reddit.

Thank you.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.


Last edited by DWCruiser on Fri Jun 17, 2022 3:52; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Wed Jun 15, 2022 23:45    Post subject:
Hmm, there must be a killswitch box on the VPN page of the new builds... and yep, the one you use specifies br0...
You'd better use the embedded one, as it's better...
Do you by any chance have the OpenVPN Policy Based Routing guide?
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Otherwise, I used egc's simple line in the past:

iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

Respectively, you need more lines like this for the other bridges,

or you can try it this way:

# WAN interface = the device of the default route
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# one set of REJECT rules per LAN-side interface
for i in br0 ath1.1 br1; do
    iptables -I FORWARD -i $i -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i $i -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i $i -p udp -o $WAN_IF -j REJECT
done


where you add the interfaces in this line:

for i in br0 ath1.1 br1; do

Also bear in mind that if you copy-paste this script from the forum, there is a space or tab in front of each of the 3 iptables lines (the forum has a script that removes spaces/intervals).

In general all info on kill-switches or VPN here
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
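The loop above hard-codes the bridge list, and the original question was exactly that a bridge missing from such a list keeps reaching the WAN. What follows is an added example, not code from this thread, from Alozaros or from DD-WRT itself: it generalizes the same three REJECT rules to any list of LAN interfaces, and adds an offline audit of 'iptables -S FORWARD' output that reports, per LAN interface, whether the first rule applying to LAN -> WAN traffic as a whole is a DROP/REJECT. Assumptions that are not in the original posts: the WAN interface name is passed in by the caller (on DD-WRT, for instance "$(get_wanface)"), LAN interfaces are either listed explicitly or read from /sys/class/net, and the sample FORWARD chain at the bottom is constructed for the demo, not captured from a router.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: per-interface killswitch
# rules plus an offline audit of an existing FORWARD chain.
# Assumptions: WAN interface name is given by the caller (on DD-WRT e.g.
# "$(get_wanface)"); LAN interfaces are passed explicitly or listed by
# ks_bridges; ks_audit reads 'iptables -S FORWARD' text from stdin.

# List bridge interfaces (br0, br1, ...) from sysfs on a live router.
ks_bridges() {
    ls /sys/class/net 2>/dev/null | grep '^br[0-9]'
}

# Print the REJECT rules for every LAN interface toward WAN; with KS_APPLY=1
# run them instead. -I puts them ahead of the existing ACCEPT/NAT rules, so
# LAN->WAN traffic that is not going through tun0 is refused even while the
# tunnel is down. Usage: ks_rules WAN_IF LAN_IF...
ks_rules() {
    wan="$1"; shift
    for lan in "$@"; do
        for rule in \
            "-I FORWARD -i $lan -o $wan -j REJECT --reject-with icmp-host-prohibited" \
            "-I FORWARD -i $lan -p tcp -o $wan -j REJECT --reject-with tcp-reset" \
            "-I FORWARD -i $lan -p udp -o $wan -j REJECT"
        do
            if [ "${KS_APPLY:-0}" = 1 ]; then
                iptables $rule
            else
                echo "iptables $rule"
            fi
        done
    done
}

# Audit: for each LAN interface, find the first FORWARD rule that applies to
# LAN_IF -> WAN_IF as a whole (no -p/--state qualifier) and report its target.
# Anything other than DROP/REJECT, or no rule at all, is a leak path.
# Usage: iptables -S FORWARD | ks_audit WAN_IF LAN_IF...   (exit 1 on any leak)
ks_audit() {
    wan="$1"; shift
    rules=$(cat)
    rc=0
    for lan in "$@"; do
        verdict=$(printf '%s\n' "$rules" | awk -v lan="$lan" -v wan="$wan" '
            /^-A FORWARD/ {
                in_ok = 1; out_ok = 0; partial = 0; target = ""
                for (i = 1; i <= NF; i++) {
                    if ($i == "-i") in_ok = ($(i+1) == lan)   # absent -i = any
                    if ($i == "-o") out_ok = ($(i+1) == wan)
                    if ($i ~ /^(-p|--state|--ctstate|--dport|--sport)$/) partial = 1
                    if ($i == "-j") target = $(i+1)
                }
                if (in_ok && out_ok && !partial) { print target; exit }
            }')
        case "$verdict" in
            DROP|REJECT) echo "$lan: covered ($verdict)" ;;
            "")          echo "$lan: LEAK (no rule for $lan -> $wan)"; rc=1 ;;
            *)           echo "$lan: LEAK (first matching rule is $verdict)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of 'iptables -S FORWARD' output (not from a real router):
# br0 carries a DROP rule like the OP's, br1 was never covered and is accepted to WAN.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i br0 -o eth0 -j DROP
-A FORWARD -i tun0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT'

# Demo when run directly: show the rules br1 is missing, then audit the sample.
ks_rules eth0 br1
printf '%s\n' "$SAMPLE_FORWARD" | ks_audit eth0 br0 br1 || echo "killswitch incomplete"
```

On a router the two pieces chain together as "iptables -S FORWARD | ks_audit $(get_wanface) $(ks_bridges)"; run the audit both with the tunnel up and with it deliberately broken, since the rules you are checking must hold in the second state, not just the first.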
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jun 16, 2022 1:01    Post subject:
In general, it's NOT a good idea to be creating your own firewall rules. The OpenVPN client has been greatly enhanced over recent years, including the use of a killswitch (which works whether you forward all WLAN/LAN traffic to the VPN, or only some using PBR) and by default, enforcement of a unidirectional tunnel w/ the Inbound Firewall option. By using your own firewall rules, you undermine much of this effort.

IOW, this isn't 2014 anymore. No one was more critical of how poorly things used to be implemented back then than me. But we've come a loooooong way since then. Users need to trust the current implementation until and unless it is proven to come up short.

BTW, the second firewall rule you posted isn't even correct. It says 'br' when presumably you meant 'br0'.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Jun 16, 2022 7:07    Post subject:
Like @eibgrad said, the built-in killswitch should usually do its job as explained on page 5 of the OpenVPN Client setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Things have improved thanks to help and advice from @eibgrad Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Thu Jun 16, 2022 10:26    Post subject:
+1 for the optional killswitch in the GUI..
and for reading the VPN guides... egc is taking very good care of those, keeping them up to date and incredibly useful!!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Thu Jun 16, 2022 18:40    Post subject:
Guys,

Let me go through your advice, step by step, one at a time. I will post my answer once done. I have spent an hour so far already.

Thank you all for your prompt and helpful replies.

Cheers

DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Fri Jun 17, 2022 0:42    Post subject:
(SOLVED ISSUE)
Having slowly read egc's documentation on the KILLSWITCH and reviewed each step, I realized where I went wrong.

Instead of temporarily entering an INCORRECT port or INCORRECT credential in order to mimic a broken OpenVPN tunnel and to validate the Killswitch's effectiveness, I mistakenly disabled the OpenVPN Client for validation.

This, of course, turned the Killswitch off completely (despite the Killswitch being ticked as on).

As a result, I misdiagnosed the built-in GUI Killswitch. It led to my using a separate one, and to the topic of this thread.

End note:
Alozaros wrote:
+1 for the optional killswitch in the GUI..
and for reading the VPN guides... egc is taking very good care of those, keeping them up to date and incredibly useful!!


You're right, Alozaros. Thank you

eibgrad wrote:
In general, it's NOT a good idea to be creating your own firewall rules. ... By using your own firewall rules, you undermine much of this effort.

IOW, this isn't 2014 anymore. No one was more critical of how poorly things used to be implemented back then than me. But we've come a loooooong way since then. Users need to trust the current implementation until and unless it is proven to come up short.


Thanks for your insightful explanation and wisdom, and no less your sharp eyes. I was in a different orbit back in 2014, I think.

egc wrote:
Like @eibgrad said, the built-in killswitch should usually do its job as explained on page 5 of the OpenVPN Client setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Things have improved thanks to help and advice from @eibgrad Smile


Many thanks for your detailed documentation, egc. I wish your note of 'The killswitch only works if the OpenVPN client is enabled' had caught my attention earlier.

Again, I thank you all for your great help in this case, and generally in the DD-WRT community.

Wishing you all a great day.
