Menu
What's new
By:
Filters Better Search

VPN Kill Switch Doesn't Work Temporarily Immediately After Rebooting

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

M

Magnetron

New Around Here
I'm running Merlin 386.3_2 on an RT-AC68U. I'm using the OpenVPN client with it set to connect when booted. The kill switch is enabled, and all internet traffic is set to be redirected over the VPN.

I've noticed that traffic is allowed to go over the WAN immediately after rebooting for a short time (about 15 seconds) after the router starts routing and before the VPN finishes connecting. Once the VPN connects, all traffic goes over the VPN. I verified the kill switch works properly if I kill the VPN client over SSH.

It also happens while the VPN is reconnecting after the WAN cable is disconnected and reconnected.

Interestingly, I'm not able to reproduce the problem if I switch from redirecting all traffic to PBR with a rule to send traffic from the entire subnet over the VPN. I would just leave it configured with the PBR rule, but I want to use Diversion and the VPN's DNS server.

I guess I could just configure the firewall to block traffic from going over the WAN, but I'd like to figure out what the problem is. Any ideas?
 
I can confirm this same behavior by actually watching the bootup process.

What I do is login via ssh to the router as soon as possible after bootup and run the following command.

Code: 
watch -tn1 'ip rule; echo; ip route show table ovpnc1'

When using "VPN Director (policy rules)", what you'll see is the following almost immediately.

Code: 
0:    from all lookup local
10210:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

prohibit default

The alternate routing table for OpenVPN client #1 is denying access to the default route, *and* all traffic is being routed to it via the ip rule. That's what you want.

But if you switch to "Yes (all)", you get this instead.

Code: 
0:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default

prohibit default

IOW, there is no ip rule to route *all* traffic to table ovpnc1! Eventually it does get added, but only once the OpenVPN client gets connected. During that time, the WAN is obviously exposed.

Code: 
0:    from all lookup local
10001:    from all lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

104.26.8.66 via 10.182.0.141 dev tun11
10.182.0.1 via 10.182.0.141 dev tun11
193.36.224.85 via 192.168.63.1 dev eth0
104.26.9.66 via 10.182.0.141 dev tun11
10.182.0.141 dev tun11  proto kernel  scope link  src 10.182.0.142
172.67.69.81 via 10.182.0.141 dev tun11
192.168.63.1 dev eth0  proto kernel  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.63.0/24 dev eth0  proto kernel  scope link  src 192.168.63.102
192.168.61.0/24 via 192.168.63.1 dev eth0  metric 1
127.0.0.0/8 dev lo  scope link
default via 10.182.0.141 dev tun11

It would appear to be a timing issue that probably can be corrected by @RMerlin. In the meantime, a firewall rule should be sufficient as a temporary workaround.

www.snbforums.com

Kill switch doesn't work

It seems to me kill switch stopped working for me. I had 386.1.x FW and noticed after router reboot that my OpenVPN client is down and despite I had setting to prevent client access to Internet when VPN is down, client still had access to Internet. I could not make kill switch work so updated to...
www.snbforums.com www.snbforums.com
 
Last edited:
P.S. I can understand why this probably happened. Prior to the VPN Director, it was NOT possible to configure the kill switch for OpenVPN clients that were configured to route ALL over the VPN. You *had* to use routing policy as described by the OP. But w/ the introduction of the VPN Director, that capability became possible (one of many reasons the VPN Director is an improvement in the handling of routing policy). Most likely the choice of VPN Director vs. All changes the path of execution sufficiently to account for this (apparent) bug. As I said, I assume this can be corrected. Stuff like this happens when you make major changes.
 
You must log in or register to reply here.

Similar threads

J
Kill Switch & Lan Interface
Replies
0
Views
382
JTnola
J
M
Asus RT-AX57 Go Kill switch
Replies
7
Views
744
foz
F
S
VPN Director - 2 VPN Clients and Killswitch (3004.388.8_2)
Replies
12
Views
698
Skillz
S
eibgrad
Clarification and Discussion on Recent 388.8 Changes
2
Replies
25
Views
2K
eibgrad
eibgrad
J
SSH to disable VPN (or VPN kill switch)
Replies
11
Views
2K
Viktor Jaep
Viktor Jaep
Similar threads
Thread starter Title Forum Replies Date
B Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14 Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 13
S Wireguard VPN doesn't work, buyer beware Asuswrt-Merlin 6
G VPN director configuration for qBittorrent Asuswrt-Merlin 7
J ASUS GT-AXE16000 CPU usage with VPN on lan machine Asuswrt-Merlin 25
I Wireguard VPN client does not autostart after reboot Asuswrt-Merlin 2
Z Sudden VPN client issues with RX-AX82U Asuswrt-Merlin 5
D VPN director issue on RT-AC86U (386.14 Merlin FW) Asuswrt-Merlin 9
S VPN Director - 2 VPN Clients and Killswitch (3004.388.8_2) Asuswrt-Merlin 12
6 VPN Director ok, device no connect. Asuswrt-Merlin 20

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 703 (members: 14, guests: 689)
Top