Can't access admin interface when kill switch is on and WAN is down

Johnny

Occasional Visitor
Router: AX86U
Firmware: 386.7_2

Issue started when my internet went down and I couldn't access router GUI.

I'm routing all my traffic through VPN with a kill switch. In this scenario, when my internet goes down I lose access to router GUI.

Is this supposed to happen? I sort of expected that since the admin interface is local it wouldn't interfere with VPN. When I turn off kill switch I don't have this issue.

Pings to router time out when I restart_wan. Simulating WAN down, I restart cable modem and I also lose access to router GUI (until modem finishes rebooting).
 

eibgrad

Part of the Furniture
I see the problem.

When the WAN goes down and the killswitch is enabled, the only route in the OpenVPN client's routing table is a "prohibit default". IOW, NO routes for any local networks. So obviously the router can't be addressed. When the killswitch is NOT enabled and the WAN is disabled, the router simply eliminates the OpenVPN client's routing table completely, so things return to the main routing table where those local routes persist.

Exactly why there is a difference is unclear. But that does explain the behavior.
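
A way to check for the table state described in the post above, as an added example that is not part of the original post. It assumes the output format of `ip route show table <name>`; the table name `ovpnc1`, the `br0` and `tun11` interfaces and the addresses in the samples are assumptions or constructed values, and only exact connected-route lines for the LAN subnet are matched.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread).
# classify_table ROUTES LAN_CIDR
#   ROUTES:   text in the format printed by `ip route show table <name>`
#   LAN_CIDR: LAN subnet as it appears in a connected route, e.g. 192.168.7.0/24
# Prints one of:
#   lockout    - "prohibit default" present and no route for the LAN subnet
#   killswitch - "prohibit default" present, LAN route still present
#   normal     - no "prohibit default" in the table
classify_table() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        $1 == "prohibit" && $2 == "default" { prohibit = 1 }
        $1 == lan                           { has_lan = 1 }
        END {
            if (prohibit && !has_lan) print "lockout"
            else if (prohibit)        print "killswitch"
            else                      print "normal"
        }'
}

# Constructed sample: the state described in the post (WAN down, kill switch
# on), where the only entry left in the client table is the prohibit route.
SAMPLE_DOWN='prohibit default'

# Constructed sample: prohibit route present but the LAN route retained.
SAMPLE_WITH_LAN='192.168.7.0/24 dev br0 proto kernel scope link src 192.168.7.1
prohibit default'

# Constructed sample: tunnel up, default route via the VPN interface.
SAMPLE_UP='default via 10.8.0.1 dev tun11
192.168.7.0/24 dev br0 proto kernel scope link src 192.168.7.1'

for s in "$SAMPLE_DOWN" "$SAMPLE_WITH_LAN" "$SAMPLE_UP"; do
    classify_table "$s" 192.168.7.0/24
done

# On the router itself (assumption: the client's table is named ovpnc1):
#   classify_table "$(ip route show table ovpnc1)" 192.168.7.0/24
```
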
 

eibgrad

Part of the Furniture
P.S. I'm willing to bet that if you use the VPN Director under the same scenario rather than routing ALL your traffic over the VPN (even if that means specifying 192.168.1.0/24 for the rule), you won't have this problem. Why? Because when routing ALL your traffic over the VPN, that includes the router, which like the rest of the LAN, becomes dependent on the same OpenVPN routing table. But when using the VPN Director, this is NOT the case. The router remains bound to the WAN and the main routing table, the one w/ all the local routes.

But I'm just guessing at this point. You'd need to check.
 

eibgrad

Part of the Furniture
Hmm, the more I think about this, the more concerned I become. If I'm right about all this, then that suggests having the router bound to the OpenVPN client w/ the killswitch enabled is NOT a good idea. Seems to me it would make it impossible for the router to reestablish the OpenVPN client or do much of anything else until the WAN was (hopefully) restored. A sort of chicken and egg problem, if you know what I mean. It might just be prudent for anyone who intends to use the killswitch to use the VPN Director as well to avoid any such possibility.

Bear with me. I'm just thinking this through in my head. Perhaps I'm overlooking some things. But it does have me concerned enough to investigate further.
 

Johnny

Occasional Visitor
These are currently my rules for VPN redirector,

NordVPN Exception xxx iPad   | 192.168.7.233/32 | WAN
NordVPN Exception xxx Laptop | 192.168.7.238/32 | WAN
VPN Exception Apple TV       | 192.168.7.38/32  | WAN
VPN xxx Phone                | 192.168.7.99/32  | WAN
NordVPN all devices          | 192.168.7.0/24   | OVPN1


I am currently using 192.168.7.0/24 to route all traffic through vpn with the exception of a few clients.

For VPN redirector, I tried excluding the router's IP through a WAN rule, but I still lost access to admin gui.

You would think that the kill switch would do nothing with the devices that are routed through WAN and that they wouldn't be affected. But oddly enough, from my testing they are.
 

Johnny

Occasional Visitor
Been tinkering with other configurations but nothing different seems to fix this. So is this how kill switch works in general or is it a bug?
 

Johnny

Occasional Visitor
> P.S. I'm willing to bet that if you use the VPN Director under the same scenario rather than routing ALL your traffic over the VPN (even if that means specifying 192.168.1.0/24 for the rule), you won't have this problem. Why? Because when routing ALL your traffic over the VPN, that includes the router, which like the rest of the LAN, becomes dependent on the same OpenVPN routing table. But when using the VPN Director, this is NOT the case. The router remains bound to the WAN and the main routing table, the one w/ all the local routes.
>
> But I'm just guessing at this point. You'd need to check.

I've already been using the VPN redirector.
 
