Can't access admin interface when kill switch is on and WAN is down


Johnny

Occasional Visitor
Router: AX86U
Firmware: 386.7_2

The issue started when my internet went down and I couldn't access the router GUI.

I'm routing all my traffic through a VPN with a kill switch. In this scenario, when my internet goes down I lose access to the router GUI.

Is this supposed to happen? I sort of expected that since the admin interface is local it wouldn't interfere with the VPN. When I turn off the kill switch I don't have this issue.

Pings to the router time out when I restart_wan. Simulating WAN down, I restart the cable modem and I also lose access to the router GUI (until the modem finishes rebooting).
 
I see the problem.

When the WAN goes down and the killswitch is enabled, the only route in the OpenVPN client's routing table is a "prohibit default". IOW, NO routes for any local networks. So obviously the router can't be addressed. When the killswitch is NOT enabled and the WAN is disabled, the router simply eliminates the OpenVPN client's routing table completely, so things return to the main routing table where those local routes persist.

Exactly why there is a difference is unclear. But that does explain the behavior.
 
P.S. I'm willing to bet that if you use the VPN Director under the same scenario rather than routing ALL your traffic over the VPN (even if that means specifying 192.168.1.0/24 for the rule), you won't have this problem. Why? Because when routing ALL your traffic over the VPN, that includes the router, which like the rest of the LAN, becomes dependent on the same OpenVPN routing table. But when using the VPN Director, this is NOT the case. The router remains bound to the WAN and the main routing table, the one w/ all the local routes.

But I'm just guessing at this point. You'd need to check.
 
Hmm, the more I think about this, the more concerned I become. If I'm right about all this, then that suggests having the router bound to the OpenVPN client w/ the killswitch enabled is NOT a good idea. Seems to me it would make it impossible for the router to reestablish the OpenVPN client or do much of anything else until the WAN was (hopefully) restored. A sort of chicken and egg problem, if you know what I mean. It might just be prudent for anyone who intends to use the killswitch to use the VPN Director as well to avoid any such possibility.

Bear with me. I'm just thinking this through in my head. Perhaps I'm overlooking some things. But it does have me concerned enough to investigate further.
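A way to check the routing-table explanation from the replies above on the router itself, as an added example that is not part of any post in this thread. The function name, the sample dumps (tun11, 10.8.0.1) and the table name `ovpnc1` in the usage comment are assumptions; only the 192.168.7.0/24 prefix and the "prohibit default" route come from the thread.

```shell
#!/bin/sh
# Classify the output of `ip route show table <name>` for a VPN client table.
#   $1 = route dump text, $2 = LAN prefix (e.g. 192.168.7.0/24)
# Prints one of:
#   lan-unreachable      kill switch route present, no LAN route (GUI lockout)
#   killswitch-with-lan  kill switch route present, LAN route still there
#   table-empty          table removed, lookups fall back to the main table
#   normal               routes present, no kill switch route
classify_table() {
    routes=$1
    lan=$2
    has_prohibit=no
    has_lan=no
    # Here-doc keeps the loop in the current shell so the flags survive it.
    while IFS= read -r line; do
        case $line in
            "prohibit default"*) has_prohibit=yes ;;
            "$lan "*)            has_lan=yes ;;
        esac
    done <<EOF
$routes
EOF
    if [ "$has_prohibit" = yes ] && [ "$has_lan" = no ]; then
        echo "lan-unreachable"
    elif [ "$has_prohibit" = yes ]; then
        echo "killswitch-with-lan"
    elif [ -z "$routes" ]; then
        echo "table-empty"
    else
        echo "normal"
    fi
}

# Constructed sample dumps (not captured from a real router).
KILLSWITCH_WAN_DOWN='prohibit default'
VPN_UP='0.0.0.0/1 via 10.8.0.1 dev tun11
128.0.0.0/1 via 10.8.0.1 dev tun11
192.168.7.0/24 dev br0 proto kernel scope link src 192.168.7.1'

echo "kill switch on, WAN down: $(classify_table "$KILLSWITCH_WAN_DOWN" 192.168.7.0/24)"
echo "VPN up:                   $(classify_table "$VPN_UP" 192.168.7.0/24)"
echo "kill switch off, WAN down: $(classify_table "" 192.168.7.0/24)"

# On a live router (table name is an assumption, adjust to your firmware):
#   classify_table "$(ip route show table ovpnc1)" 192.168.7.0/24
```

Running `ip rule show` alongside this shows which source addresses are sent to the VPN client table in the first place.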
 
These are currently my rules for VPN redirector,

| Status | Description | Local IP | Interface |
| --- | --- | --- | --- |
| Disabled | NordVPN Exception xxx iPad | 192.168.7.233/32 | WAN |
| Disabled | NordVPN Exception xxx Laptop | 192.168.7.238/32 | WAN |
| Enabled | VPN Exception Apple TV | 192.168.7.38/32 | WAN |
| Enabled | VPN xxx Phone | 192.168.7.99/32 | WAN |
| Enabled | NordVPN all devices | 192.168.7.0/24 | OVPN1 |


I am currently using 192.168.7.0/24 to route all traffic through vpn with the exception of a few clients.

For VPN redirector, I tried excluding the router's IP through a WAN rule, but I still lost access to admin gui.

You would think that the kill switch would do nothing with the devices that are routed through WAN, and that they wouldn't be affected. But oddly enough, from my testing they are.
 
Been tinkering with other configuration but nothing different seems to fix this. So is this how kill switch works in general or is it a bug?
 
P.S. I'm willing to bet that if you use the VPN Director under the same scenario rather than routing ALL your traffic over the VPN (even if that means specifying 192.168.1.0/24 for the rule), you won't have this problem. Why? Because when routing ALL your traffic over the VPN, that includes the router, which like the rest of the LAN, becomes dependent on the same OpenVPN routing table. But when using the VPN Director, this is NOT the case. The router remains bound to the WAN and the main routing table, the one w/ all the local routes.

But I'm just guessing at this point. You'd need to check.

I've already been using the VPN redirector.
 
Glad I found this thread.

Been having this problem, but these responses are a bit vague for me.

Is the fix just to add another rule to add to VPN Director, and if it is, what are the specific settings to just allow the router IP to ignore the killswitch?

Apologies, am no expert with these things and would love to have the solution.
 
