Confused as to how to make the kill switch work

Discussion in 'Asuswrt-Merlin' started by deepskydiver, May 11, 2018.

  1. deepskydiver

    deepskydiver New Around Here

    Joined:
    May 11, 2018
    Messages:
    5
    I have an ASUS RT-AC86U running 384.4_2

    1. I want to block all traffic to the internet when the VPN goes down. I have a few locations set I change between.
    I can see a list of clients to route through the VPN and stop access if the VPN goes down. But I'd prefer to have it block _all_, not just those I list. So that any devices are routed and denied access if the VPN is down. Is that possible? Otherwise I need to fill in every device for every one of the 5 VPN profiles I use. And remember to add new ones or old ones not used now, correct?

    2. I want to have the currently connected VPN reconnect if and when the router restarts.
    I'd like the router to resume the currently active VPN when it (re)starts. Not the one set to "Start with WAN". As it currently appears to work I need to turn it "Start with WAN" off on one and then on for the other when I change profiles.

    I'm guessing the intention is to allow different devices to be able to route through different VPNs. But is there a way for the simpler case?
     
  2. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,272
    Location:
    UK
    Set 'Block routed clients if tunnel goes down=YES' only for VPN Client 5 and add the Selective Routing kill switch rules for all five of the VPN Clients (assuming your LAN prefix is 192.168.1):
    Code:
    Router     192.168.1.1       0.0.0.0     WAN
    All_LAN    192.168.1.0/24    0.0.0.0     VPN
    Alternatively you could add the following manual kill rules:

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    # Drop LAN traffic forwarded straight out of the WAN interface; the ACCEPT for the router's own LAN address is inserted above the DROP
    iptables -I FORWARD -i br0 -s $(nvram get lan_ipaddr | cut -d'.' -f1-3).0/24 -o $(nvram get wan0_ifname) -j DROP
    iptables -I FORWARD -i br0 -s $(nvram get lan_ipaddr) -o $(nvram get wan0_ifname) -j ACCEPT

    For tracking the active VPN client, you will need to save the appropriate state either to /jffs, a USB-attached drive, or a custom NVRAM variable, created in, say, the openvpn-event UP trigger script for each of the VPN clients configured

    /jffs/scripts/vpnclientX-up
    Code:
    #!/bin/sh
    # $dev is the tunnel interface (tun11..tun15), so its fifth character is the client number
    nvram set vpn_client_active=${dev:4:1}
    nvram commit
    then include a manual explicit start for the last active VPN Client rather than use 'Start with WAN'

    /jffs/scripts/wan-start

    Code:
    #!/bin/sh
    # Restart the client recorded by the vpnclientX-up script, if one was recorded
    if [ ! -z "$(nvram get vpn_client_active)" ];then
       service restart_vpnclient$(nvram get vpn_client_active)
    fi
     
    Last edited: May 11, 2018
    deepskydiver likes this.
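The helper script below is an added example written for this page, not code from the thread or from Asuswrt-Merlin. It packages the pieces Martineau describes (LAN subnet from lan_ipaddr, client number from the tun device, the two FORWARD rules, the restart of the last active client) as POSIX sh functions that print the commands rather than running them, so it runs offline and is applied on the router by piping its output to `sh`. It assumes the LAN bridge is br0, that clients 1 to 5 use tun11 to tun15, and that the services are named restart_vpnclient1 to 5, as in the post. The interface and address values at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Every function prints the command it would
# run; nothing here calls nvram, iptables or service directly.

# LAN /24 from the router's LAN address: 192.168.50.1 -> 192.168.50.0/24
# (what the post's `cut -d'.' -f1-3` does, without the subprocess).
lan_subnet() {
    printf '%s.0/24\n' "${1%.*}"
}

# Tunnel interface -> client number: tun13 -> 3. POSIX replacement for ${dev:4:1},
# which needs bash/ash substring syntax; anything outside tun11..tun15 is rejected.
client_from_dev() {
    case "$1" in
        tun1[1-5]) printf '%s\n' "${1#tun1}" ;;
        *)         return 1 ;;
    esac
}

# A stored client number is trusted only if it is a single digit 1..5: it is about
# to be spliced into a service name, so an empty, stale or edited value must not pass.
valid_client_no() {
    case "$1" in
        [1-5]) return 0 ;;
        *)     return 1 ;;
    esac
}

# One FORWARD rule in check-then-insert form, so that firewall-start running again
# (it runs whenever the firewall is restarted, not only at boot) does not stack
# duplicate copies of the same rule.
emit_rule() {
    printf 'iptables -C FORWARD %s 2>/dev/null || iptables -I FORWARD %s\n' "$1" "$1"
}

# The two rules from the post: $1 LAN bridge, $2 LAN subnet, $3 router IP, $4 WAN ifname.
# Both use -I, so the ACCEPT printed second lands above the DROP, as in the original.
kill_switch_rules() {
    emit_rule "-i $1 -s $2 -o $4 -j DROP"
    emit_rule "-i $1 -s $3 -o $4 -j ACCEPT"
}

# wan-start logic: validate the stored number before it reaches the service name.
resume_last_client() {
    valid_client_no "$1" || return 1
    printf 'service restart_vpnclient%s\n' "$1"
}

# Stand-alone demonstration on constructed values. On the router, replace them with
# "$(nvram get lan_ipaddr)", "$(nvram get wan0_ifname)" and "$(nvram get vpn_client_active)".
kill_switch_rules br0 "$(lan_subnet 192.168.50.1)" 192.168.50.1 eth0
resume_last_client "$(client_from_dev tun13)"
```

Run on the router as `kill_switch_rules br0 "$(lan_subnet "$(nvram get lan_ipaddr)")" "$(nvram get lan_ipaddr)" "$(nvram get wan0_ifname)" | sh` from firewall-start, and `resume_last_client "$(nvram get vpn_client_active)" | sh` from wan-start; the `-C` check is what keeps repeated firewall restarts from piling up duplicate rules, and the validation is what keeps a corrupted NVRAM value out of the service name.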
  3. deepskydiver

    deepskydiver New Around Here

    Joined:
    May 11, 2018
    Messages:
    5
    Thank you - I've done part one of that to focus on one thing at a time: redirecting all clients via the VPN(s) and having access stopped if no VPN is connected.

    I have 5 OpenVPN Clients defined. Client #1 is my default and so the only one with "Start with WAN" set to YES. My router IP is 192.168.50.1 so the rules I've added for all 5 clients are:

    Code:
    Router    192.168.50.1       0.0.0.0     WAN
    ALL_LAN   192.168.50.0/24    0.0.0.0     VPN
    
    .. and for my default VPN Client #1 only I've set "Block routed clients if tunnel goes down" to "YES".

    This works - thank you!

    Now I presume from your reply to only set one of the VPN clients to block if the tunnel goes down.
    So if I change VPN clients I need to move that instruction to block routed clients to be on (and only on) the client I connect with, correct?
    That's certainly what I found when testing, and I guess it makes sense if I consider inactive VPN profiles as 'active' in the sense that they need to be to block access if they're not up.

    Thanks again!
     
  4. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,272
    Location:
    UK
    Correct.
    No.

    The RPDB rules are applied in descending priority order, where VPN Client 1 is the highest priority and VPN Client 5 is the lowest.

    So if no VPN clients are active, then the kill switch applied to the highest priority VPN client will take effect, so for your requirement i.e. if no VPN Clients are UP, then using my suggestion, VPN Client 5 will enforce the kill switch.

    If then you start say VPN Client 3 then LAN traffic will use that tunnel, but if you stop the VPN Client 3 then VPN Client 5 will again apply the kill switch (unless of course VPN Client 5 is actually UP).

    If you were to apply the kill switch to say VPN Client 1, all LAN VPN tunnel traffic would be blocked if VPN Client 1 was DOWN - even if any or all of VPN Clients 2-5 were (concurrently) UP.
     
    Last edited: May 13, 2018
    borussia and deepskydiver like this.
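The script below is an added example for this page, not part of the thread and not Asuswrt-Merlin's own routing code. It is a first-match model of the ordering described in the reply above: clients are checked from 1 down to 5, an UP client routes LAN traffic through its tunnel, a DOWN client with "Block routed clients if tunnel goes down" stops it, and a DOWN client without it is skipped. The audit function walks all 32 UP/DOWN combinations so a planned layout can be checked before it is applied. The scenarios at the bottom are constructed from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a model of the described rule ordering, for
# checking a "Block routed clients" layout. Not Merlin's RPDB implementation.

# in_list N "1 3 5": succeeds when N is one of the listed numbers
in_list() {
    for x in $2; do
        if [ "$x" = "$1" ]; then return 0; fi
    done
    return 1
}

# lan_route "<clients that are UP>" "<clients with the block option>"
# Prints "tunnel N", "blocked by N", or "wan" when no rule matched (the leak case).
lan_route() {
    up=$1; block=$2; n=1
    while [ "$n" -le 5 ]; do
        if in_list "$n" "$up"; then
            echo "tunnel $n"; return 0
        elif in_list "$n" "$block"; then
            echo "blocked by $n"; return 0
        fi
        n=$((n + 1))
    done
    echo "wan"
}

# audit_layout "<clients with the block option>": over all 32 UP/DOWN combinations,
# count leaks (every tunnel down, traffic still reaches the WAN) and over-blocking
# (traffic blocked although some tunnel is UP).
audit_layout() {
    block=$1; leaks=0; overblocks=0; mask=0
    while [ "$mask" -lt 32 ]; do
        up=""; n=1
        while [ "$n" -le 5 ]; do
            if [ $(( (mask >> (n - 1)) & 1 )) -eq 1 ]; then
                up="$up $n"
            fi
            n=$((n + 1))
        done
        case "$(lan_route "$up" "$block")" in
            wan)      leaks=$((leaks + 1)) ;;
            blocked*) if [ -n "$up" ]; then overblocks=$((overblocks + 1)); fi ;;
        esac
        mask=$((mask + 1))
    done
    echo "leaks=$leaks overblocks=$overblocks"
}

# Constructed scenarios from the thread:
echo "block on 5, none up:  $(lan_route "" 5)"    # blocked by 5
echo "block on 5, 3 up:     $(lan_route 3 5)"     # tunnel 3
echo "block on 1, 3 up:     $(lan_route 3 1)"     # blocked by 1
echo "no block, none up:    $(lan_route "" "")"   # wan
echo "layout block=5:       $(audit_layout 5)"    # leaks=0 overblocks=0
echo "layout block=1:       $(audit_layout 1)"    # leaks=0 overblocks=15
```

The audit makes the trade-off explicit: the block option on client 5 alone gives zero leaks and zero over-blocking, on client 1 alone it blocks 15 of the 31 combinations in which some tunnel is actually UP, and with it on no client at all the all-down case falls through to the WAN.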
  5. deepskydiver

    deepskydiver New Around Here

    Joined:
    May 11, 2018
    Messages:
    5
    Got it - thanks again.
    These subtleties are hard to infer without help.

    I've set it up exactly that way now and tested it successfully across all 5 clients.