
Confused as to how to make the kill switch work

Discussion in 'Asuswrt-Merlin' started by deepskydiver, May 11, 2018.

  1. deepskydiver

    deepskydiver New Around Here

    Joined:
    May 11, 2018
    Messages:
    7
    I have an ASUS RT-AC86U running 384.4_2

    First I want to block all traffic to the internet when the VPN goes down. I have a few locations set I change between.
    I can see a list of clients to route through the VPN and stop access if the VPN goes down. But I'd prefer to have it block _all_, not just those I list. So that any devices are routed and denied access if the VPN is down. Is that possible? Otherwise I need to fill in every device for every one of the 5 VPN profiles I use. And remember to add new ones or old ones not used now, correct?

    2. I want to have the currently connected VPN reconnect if and when the router restarts.
    I'd like the router to resume the currently active VPN when it (re)starts. Not the one set to "Start with WAN". As it currently appears to work I need to turn it "Start with WAN" off on one and then on for the other when I change profiles.

    I'm guessing the intention is to allow different devices to be able to route through different VPNs. But is there a way for the simpler case?
     
  2. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,882
    Location:
    UK
    Set 'Block routed clients if tunnel goes down=YES' only for VPN Client 5 and add the Selective Routing kill switch rules for all five of the VPN Clients (assuming your LAN prefix is 192.168.1):
    Code:
    Router     192.168.1.1       0.0.0.0     WAN
    All_LAN    192.168.1.0/24    0.0.0.0     VPN
    Alternatively you could add the following manual kill rules

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    # Drop all LAN->WAN forwarding, then insert the router's own address as an exception above the DROP
    iptables -I FORWARD -i br0 -s $(nvram get lan_ipaddr | cut -d'.' -f1-3).0/24 -o $(nvram get wan0_ifname) -j DROP
    iptables -I FORWARD -i br0 -s $(nvram get lan_ipaddr) -o $(nvram get wan0_ifname) -j ACCEPT

    For tracking the active VPN client, you will need to save the appropriate state either to /jffs, a USB-attached drive, or create a custom NVRAM variable in, say, the openvpn-event UP trigger script for each of the VPN clients configured

    /jffs/scripts/vpnclientX-up
    Code:
    #!/bin/sh
    # $dev is tun11..tun15 here; its fifth character is the VPN client number
    nvram set vpn_client_active=${dev:4:1}
    nvram commit
    then include a manual explicit start for the last active VPN Client rather than use 'Start with WAN'

    /jffs/scripts/wan-start

    Code:
    #!/bin/sh
    # Restart the VPN client recorded by the vpnclientX-up script, if one was saved
    if [ ! -z "$(nvram get vpn_client_active)" ]; then
       service restart_vpnclient$(nvram get vpn_client_active)
    fi
     
    Last edited: May 11, 2018
    deepskydiver likes this.
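Because both firewall-start rules above use `iptables -I`, the rule inserted last sits on top, so the router's ACCEPT must land above the LAN-wide DROP or the router itself loses WAN access. Added here as an illustration (not code from the thread or from Asuswrt-Merlin): a check that reads `iptables -S FORWARD` output and confirms the two rules are present and in the right order; the sample rules, interface names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: verify the kill-switch rule order in the FORWARD chain.

# Constructed sample of `iptables -S FORWARD` after firewall-start has run
# (eth0 as WAN interface and 192.168.1.x addresses are assumptions).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.1/32 -i br0 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# killswitch_ok LAN_NET ROUTER_IP WAN_IF   (rule listing on stdin)
# Returns 0 when the LAN->WAN DROP exists and the router ACCEPT is above it,
# 1 when the DROP is missing, 2 when the ACCEPT is missing or below the DROP.
killswitch_ok() {
    lan="$1"; rtr="$2"; wan="$3"
    awk -v lan="$lan" -v rtr="$rtr" -v wan="$wan" '
        # remember the line number of the first matching rule of each kind
        $0 ~ "-s " lan "/24 .*-o " wan " -j DROP"   && !drop { drop = NR }
        $0 ~ "-s " rtr "/32 .*-o " wan " -j ACCEPT" && !acc  { acc  = NR }
        END {
            if (!drop)              { print "no LAN->WAN DROP rule"; exit 1 }
            if (!acc || acc > drop) { print "router ACCEPT missing or below DROP"; exit 2 }
            print "kill switch order OK"; exit 0
        }'
}

# On a live router: iptables -S FORWARD | killswitch_ok 192.168.1.0 192.168.1.1 "$(nvram get wan0_ifname)"
printf '%s\n' "$SAMPLE_RULES" | killswitch_ok 192.168.1.0 192.168.1.1 eth0
```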
  3. deepskydiver

    deepskydiver New Around Here

    Joined:
    May 11, 2018
    Messages:
    7
    Thank you - I've done part one of that to focus on one thing at a time: redirecting all clients via the VPN(s) and having access stopped if no VPN is connected.

    I have 5 OpenVPN Clients defined. Client #1 is my default and so the only one with "Start with WAN" set to YES. My router IP is 192.168.50.1 so the rules I've added for all 5 clients are:

    Code:
    Router    192.168.50.1       0.0.0.0     WAN
    ALL_LAN   192.168.50.0/24    0.0.0.0     VPN
    
    ... and for my default VPN Client #1 only I've set "Block routed clients if tunnel goes down" to "YES".

    This works - thank you!

    Now I presume from your reply to only set one of the VPN clients to block if the tunnel goes down.
    So if I change VPN clients I need to move that instruction to block routed clients to be on (and only on) the client I connect with, correct?
    That's certainly what I found when testing, and I guess it makes sense if I consider inactive VPN profiles as 'active' in the sense that they need to be to block access if they're not up.

    Thanks again!
     
  4. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,882
    Location:
    UK
    Correct.
    No.

    The RPDB rules are applied in descending priority order, where VPN Client 1 is the highest priority and VPN Client 5 is the lowest.

    So if no VPN clients are active, then the kill switch applied to the highest priority VPN client will take effect, so for your requirement i.e. if no VPN Clients are UP, then using my suggestion, VPN Client 5 will enforce the kill switch.

    If then you start say VPN Client 3 then LAN traffic will use that tunnel, but if you stop the VPN Client 3 then VPN Client 5 will again apply the kill switch (unless of course VPN Client 5 is actually UP).

    If you were to apply the kill switch to say VPN Client 1, all LAN VPN tunnel traffic would be blocked if VPN Client 1 was DOWN - even if any or all of VPN Clients 2-5 were (concurrently) UP.
     
    Last edited: May 13, 2018
    borussia and deepskydiver like this.
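Added here as an illustration (not code from the thread or from Asuswrt-Merlin): a small model of the lookup order described in the post above. Every client carries the same All_LAN -> VPN rule, so the clients are walked from 1 (highest priority) to 5 (lowest): the first client that is UP carries the traffic, a DOWN client with the kill switch enabled blocks it, a DOWN client without it is skipped, and if nothing matches the traffic falls through to the WAN. The state names are an assumption of this example, not firmware terminology.

```shell
#!/bin/sh
# Added example: model which VPN client (or kill switch) wins for LAN traffic.
#
# effective_route STATE1 STATE2 STATE3 STATE4 STATE5
#   each STATE is one of: up, up+kill, down, down+kill
#   prints one of: VPNn, BLOCKED-by-VPNn, WAN
effective_route() {
    n=0
    for state in "$@"; do
        n=$((n + 1))
        case "$state" in
            up|up+kill) echo "VPN$n"; return 0 ;;              # first live tunnel wins
            down+kill)  echo "BLOCKED-by-VPN$n"; return 0 ;;   # kill switch stops the lookup
            down)       ;;                                     # skipped, try the next client
            *)          echo "bad state: $state" >&2; return 2 ;;
        esac
    done
    echo "WAN"   # nothing matched: traffic would leave via the WAN
    return 0
}

# Recommended layout: kill switch only on VPN Client 5.
effective_route down down up   down down+kill    # VPN3
effective_route down down down down down+kill    # BLOCKED-by-VPN5
# Kill switch on VPN Client 1 instead: it blocks even though 2-5 are UP.
effective_route down+kill up up up up            # BLOCKED-by-VPN1
# No kill switch anywhere and every tunnel down: nothing blocks the leak.
effective_route down down down down down         # WAN
```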
  5. deepskydiver

    deepskydiver New Around Here

    Joined:
    May 11, 2018
    Messages:
    7
    Got it - thanks again.
    These subtleties are hard to infer without help.

    I've set it up exactly that way now and tested it successfully across all 5 clients.
     
  6. Frunk

    Frunk New Around Here

    Joined:
    Dec 18, 2019
    Messages:
    8
    Can the settings discussed above be used to have VPN redundancy? I.e. have 5 OpenVPN clients defined, and have all 5 clients ON at the same time so that if e.g. the client 1 server goes down, client 2 automatically takes over?
     
  7. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,882
    Location:
    UK
    If ALL 5 VPNs are UP, then as explained in the thread it will depend on the order of the entries defined in the individual VPN Client GUIs.

    However, it may be simpler to have only one VPN Client UP at a time, and switch as appropriate.
    e.g. use a script such as VPN Failover Monitor.
     
  8. Frunk

    Frunk New Around Here

    Joined:
    Dec 18, 2019
    Messages:
    8
    Is this a "yes"? If so, how is it simpler to only have one OpenVPN client UP at a time and switch as appropriate?

    Having only one VPN client can, by my logic, have uptime/reliability concerns. Having 5 clients running at the same time can eliminate this, and make the setup very reliable. To be clear, I am using VPN for privacy reasons (UP all the time, for all devices), not to bypass country restrictions etc.

    This is what my idea of having all 5 clients UP is:

    Client 1: server 1 in country X (home country)
    Client 2: server 2 in country X (home country)
    Client 3: server 3 in country X (home country)
    Client 4: server 1 in country Y (neighbouring country A)
    Client 5: server 1 in country Z (neighbouring country B)

    Start with WAN set to Yes on all clients.

    Explanation
    If a specific server in my home country goes down (e.g. server 1), then another server takes over (e.g. server 2 or 3).
    If there is a systemic issue with the entire server location in my home country that makes all servers unavailable, a server in country Y takes over.
    Etc.
    And by having Start with WAN set to Yes on all clients, a power outage at my home makes sure all VPN clients will be up and running again when the router reboots. In theory a very reliable setup.

    Question is, however, does this work? If "yes", are there any performance issues by having 5 clients running at the same time?

    And if this works, there is one more thing I wonder:

    If client 1 goes down and client 2 takes over. When client 1 is available again, does that client take over?
    Or, if client 1 goes down and client 2 takes over. If client 2 goes down, if client 1 is then available again, does client 1 or client 3 take over?

    Thanks!
     
  9. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,882
    Location:
    UK
    Unless you have an HND-class router, I'd be amazed if you could stream multiple feeds through all five concurrent VPN Clients, but in failover mode it should be OK.

    You can configure server redundancy for each VPN client individually, so VPN client 1 could have say 10 or more (depends on NVRAM limits rather than an OpenVPN configuration limitation i.e. short DNS names or IPs) different servers defined, so if the VPN 1 connection is interrupted it should automatically use the next or random VPN ISP server from the list.

    Try it.
     
    Last edited: Dec 18, 2019
  10. Frunk

    Frunk New Around Here

    Joined:
    Dec 18, 2019
    Messages:
    8
    Okay, I need to clarify that I am a total noob, and I do not understand much of your answer.

    What does HND class router mean? I have a RT-AC5300.
    What is the practical difference by means of how you set your router settings between 1) streaming multiple feeds through all five concurrent VPN clients, and 2) having them set up for failover mode? I am interested in the failover mode (i.e. redundancy for max reliability).

    Are you saying here that what I described in my previous post cannot be done as the way I described, but it can be done all within one client?

    I just want to make clear how I define things in case your definition is different, so that we know we are talking about the same things:
    Client or OpenVPN client: the Merlin FW has the option of configuring 5 clients.
    Server: in each client one can upload the files for one server from the VPN provider you use.
    My conclusion: by setting up one (of the five) OpenVPN clients, you are setting up connection, or a tunnel, from your router to one of the servers of your VPN provider.

    Further I also thought that these OpenVPN clients are prioritized (as you mentioned in an earlier post, but I probably have misunderstood) so that if all clients are UP, the highest priority one is the only one that is in use.

    So, again, can I set up redundancy by having several VPN provider servers in backup somehow? If not by the way of several OpenVPN clients which I described in the beginning, then how?
     
  11. Frunk

    Frunk New Around Here

    Joined:
    Dec 18, 2019
    Messages:
    8
    https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

    "The Asuswrt-Firmware supports up to five OpenVPN Clients running concurrently. OpenVPN Client 1 has a higher priority than OpenVPN Client 2. OpenVPN Client 2 has a higher priority than OpenVPN Client 3 and so on. From my experience, if you have more than one OpenVPN client active, you must configure the router's IP address to use the WAN interface. If you are using more than one OpenVPN Client, you only have to add the router's IP address entry in the OpenVPN Client screen with the highest priority. For most people, this will be the OpenVPN Client 1 screen.
    Defining the router’s IP address to use the WAN interface and the priorities of the OpenVPN Clients is the first place to look if you experience issues with Policy Rules or traffic is not going where you expect it to."

    According to this article, running 5 concurrent OpenVPN clients is possible. Also it seems one has to add the:
    Router 192.168.1.1 0.0.0.0 WAN
    ...for just one of the OpenVPN clients, not all?