Confused as to how to make the kill switch work

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

deepskydiver

New Around Here
I have an ASUS RT-AC86U running 384.4_2

First I want to block all traffic to the internet when the VPN goes down. I have a few locations set I change between.
I can see a list of clients to route through the VPN and stop access if the VPN goes down. But I'd prefer to have it block _all_, not just those I list. So that any devices are routed and denied access if the VPN is down. Is that possible? Otherwise I need to fill in every device for every one of the 5 VPN profiles I use. And remember to add new ones or old ones not used now, correct?

2. I want to have the currently connected VPN reconnect if and when the router restarts.
I'd like the router to resume the currently active VPN when it (re)starts. Not the one set to "Start with WAN". As it currently appears to work I need to turn it "Start with WAN" off on one and then on for the other when I change profiles.

I'm guessing the intention is to allow different devices to be able to route through different VPNs. But is there a way for the simpler case?
 

Martineau

Part of the Furniture
I want to block all traffic to the internet when the VPN goes down. I have a few locations set I change between.
I can see a list of clients to route through the VPN and stop access if the VPN goes down. But I'd prefer to have it block _all_, not just those I list. So that any devices are routed and denied access if the VPN is down. Is that possible?
Set 'Block routed clients if tunnel goes down=YES' only for VPN Client 5 and add the Selective Routing kill switch rules for all five of the VPN Clients (assuming your LAN prefix is 192.168.1):
Code:
Router     192.168.1.1       0.0.0.0     WAN
All_LAN    192.168.1.0/24    0.0.0.0     VPN
Alternatively you could add the following manual kill rules

/jff/scripts/firewall-start
Code:
iptables -I FORWARD -i br0 -s $(nvram get lan_ipaddr | cut -d'.' -f1-3).0/24 -o $(nvram get wan0_ifname) -j DROP
iptables -I FORWARD -i br0 -s $(nvram get lan_ipaddr) -o $(nvram get wan0_ifname) -j ACCEPT
I want to have the currently connected VPN reconnect if and when the router restarts. I'd like the router to resume the currently active VPN when it (re)starts. Not the one set to "Start with WAN"
For tracking the active VPN client, you will need to save the appropriate state either to /jffs,USB attached drive or create a custom NVRAM variable in say the openvpn-event UP trigger script for each of the VPN clients configured

/jffs/scripts/vpnclientX-up
Code:
#!/bin/sh
nvram set vpn_client_active=${dev:4:1}
nvram commit
then include a manual explicit start for the last active VPN Client rather than use 'Start with WAN'

/jffs/scripts/wan-start

Code:
if [ ! -z "$(nvram get vpn_client_active") ];then
   service restart_vpnclient$(nvram get vpn_client_active)
fi
 
Last edited:

deepskydiver

New Around Here
Thank you - I've done part one of that to focus on one thing at a time: redirecting all clients via the VPN(s) and having access stopped if no VPN is connected.

I have 5 OpenVPN Clients defined. Client #1 is my default and so the only one with "Start with WAN" set to YES. My router IP is 192.168.50.1 so the rules I've added for all 5 clients are:

Code:
Router    192.168.50.1       0.0.0.0     WAN
ALL_LAN   192.168.50.0/24    0.0.0.0     VPN
.. and for my default VPN Client #1 only I've set "Block routed clients if tunnel goes down" to "YES".

This works - thank you!

Now I presume from your reply to only set one of the VPN clients to block if the tunnel goes down.
So if I change VPN clients I need to move that instruction to block routed clients to be on (and only on) the client I connect with, correct?
That's certainly what I found when testing, and I guess it makes sense if I consider inactive VPN profiles as 'active' in the sense that they need to be to block access if they're not up.

Thanks again!
 

Martineau

Part of the Furniture
Now I presume from your reply to only set one of the VPN clients to block if the tunnel goes down.
Correct.
So if I change VPN clients I need to move that instruction to block routed clients to be on (and only on) the client I connect with, correct?
No.

The RPDB rules are applied in descending priority order, where VPN Client 1 is the highest priority and VPN Client 5 is the lowest.

So if no VPN clients are active, then the kill switch applied to the highest priority VPN client will take effect, so for your requirement i.e. if no VPN Clients are UP, then using my suggestion, VPN Client 5 will enforce the kill switch.

If then you start say VPN Client 3 then LAN traffic will use that tunnel, but if you stop the VPN Client 3 then VPN Client 5 will again apply the kill switch (unless of course VPN Client 5 is actually UP).

If you were to apply the kill switch to say VPN Client 1, all LAN VPN tunnel traffic would be blocked if VPN Client 1 was DOWN - even if any or all of VPN Clients 2-5 were (concurrently) UP.
 
Last edited:

deepskydiver

New Around Here
Got it - thanks again.
These subtleties are hard to infer without help.

I've set it up exactly that way now and tested it successfully across all 5 clients.
 

Frunk

New Around Here
Can the settings discussed above be used to have VPN redundancy? I.e. have 5 OpenVPN clients defined, and have all 5 clients ON at the same time so that if e.g. the client 1 server goes down, client 2 automatically takes over?
 

Martineau

Part of the Furniture
Can the settings discussed above be used to have VPN redundancy? I.e. have 5 OpenVPN clients defined, and have all 5 clients ON at the same time so that if e.g. the client 1 server goes down, client 2 automatically takes over?
If ALL 5 VPNs are UP, then as explained in the thread it will depend on the order of the entries defined in the individual VPN Client GUIs

However, it may be simpler to only have only one VPN Client UP at a time, and switch as appropriate.
e.g. use a script such as VPN Failover Monitor
 

Frunk

New Around Here
If ALL 5 VPNs are UP, then as explained in the thread it will depend on the order of the entries defined in the individual VPN Client GUIs
Is this a "yes"? If so, how is it simpler to only have one OpenVPN client UP at a time and swithc as appropriate?

Having only one VPN client can, by my logic, have uptime/reliability concerns. Having 5 clients running at the same time can eliminate this, and make the setup very reliable. To be clear, I am using VPN for privacy reasons (UP all the time, for all devices), not to bypass country restrictions etc.

This is what my idea of having all 5 clients UP is:

Client 1: server 1 in country X (home country)
Client 2: server 2 in country X (home country)
Client 3: server 3 in country X (home country)
Client 4: server 1 in country Y (neighbouring country A)
Client 5: server 1 in country Z (neighbouring country B)

Start with WAN set to Yes on all clients.

Explanation
If a specific server in my home country goes down (e.g. server 1), then another server takes over (e.g. server 2 or 3).
If there is a systemic issue with the entire server location in my home country that makes all servers unavailable, a server in country Y takes over.
Etc.
And by having Start with WAN set to Yes on all clients, a power outtage at my home makes sure all VPN clients will be up and running again when the router reboots. In theory a very reliable setup.

Question is, however, does this work? If "yes", are there any performance issues by having 5 clients running at the same time?

And if this works, there is one more thing I wonder:

If client 1 goes down and client 2 takes over. When client 1 is available again, does that client take over?
Or, if client 1 goes down and client 2 takes over. If client 2 goes down, if client 1 is then available again, does client 1 or client 3 take over?

Thanks!
 

Martineau

Part of the Furniture
Is this a "yes"? If so, how is it simpler to only have one OpenVPN client UP at a time and swithc as appropriate?

Having only one VPN client can, by my logic, have uptime/reliability concerns. Having 5 clients running at the same time can eliminate this, and make the setup very reliable. To be clear, I am using VPN for privacy reasons (UP all the time, for all devices), not to bypass country restrictions etc.

This is what my idea of having all 5 clients UP is:

Client 1: server 1 in country X (home country)
Client 2: server 2 in country X (home country)
Client 3: server 3 in country X (home country)
Client 4: server 1 in country Y (neighbouring country A)
Client 5: server 1 in country Z (neighbouring country B)

Start with WAN set to Yes on all clients.

Explanation
If a specific server in my home country goes down (e.g. server 1), then another server takes over (e.g. server 2 or 3).
If there is a systemic issue with the entire server location in my home country that makes all servers unavailable, a server in country Y takes over.
Etc.
And by having Start with WAN set to Yes on all clients, a power outtage at my home makes sure all VPN clients will be up and running again when the router reboots. In theory a very reliable setup.

Question is, however, does this work? If "yes", are there any performance issues by having 5 clients running at the same time?

And if this works, there is one more thing I wonder:

If client 1 goes down and client 2 takes over. When client 1 is available again, does that client take over?
Or, if client 1 goes down and client 2 takes over. If client 2 goes down, if client 1 is then available again, does client 1 or client 3 take over?

Thanks!
Unless you have an HND-class router, I'd be amazed if you could stream multiple feeds through all five concurrents VPN Clients but in failover-mode it should be OK.

You can configure server redundancy for each VPN client individually, so VPN client 1 could have say 10 or more (depends on NVRAM limits rather than an OpenVPN configuration limitation i.e. short DNS names or IPs) different servers defined, so if the VPN 1 connection is interrupted it should automatically use the next or random VPN ISP server from the list.

Try it.
 
Last edited:

Frunk

New Around Here
Okey, I need to clarify that I am a total noob, and I do not understand much of your answer.

Unless you have an HND-class router, I'd be amazed if you could stream multiple feeds through all five concurrents VPN Clients but in failover-mode it should be OK.
What does HND class router mean? I have a RT-AC5300.
What is the practical difference by means of how you set your router settings between 1) streaming multiple feeds through all five concurrent VPN clients, and 2) having them set up for failover mode? I am interested in the failover mode (i.e. redundancy for max reliability).

You can configure server redundancy for each VPN client individually, so VPN client 1 could have say 10 or more (depends on NVRAM limits rather than an OpenVPN configuration limitation i.e. short DNS names or IPs) different servers defined, so if the VPN 1 connection is interrupted it should automatically use the next or random VPN ISP server from the list.
Are you saying here that what I described in my previous post cannot be done as the way I described, but it can be done all within one client?

I just want to make clear how I define things in case your definition is different, so that we know we are talking about the same things:
Client or OpenVPN client: the Merlin FW have the option of configuring 5 clients.
Server: in each client one can upload the files for one server from the VPN provider you use.
My conclusion: by setting up one (of the five) OpenVPN clients, you are setting up connection, or a tunnel, from your router to one of the servers of your VPN provider.

Further I also thought that these OpenVPN clients are prioritized (as you mentioned in an earlier post, but I probably have misunderstood) so that if all clients are UP, the highest priority one is the only one that is in use.

So, again, can I set up redundancy by having several VPN provider servers in backup somehow? If not by the way of several OpenVPN clients which I described in the beginning, then how?
 

Frunk

New Around Here
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

"The Asuswrt-Firmware supports up to five OpenVPN Clients running concurrently. OpenVPN Client 1 has a higher priority than OpenVPN Client 2. OpenVPN Client 2 has a higher priority than OpenVPN Client 3 and so on. From my experience, If you have more than one OpenVPN client active, you must configure the router’s IP address to use the WAN interface. If you are using more than one OpenVPN Client, you only have to add the router’s IP address entry in the OpenVPN Client screen with the highest priority. For most people, this will be the OpenVPN Client 1 screen.
Defining the router’s IP address to use the WAN interface and the priorities of the OpenVPN Clients is the first place to look if you experience issues with Policy Rules or traffic is not going where you expect it to."

According to this article, running 5 concurrent OpenVPN clients is possible. Also it seems one have to add the:
Router 192.168.1.1 0.0.0.0 WAN
...for just one of the OpenVPN clients, not all?
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top