As always thoroughly explained.

Each OpenVPN client manages its own routing table (ovpnc1, ovpnc2, etc.). When the OpenVPN client gets connected to the OpenVPN server, it installs the VPN as the default gateway in its own routing table (as opposed to the main routing table, which always has the WAN as its default gateway). IP rules are then created and managed to control what does and doesn't use those alternative routing tables. The router monitors the OpenVPN client connection, and should it fail for any reason, replaces its default gateway w/ a "prohibit default" route. This denies all further access to a default gateway (VPN or WAN) by those bound to that OpenVPN client unless and until the OpenVPN connection is reestablished.
IOW, it's all driven by the routing system, NOT the firewall.
If you want to see it in action, you can dump/monitor the following data structures from SSH.
Code:
ip rule
ip route show table main
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
Purposely kill one of the OpenVPN client processes w/ the kill command (use the ps command to find the PID (process ID)), and you'll see the VPN gateway immediately replaced w/ the "prohibit default" route.
Is it 100% reliable? According to some, no. Or at least NOT everyone has been totally happy with it. For those users, I created an alternative kill switch based on the firewall.
Kill switch doesn't work (linked thread, www.snbforums.com)
"It seems to me kill switch stopped working for me. I had 386.1.x FW and noticed after router reboot that my OpenVPN client is down and despite I had setting to prevent client access to Internet when VPN is down, client still had access to Internet. I could not make kill switch work so updated to..."
As I've said many times, I still strongly recommend using the built-in killswitch unless and until it proves to be a problem. Many ppl use it w/o issue. But for those that do, you might want to consider the script.
P.S. I've also created a watchdog script to accompany it (still useful even if you use the built-in killswitch).
asus rt-ax88u vpn director not connected right after reboot (linked thread, www.snbforums.com)
"Hello, i have installed latest asuswrt merlin on asus rt-ax88 router. I have installed a vpn connection as vpn client with openvpn protocol. When i reboot the router or take it from power, vpn director shows vpn connected status but it is not connected and i have no internet connection. Always..."
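The explanation above says the kill switch lives in the routing system: each OpenVPN client owns a table (ovpnc1 .. ovpnc5), ip rules steer selected traffic into it, and on failure the table's default route becomes "prohibit default". The following script is an added example (mine, not code from the quoted post and not Asuswrt-Merlin's own scripts) that audits exactly that state from SSH: for each table it classifies the default route as vpn, prohibit, wan or none, and lists which ip rules point at the table. The table names are the ones from the Code block above; that the tunnel interfaces are named tun1x (the script only checks for a "tun" prefix) is my assumption, not something the post states.

```shell
#!/bin/sh
# Added example (not from the quoted post, not Asuswrt-Merlin's own code): audit the
# per-client routing tables and the ip rules that feed them.
# Assumptions not stated in the post: table names ovpnc1..ovpnc5 (taken from the
# commands shown in the post); OpenVPN client tunnels named with a "tun" prefix.

# classify_table: reads one table's `ip route show table <name>` output on stdin and
# prints exactly one word: vpn, prohibit, wan or none.
classify_table() {
    awk '
        $1 == "prohibit" && $2 == "default" { state = "prohibit"; exit }
        $1 == "default" {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            state = (dev ~ /^tun/) ? "vpn" : "wan"
            exit
        }
        END { print (state == "") ? "none" : state }
    '
}

# rules_for_table TABLE: reads `ip rule` output on stdin and prints the selector part
# ("from 192.168.3.10", "from all iif br0", ...) of every rule that looks up TABLE.
rules_for_table() {
    awk -v table="$1" '
        NF >= 4 && $(NF - 1) == "lookup" && $NF == table {
            sel = ""
            for (i = 2; i <= NF - 2; i++) sel = sel (sel == "" ? "" : " ") $i
            print sel
        }
    '
}

# audit_tables TABLE...: run on the router; prints one line per table:
#   <table> <vpn|prohibit|wan|none> <rule selectors separated by ";">
audit_tables() {
    for t in "$@"; do
        state=$(ip route show table "$t" 2>/dev/null | classify_table)
        sel=$(ip rule 2>/dev/null | rules_for_table "$t" | tr '\n' ';')
        sel=${sel%;}
        printf '%-8s %-9s %s\n' "$t" "$state" "${sel:-(no rules)}"
    done
}

# Only touch the real routing tables when asked to, so the functions above can be
# sourced and exercised on sample text elsewhere.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit_tables ovpnc1 ovpnc2 ovpnc3 ovpnc4 ovpnc5
fi
```

Run it as `RUN_AUDIT=1 sh audit.sh` on the router; a table that reports `prohibit` while it still has rule selectors is the kill switch doing its job, while `wan` for an ovpnc table would mean those clients are leaking out the ISP side and is worth investigating. Killing a client process as described above and re-running the audit shows the vpn to prohibit transition.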
Thanks for the explanation.
Let me give you a little more information what I want to achieve.
I have an upstream ISP Router (192.168.2.0/24).
My Asus(Merlin) Router (192.168.3.0/24) is connected to that ISP Router.
Devices connected to this Asus Router should only! use the OpenVPN connection for internet access.
The devices connected to any of my routers should be able to communicate with each other.
I already had a router running dd-wrt for this setup.
Just a few IPtables rules satisfied all my needs.
It looked like this:
# Every rule is inserted with -I, i.e. at the top of the chain, so the LAST rule listed
# is matched FIRST. Effective FORWARD order: new flows in from tun1 dropped; anything from
# 192.168.2.0/24 accepted; new flows out the WAN to 192.168.2.0/24 accepted; all other
# new flows out the WAN dropped.
iptables -I FORWARD -o `nvram get wan_iface` -m state --state NEW -j DROP                        # no new flows out the WAN (internet only via VPN)
iptables -I FORWARD -o `nvram get wan_iface` -d 192.168.2.0/24 -m state --state NEW -j ACCEPT   # ...except to the upstream LAN
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT      # upstream LAN may reach this LAN
iptables -I FORWARD -i tun1 -m state --state NEW -j DROP   # nothing new may come in through the VPN
iptables -I INPUT -i tun1 -m state --state NEW -j DROP     # ...nor reach the router itself through it
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE       # NAT LAN traffic leaving via the VPN
So my question would be:
What is the easiest way to achieve this in a Merlin Router?
At the moment I have switched off the firewall (which is just iptables, right?) in Merlin completely.
Enabled my VPN tunneling all internet traffic through the VPN with the merlin killswitch enabled.
So what would be the easiest way to implement the rules shown above?
Also this:
`nvram get wan_iface`
does not seem to work in Merlin.
Thanks for your help!
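The rule set in the post is a policy of four FORWARD rules plus one INPUT and one NAT rule, and its correctness depends on the reverse ordering that `-I` produces. The script below is an added example of my own (not the poster's dd-wrt script and not Asuswrt-Merlin's own code) that expresses the same policy as a script for Merlin's /jffs/scripts/firewall-start hook, with the rules appended in reading order inside a dedicated chain so that re-running it does not stack duplicates. Assumptions the thread does not confirm: the WAN interface name is read from the nvram variable wan0_ifname (the post only says that wan_iface does not work), OpenVPN client 1's interface is tun11, and the upstream LAN is 192.168.2.0/24 as stated in the post.

```shell
#!/bin/sh
# Added example: the six dd-wrt rules above, rewritten for Asuswrt-Merlin's
# /jffs/scripts/firewall-start hook. Not the poster's script, not Merlin's own code.
# Assumptions not confirmed by the thread: WAN interface from nvram "wan0_ifname",
# OpenVPN client 1 on "tun11", upstream LAN 192.168.2.0/24 (from the post).
#
# Deliberate differences from the dd-wrt version:
#  1. The rules live in a dedicated chain that is flushed before being refilled, so
#     running the script twice (firewall-start can fire more than once) does not
#     stack duplicates.
#  2. Inside that chain rules are appended (-A) in reading order. The original relies
#     on -I, which inserts at the top, so its LAST listed rule is matched FIRST.

IPT="${IPT:-iptables}"   # set IPT=echo for a dry run that only prints the commands
CHAIN=VPNONLY

# rule_list WAN TUN UPSTREAM_NET: prints the chain's rules in first-match order.
rule_list() {
    wan=$1; tun=$2; up=$3
    cat <<EOF
-A $CHAIN -i $tun -m state --state NEW -j DROP
-A $CHAIN -s $up -j ACCEPT
-A $CHAIN -o $wan -d $up -m state --state NEW -j ACCEPT
-A $CHAIN -o $wan -m state --state NEW -j DROP
EOF
}

# install_rules WAN TUN UPSTREAM_NET: idempotent; safe to call on every firewall restart.
install_rules() {
    wan=$1; tun=$2; up=$3
    $IPT -N "$CHAIN" 2>/dev/null      # fails harmlessly if the chain already exists
    $IPT -F "$CHAIN"
    rule_list "$wan" "$tun" "$up" | while read -r args; do
        # word splitting of $args is intentional: each line is one argument list
        $IPT $args
    done
    # Hook the chain into FORWARD and add the two single rules only if not already present
    # (-C checks for an existing identical rule and returns non-zero when absent).
    $IPT -C FORWARD -j "$CHAIN" 2>/dev/null || $IPT -I FORWARD -j "$CHAIN"
    $IPT -C INPUT -i "$tun" -m state --state NEW -j DROP 2>/dev/null \
        || $IPT -I INPUT -i "$tun" -m state --state NEW -j DROP
    $IPT -t nat -C POSTROUTING -o "$tun" -j MASQUERADE 2>/dev/null \
        || $IPT -t nat -I POSTROUTING -o "$tun" -j MASQUERADE
}

# Only touch the live firewall when asked to; the functions above can be exercised
# with IPT=echo or on their printed output without root.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    install_rules "$(nvram get wan0_ifname)" tun11 192.168.2.0/24
fi
```

Packets that match nothing in VPNONLY fall back to the rest of FORWARD, so the chain only adds restrictions on top of whatever the router's own firewall does; it does not replace it, which is why it is a poor substitute for leaving the firewall switched off. A quick check after installing it is `iptables -L VPNONLY -v -n` to confirm the four rules appear in the listed order with the tun1x DROP on top.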
Quote:
The only thing that *won't* work w/o your intervention is having devices on the ISP's local IP network initiate connections into ASUS router's IP network, since the WAN denies all such access by default. But I'm not even sure this is something you need. I'm suspicious you *believe* you need it due to the killswitch. But if you use the built-in kill switch, this will *only* deny access to the internet, NOT the upstream local IP network of the ISP's router.

It's not the ISP's local IP network. It's my local IP network that is used by my local devices that are plugged into the ISP router.