Kill switch doesn't work


I have to be honest, I only found out about this today when I was playing around in my router after a factory reset and realised that the kill switch no longer works the way it used to. I have only 4 clients or IP addresses out of 20+ items around the home that go through the VPN, with all others directed to use WAN in the VPN director setup.

I was a little shocked to realise that there were probably times they weren’t being directed through the VPN tunnel. I might have to rethink this firmware now.

I wanted something simple to manage with minimal fuss and tick box options. Adding extra scripts is beyond my capabilities.
 
@mrf0ster ... You certainly have a lot more to worry about if you're also running IPv6, because it doesn't care about your VPN or killswitches, and will run circles around them. I know you said you weren't in favor of running scripts, but if you ever change your mind, I built this killswitch script that complements the built-in killswitch you would find in the firmware... and it helps block IPv6 as well. I tried making it more point-and-click/set-and-forget, so you don't have to worry about the nitty-gritty.

 
@eibgrad
Hello, the killswitch didn't work after I disabled "Automatic start at boot time" and rebooted the router.
:(
Tested on RT-AC88U
 
Yes, if you turn features off, they don't run.
 
Are you talking about @eibgrad's killswitch script, or the killswitch checkbox in the UI?

[attached screenshot: 1675784698955.png]
 
Did you look into this option to enable/disable this behavior?
-> No, I comment this line?
Code:
VPN_AUTOSTART_ONLY= # only consider auto-started openvpn clients

To apply the modification, I modify the script at "/jffs/scripts/merlin-ovpn-client-killswitch.sh" and reboot the router?
 

Correct... you want this line to look like this:

Code:
#VPN_AUTOSTART_ONLY= # only consider auto-started openvpn clients

Then reboot... you may want to run it one more time before a reboot just in case.
 
@Viktor Jaep thank you. It's working fine now.
I have two questions:
1- Do you know if I can use the Asus Merlin Dual WAN?
2- Can I update my Asus RT-AC88U from 386.7_2 to the latest version 386.9_0 without issues with the kill switch?
 
@Viktor Jaep thank you. It's working fine now.
I have two questions:
1- Do you know if I can use the Asus Merlin Dual WAN?
Stock Dual-WAN seems to be inherently broken on our routers, and I would recommend you use @Ranger802004's excellent Dual-WAN Failover script to get this functionality back.

2- Can I update my Asus RT-AC88U from 386.7_2 to the latest version 386.9_0 without issues with the kill switch?
I'm not aware of anything that would break from that standpoint by upgrading. I always encourage upgrading... and in most cases, if something does break, doing a full wipe/reset and starting your settings from scratch really does help fix most things.
 
Installed "curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s F2GmyrCC"
and got "error: firewall-start already exists, need manual modifications" (firewall-start.sh is empty), no issues with merlin-ovpn-client-killswitch though.
Is this something expected?

Also the main problem - activating the script (JFFS=enable) immediately disables internet access for my ethernet-connected PC (phone and other WiFi devices have access to internet at the same time).
Disabling the JFFS script immediately fixes the problem.
Am I missing something in the configuration? What could be the reason (the firmware might not be the latest, if it matters)?
 
Installed "curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s F2GmyrCC"
and got "error: firewall-start already exists, need manual modifications" (firewall-start.sh is empty), no issues with merlin-ovpn-client-killswitch though.
Is this something expected?
This would be if you wanted your killswitch rules to survive a reboot, so that rules are put into effect as soon as the firewall service starts back up again. It sounds like you will need to add these manually.
Also the main problem - activating the script (JFFS=enable) immediately disables internet access for my ethernet-connected PC (phone and other WiFi devices have access to internet at the same time).
Disabling the JFFS script immediately fixes the problem.
Am I missing something in the configuration? What could be the reason (the firmware might not be the latest, if it matters)?
You really should have JFFS enabled from the get-go before running any scripts. Make sure you use the AMTM tool to prepare a drive, and set a swap file. I'm not quite sure why it would disable your devices... I'm assuming you rebooted after enabling JFFS, and prepared your drive/swap?
 
Hello everyone,
First, I appreciate all people who share what they create without thinking about making money.
Especially since the majority of humans are programmed from birth to think that there is a God and that his name is Money.

However, I believe that the "Kill Switch" function is not well implemented (Asus RT-AC86U + Merlin 386.11). Maybe I do not know anything about it.

I take the example of the Kill Switch of the NordVPN application (on PC).
If this application is working on my computer and on the NordVPN side there is a problem and the VPN no longer works, then the application closes the Internet and my computer no longer has access to it.

The big problem with this app is that it is an app and all devices, "old" and newer, must have it. However, many "old" devices are not able to run this application.

In addition, I find it much more convenient to have the VPN on a router. Therefore, everything you plug into it is “protected”.

However, the Kill Switch does not work. Anyway, until now.
I believe that I am not mistaken; otherwise, there would not be so many messages on the forums saying the same thing.

What I would like is to have a Kill Switch like on the NordVPN app but on the router.

Therefore, whether it is the PC, the smartphone, a tablet, a Smart TV, or any other device, if there is a problem with the VPN connection, then NO device will be able to communicate with the Internet any longer.
That is what happens with the NordVPN app, well only for devices new enough for it, but unfortunately, it is an app.

It seems to me that this is clear. However, I am not saying that it is easy to program.
I hope that one day soon, I will see this function implemented on Merlin.
It is still for this reason that I bought an Asus router.

Thanks to all the developers and their understanding.
 
The kill switch is implemented in RMerlin routers.
[attached screenshot: ASUS Wireless Router RT-AX86U Pro - OpenVPN Client Settings, 2023-06-30]
 
Hello,
I have a question of understanding regarding the killswitch script.
Code:
curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s F2GmyrCC
Is this still needed for the current version of Asuswrt-Merlin 3004.388.4? The firmware already has its own option under VPN - VPN Client - Killswitch - Block routed clients if tunnel goes down, set to yes.
Greetings
 
You may want to read through this thread to get a better understanding of the problem at hand, but afaik, there has been no change to the functionality of the baked-in vpn killswitch.
 
Hello,
Apologies if it's been asked before, but I couldn't figure out what was wrong.
Same as a few others, I'm trying to let some of my servers access the internet only when OpenVPN is on.
I'd like the router to block them from accessing the internet as soon as I manually turn off the OpenVPN client.

I'm using the asus-merlin firmware version 3004.388.5 on an AX86U.
1. set Enable JFFS custom scripts and configs to yes
2. Redirect Internet traffic through tunnel = VPN Director (policy rules)
3. Killswitch - Block routed clients if tunnel goes down = yes
4. Automatic start at boot time = yes
5. Add policy server1 192.168.1.120 0.0.0.0/0 ovpn1
6. SSH to the AX86U, download the killswitch and watchdog scripts; I can see both installed successfully. After that I have the following files in the /jffs/scripts folder:

-rwxrwxrwx 1 admin root 154 Dec 19 18:01 firewall-start
-rwxrwxrwx 1 admin root 3704 Dec 19 18:23 merlin-ovpn-client-killswitch.sh
-rwxrwxrwx 1 admin root 1641 Dec 19 18:22 merlin-ovpn-client-watchdog.sh
-rwxrwxrwx 1 admin root 172 Dec 19 17:53 services-start

7. reboot

After reboot, testing shows that the server 192.168.1.120 is still able to access the internet after I turn off ovpn1.
I read the syslog and saw the killswitch was invoked and the reject statement was added to iptables, but why didn't it block my server's traffic?

iptables -A ovpnc_block_wan -s 192.168.1.120 -d 0.0.0.0/0 -j REJECT
merlin-ovpn-client-killswitch[19833]: + iptables -I FORWARD -i br+ -o eth0 -j ovpnc_block_wan

I'm not very familiar with Linux's ip route table, I noticed the killswitch runs after the router reboot, it added the lines above into the route table.
But I can't get the server's internet access blocked after I shut down OVPN1.

Any thoughts?

Elac
 
The killswitch works as it should; it doesn't block if you turn off the VPN manually.
It was changed after ONE person complained that he couldn't access the internet after turning off the VPN client.
Only if you use the ssh command "service stop_vpnclient(x)" does the killswitch work.
If you ask me, the killswitch should always block access to the internet.
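Added example (my own, not code from the thread or from the killswitch script it discusses): a POSIX sh audit of a saved `iptables -S` dump that checks the two rules in Elac's syslog excerpt are present for the client and that the jump into ovpnc_block_wan sits above any ACCEPT in FORWARD, since iptables stops at the first matching rule. It assumes the chain name ovpnc_block_wan and WAN interface eth0 as on the page; the dumps below are constructed, not captured from a router.

```shell
#!/bin/sh
# Added example: audit a saved `iptables -S` dump for the kill-switch rules.
# Assumed (as on the page): block chain ovpnc_block_wan, WAN interface eth0.
# On the router you would feed it real output:
#   ks_audit 192.168.1.120 eth0 "$(iptables -S FORWARD; iptables -S ovpnc_block_wan)"

# ks_audit CLIENT_IP WAN_IF DUMP -> prints a verdict, returns 0 only if every check passes
ks_audit() {
    client=$1; wan=$2; dump=$3

    # 1) the client's REJECT rule must exist in the block chain
    printf '%s\n' "$dump" | grep -q -- "^-A ovpnc_block_wan -s ${client}/32 .*-j REJECT" \
        || { echo "FAIL: no REJECT rule for $client in ovpnc_block_wan"; return 1; }

    # 2) FORWARD must hand LAN->WAN traffic to the block chain
    jump=$(printf '%s\n' "$dump" | grep -n -- "^-A FORWARD -i br+ -o ${wan} -j ovpnc_block_wan" | head -n 1 | cut -d: -f1)
    [ -n "$jump" ] \
        || { echo "FAIL: FORWARD has no jump to ovpnc_block_wan for -o $wan"; return 1; }

    # 3) first match wins: no ACCEPT in FORWARD may sit above that jump
    accept=$(printf '%s\n' "$dump" | grep -n -- "^-A FORWARD .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    if [ -n "$accept" ] && [ "$accept" -lt "$jump" ]; then
        echo "FAIL: ACCEPT at line $accept precedes the kill-switch jump at line $jump"
        return 1
    fi
    echo "OK: kill-switch rules for $client present and evaluated first"
}

# Constructed dumps (not captured from a router), in `iptables -S` form.
# GOOD: the script used -I FORWARD, so the jump sits at the top of the chain.
GOOD_DUMP='-P FORWARD ACCEPT
-A FORWARD -i br+ -o eth0 -j ovpnc_block_wan
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-N ovpnc_block_wan
-A ovpnc_block_wan -s 192.168.1.120/32 -j REJECT --reject-with icmp-port-unreachable'

# BAD: same rules, but the jump was appended (-A), so the LAN->WAN ACCEPT wins first.
BAD_DUMP='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -i br+ -o eth0 -j ovpnc_block_wan
-N ovpnc_block_wan
-A ovpnc_block_wan -s 192.168.1.120/32 -j REJECT --reject-with icmp-port-unreachable'

ks_audit 192.168.1.120 eth0 "$GOOD_DUMP"
ks_audit 192.168.1.120 eth0 "$BAD_DUMP" || echo "(expected failure, status $?)"
```

A passing audit only shows the rules are in place and ordered first; it says nothing about whether the firmware removes them when the client is switched off from the UI, which is the behaviour the reply above describes.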
 