Kill switch doesn't work

[bluecat]

Thank you for explaining the Firewall. After enabling it, I was able to achieve the full outcome. If VPN is down or deactivated, the specific client now gets fully blocked. Before this was not working for me with only the Killswitch script. But in combination with the firewall everything works like I want.

In summary, I have activated the following:
- VPN/VPN-Client -> Killswitch
- VPN Director: added the specific IP
- Installed the script from @eibgrad
- Enabled the firewall
Additionally, I came aware of the watchdog script by @eibgrad and installed it too.

Not sure if all of this is necessary, but this way it's working for me and the client is always blocked if he don't have an VPN connection. Thank you for all the help.

 

[orangepie]

Do I need to disable anything on router's UI (like set "Enable Firewall" to "No" or set "Networks Service Filter" to "No") so that those UI settings do not interfere with the script? Or maybe enable?

What's the easiest way to make sure the script is running? Any chance that the vpn tunnel is already on, but the script is not enabled yet?

 

[eibgrad]

Do I need to disable anything on router's UI (like set "Enable Firewall" to "No" or set "Networks Service Filter" to "No") so that those UI settings do not interfere with the script? Or maybe enable?

The script should work whether or NOT you uses Network Services Filter for other purposes. Of course, the firewall has to be enabled in order for the script to work since it adds its own firewall rules to those already generated by the router.

What's the easiest way to make sure the script is running? Any chance that the vpn tunnel is already on, but the script is not enabled yet?

By default, the script enables debugging, and will therefore record its actions and any errors to the syslog, which you can dump w/ the following command from ssh.

grep firewall-start /tmp/syslog.log

You can also dump the changes the script makes to the firewall w/ the following commands.

iptables -vnL FORWARD
iptables -vnL ovpn_block_wan

 

[hudsd]

After 1-2 years I found this thread. I have also this issue and solved it by using a very old version of WRTMerlin. But I don't want to stay on the old version anymore, so I installed the new version again. I forgot why I don't installed the newest version, so everything was fine. But then I know what was the issue why I used always the old version. I got an IP leak while using a vpn. I do not understand why the developer did this. Sure he made a statement, but tbh its too much I do not understand. It make no sense to me to have a option with a kill switch and then the kill switch is not working.

Then I installed the script of @eibgrad but I think I have problemes with it. My Nextcloud on my homeserver is reachable via web, but the server itself do not have any internet connection. On the VPN Director I route the IP through WAN and not VPN. I think this is a problem. But I don't know how to fix this. I am using the newest script version and only uncomment the line with "FW_STATE='-m state --state NEW'".

Also I run a wireguard server on a local maschine and after the upgrade of my router I can't connect. But all ports are still open. This make no sense and I think I will use the version from 1-2 again, because killswitch is not working and my vpn server.

 

[macster2075]

Go back to that link I referenced and you'll find the following.

curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s F2GmyrCC

That will download the script, execute it, and create a file called /jffs/scripts/firewall-start, which you can then edit (if necessary) w/ the nano editor. Once you do, you can reboot and the firewall will automatically be configured appropriately to implement the kill switch (provided you followed the rest of the instructions in that link).

Thank you eibgrad. If I want to remove the script later, how can I do that?

 

[alisou]

Hello,
Thank you very much @eibgrad.
The script work fine on RT-AC88U with Asus Merlin Firmware Version:386.7_2.
Did you know how to stop using the script ?

Because I think that script did'nt work with Dual WAN options.
Tested with WAN (first) and LAN1 (second). And only second WAN is working.

Thank you.

 

[macster2075]

I've been doing some testing and the script works well, but I've noticed that if there is no Active/enabled VPN, there is no internet at all. Is this by design?
I thought the script was to disable Internet access when there's a connectivity issue on the VPN. If I completely disable the VPN, I get no connection.

 

[L&LD]

Seems it's by design. The router/script doesn't (can't?) know if the VPN is actually down or if you have disabled it yourself.

 

[SomeWhereOverTheRainBow]

Seems it's by design. The router/script doesn't (can't?) know if the VPN is actually down or if you have disabled it yourself.

True, there are certain spots where router/script doesn't have a very good handle on, or indication of when the event actually occurs.

 

[macster2075]

Thanks guys. The script works well and it does what I wanted the kill switch to do which is to “kill” the connection when the VPN is down for ANY reason.

I just have to remember to uninstall the script if I ever want to stop using a VPN, otherwise I won’t have internet lol

 

[Stephen Harrington]

@eibgrad

I've just come across this thread in the last couple of days and I now have your clever script installed and working great. Thanks!
I only have one client machine going through my NordVPN connection and now if I manually stop the OVPN Client it successfully cuts connectivity, just like the "old Merlin" used to work.

I have noted however in my testing today that it only seems to have effect on the Primary WAN?

I run Dual-WAN (Failover/Fallback) mode and have a 4G USB stick active as WAN1, for use as emergency connectivity if my main connection goes down.
This is then enhanced with the brilliant combination of the wan-failover script from @Ranger802004 and the vpnmon-r2 script from @Viktor Jaep - this gives me a very reliable setup at present.

I'd like to enhance this further by using your script, or maybe a modified version, to ideally "killswitch" the VPN if I'm failed over to the WAN1 USB stick.
This is basically to limit 4G data usage, which is limited and relatively expensive here in Australia.

My aim being - if I've got a big download/upload going on my single VPN client device (routed as per VPN Director), a Synology NAS, I'd like its connectivity to be blocked/stopped if I'm failed over and vpnmon-r2 has stopped the VPN (which it already does as an option in the betas I'm testing with @Viktor Jaep ).

Ideally your script could operate to block both WAN0 and WAN1, but failing a modified version that even just blocks when on WAN1 also be helpful.

Thanks in advance for your time and consideration, and any info greatly appreciated.

 

[salvo]

Hello @eibgrad ,

I was notified about your solution and seems to be promising according to feedback here however I am not able to make the script running correctly..

I did install this script as advised (I have to manually added commands to firewall-start due to the fact it has already existed) and restarted the router several times but it is not blocking internet access when I manually stop the VPN tunnel. I use also Diversion and VPNMON-R2 scripts which runs without any issue, I do not expect to be in collision with these ones.

When I manually stop the tunnel to verify the script is working but still can access the internet, IP address 192.168.1.100 keeps pinging www.google.com.

I do not know what might be the root cause of this, any wrong settings ? Can you point me the direction or if you need more information to understand, I will provide.

This is the log from script startup, seems to be loaded, detail log is attached as file

Oct 21 15:37:08 kernel: cfg80211: Exceeded CRDA call max attempts. Not calling CRDA
Oct 21 16:37:09 hotplug[3307]: USB ext4 fs at /dev/sda1 mounted on /tmp/mnt/sda1
Oct 21 16:37:09 usb: USB ext4 fs at /dev/sda1 mounted on /tmp/mnt/sda1.
Oct 21 15:37:09 kernel: EXT4-fs (sda1): recovery complete
Oct 21 15:37:09 kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: user_xattr
Oct 21 16:37:09 custom_script: Running /jffs/scripts/post-mount (args: /tmp/mnt/sda1)
Oct 21 15:37:09 kernel: Adding 2097148k swap on /tmp/mnt/sda1/myswap.swp.  Priority:-1 extents:8 across:2351100k
Oct 21 16:37:09 Diversion: Starting Entware and Diversion services on /tmp/mnt/sda1
Oct 21 15:37:10 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Oct 21 15:37:10 firewall-start[3399]: + basename /jffs/scripts/merlin-ovpn-client-killswitch.sh .sh
Oct 21 15:37:10 firewall-start[3399]: + logger -t merlin-ovpn-client-killswitch[3404]
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + VPN_CLIENTS=1 2 3 4 5
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + VPN_AUTOSTART_ONLY=
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + [ ]
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + nvram get wan0_ifname
Oct 21 15:37:10 rc_service: udhcpc_wan 2738:notify_rc stop_samba
Oct 21 15:37:10 rc_service: udhcpc_wan 2738:notify_rc start_samba
Oct 21 15:37:10 rc_service: waitting "stop_samba" via udhcpc_wan ...
Oct 21 15:37:10 custom_script: Running /jffs/scripts/service-event (args: stop samba)
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + echo eth0
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + WAN_IF=eth0
Oct 21 15:37:10 merlin-ovpn-client-killswitch[3404]: + sed s/\s//g /jffs/openvpn/vpndirector_rulelist

This is the script

pristup@RT-AX86U-3E18:/jffs/scripts# pwd
/jffs/scripts
pristup@RT-AX86U-3E18:/jffs/scripts# ls -la
drwxr-xr-x 2 pristup root 0 Oct 21 07:56 .
drwxr-xr-x 15 pristup root 0 Oct 21 07:57 ..
-rw-rw-rw- 1 pristup root 71 Oct 21 07:56 NordVPNRS.txt
-rwxr-xr-x 1 pristup root 73 Oct 13 22:56 dnsmasq.postconf
-rwxrwxrwx 1 pristup root 220 Oct 20 23:44 firewall-start
-rwxrwxrwx 1 pristup root 3705 Oct 20 23:45 merlin-ovpn-client-killswitch.sh
-rwxr-xr-x 1 pristup root 199 Oct 13 23:56 post-mount
-rwxrwxrwx 1 pristup root 99196 Oct 17 15:31 rtrmon.sh
-rwxr-xr-x 1 pristup root 109 Oct 13 22:56 service-event
-rwxr-xr-x 1 pristup root 63 Oct 13 22:56 services-stop
-rwxr-xr-x 1 pristup root 76 Oct 21 07:50 test.firewall-start.backup
-rwxr-xr-x 1 pristup root 209 Oct 13 23:25 unmount
-rwxrwxrwx 1 pristup root 200470 Oct 18 20:08 vpnmon-r2.sh
pristup@RT-AX86U-3E18:/jffs/scripts# cat firewall-start
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
/jffs/scripts/merlin-ovpn-client-killswitch.sh
} 2>&1 | logger -t $(basename $0)[$$]
sh /jffs/addons/diversion/type65blocking.div # Added by Diversion
pristup@RT-AX86U-3E18:/jffs/scripts#

Here is my settings

Settings while VPN running, ping to google.com has response

Settings while VPN is not running (manually stopped), ping to google.com has still response

EDIT: it started working once I typed in correct remote IP address in VPN director rule ie. 0.0.0.0/0, it is important to use also CIDR, so final working result in IPTABLE is:

@RT-AX86U-3E18:/tmp/home/root# iptables -L -n -v
..............
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2827  555K ovpnc_block_wan  all  --  br+    eth0    0.0.0.0/0            0.0.0.0/0            state NEW
 250K  191M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
.............
Chain ovpnc_block_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
  158 11685 RETURN     all  --  *      *       192.168.1.106        0.0.0.0/0
    0     0 RETURN     all  --  *      *       192.168.1.100        160.218.169.0/24
    0     0 RETURN     all  --  *      *       192.168.1.100        194.228.217.0/24
 2669  543K REJECT     all  --  *      *       192.168.0.0/21       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.0.0/21       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.0.0/21       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.0.0/21       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.168.0.0/21       0.0.0.0/0            reject-with icmp-port-unreachable

 

[hudsd]

I just have to remember to uninstall the script if I ever want to stop using a VPN, otherwise I won’t have internet lol

This is not true. You don't need to uninstall the script, when you do not want to use the VPN anymore.
Just add a rule for "192.168.1.0/24" to route through WAN. Then everything works.

 

[Neoony]

The recent change to only activate the killswitch if a client is in an error state is because with the previous implementation, a few users complained that stopping their client killed their entire Internet connection. Whichever way I decide to implement it, someone somewhere will complain that they want it working the other way around. So, I made a design decision to implement it the way it currently is, because this is what I felt is the most logical behaviour.

By all means, if someone is unhappy with how I designed the current implementation, feel free to disable it, and re-implement whichever different behaviour you wish to implement. That's why I implement so many hooks within the system to allow users to completely customize the firewall or the routing tables based on various events, be it firewall restarts or OpenVPN events. But the current implementation is done the way it is because I feel this is the most reliable, and cleanest way to implement it, and which will work for the largest majority of users, as it's the most flexible in some convoluted multi-tunnel setups where people have multiple VPN Director rules to decide what is tied to the tunnel and what isn't.

I'm just tired of getting people complain no matter how I decide to implement it, as every time something changes to satisfy a group of user, another group of users start complaining. So, the current implementation is the way it is, and I have no intention of making any change to this global implementation in the near future.

Just to ask.
But can this not be an option which you can switch on and off?
Especially if there are 2 kinds of people
One want it to turn off kill-switch when they stop VPN
Others want the routed client to NEVER access internet until kill-switch is disabled ( I belong here )

Can it not be an option to change this behavior? Or is there some limitation or design reason?

I rather always expect that when there is VPN killswitch and I turn it on, it should just kill the internet 100% ... whether the VPN is ON or OFF / connected or not

I will be most likely trying the custom scripts, because I want to make sure its NEVER using WAN until I would set the kill-switch to off

Still figuring asuswrt-merlin out
Just came from stock ASUS, because they added VPN Fusion which is awesome for what I need, but I have no idea if it even has a kill-switch and no easy way to test for the kill-switch (just always connected to the internet, until VPN is connected, even with faulty VPN configs)
So I tried merlin, but actually also behaving similarly when I want to test for it (but then now I can use commands/scripts to test it, but just figuring it out right now)
But the options and the UI is 100 times better than stock

Anyways thx for this awesome FW
@eibgrad thx for the scripts

 

[RMerlin]

But can this not be an option which you can switch on and off?

Feature-bloat. Having too many available options only causes confusion and makes it harder to use a product. I prefer to go with an implementation that makes the most sense.

Also more complexity = more chances of introducing hard-to-track bugs, as the number of possible scenarios increases exponentially as you add more features.

 

[Ramlal]

If you disable NAT in your VPN router, it acts as a kill switch. If vpn tunnel goes off, all traffic will stop. No device can access internet.

 

[Ramlal]

Just to ask.
But can this not be an option which you can switch on and off?
Especially if there are 2 kinds of people
One want it to turn off kill-switch when they stop VPN
Others want the routed client to NEVER access internet until kill-switch is disabled ( I belong here )

Can it not be an option to change this behavior? Or is there some limitation or design reason?

I rather always expect that when there is VPN killswitch and I turn it on, it should just kill the internet 100% ... whether the VPN is ON or OFF / connected or not

I will be most likely trying the custom scripts, because I want to make sure its NEVER using WAN until I would set the kill-switch to off

Still figuring asuswrt-merlin out
Just came from stock ASUS, because they added VPN Fusion which is awesome for what I need, but I have no idea if it even has a kill-switch and no easy way to test for the kill-switch (just always connected to the internet, until VPN is connected, even with faulty VPN configs)
So I tried merlin, but actually also behaving similarly when I want to test for it (but then now I can use commands/scripts to test it, but just figuring it out right now)
But the options and the UI is 100 times better than stock

Anyways thx for this awesome FW
@eibgrad thx for the scripts

Bro Just Disable NAT on your VPN router. That’s it. It will kill all traffic if VPN is off For any reason.

 

[PR3MIUM]

Feature-bloat. Having too many available options only causes confusion and makes it harder to use a product. I prefer to go with an implementation that makes the most sense.

Also more complexity = more chances of introducing hard-to-track bugs, as the number of possible scenarios increases exponentially as you add more features.

Kill it all. Thats why Wireguard has for 1 reason a extra KillSwitch, maybe..

 

[guitargeek]

How about adding a 2nd KillSwitch like Wireguard does? Then problem solved and it's not complex.

 

[Viktor Jaep]

If you disable NAT in your VPN router, it acts as a kill switch. If vpn tunnel goes off, all traffic will stop. No device can access internet.

I wanted to dive into this claim a little further... is this true?

I thought that by disabling NAT, instead of packets going out with your public IP, instead they would be going out with your internal private IP scheme (192.168.x)... In that state they shouldn't get very far...

In a normal world you would think your ISP would just block private IPs at the routing layer, but for those in nefarious countries with nefarious ISPs, could they use this info against you and possibly gain more info on you when you were counting on this to be a killswitch?

And also... if NAT is off, would openvpn have any trouble doing DNS lookups, routing, etc. in order to re-establish another (possibly new) VPN server?