Kill switch + reboot

banr

New Around Here
Hi everybody!
I've just noticed strange behavior of the KillSwitch with these settings:
Automatic start at boot time = Yes
Redirect Internet traffic through tunnel = Yes
Killswitch - Block routed clients if tunnel goes down = Yes
When the router reboots, then for a couple of seconds a server can see the real IP address (not the VPN server address).
This looks strange. Power can go down suddenly, and the Killswitch doesn't work in this case.
Regards
 

arpydude

Occasional Visitor
I also have noticed this with the same settings above: the kill switch does apply during startup, possibly before the tunnel is up.

Can vpnmon be used to circumvent this behavior at startup? (Proton user)

Would a startup script with a time delay bringing the guest wireless interfaces down/up work, or is it a requirement for the tunnel-up processes? (multiple YazFi OVPNs)

A startup script with a time delay blocking, then unblocking, internet per subnet or MAC address?

Any preferred or working method greatly appreciated.


RT-AC68U--368.7_2--YAZFIv4.4.2--entware
 

Viktor Jaep

Very Senior Member
@banr @arpydude ... In case you wanted to check this method out, KILLMON inserts itself into the firewall-start service event to prevent any unwanted traffic from getting out during a router reboot... it complements the expected behavior of the kill switch that's built into the Asus-Merlin UI. In conjunction with using VPNMON-R2, it's a pretty tight setup that is blocking anything from getting out when my VPN goes down.
 
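The firewall-start approach described above, as an added example that is not KILLMON's or Asus-Merlin's own code: a hook that drops forwarded traffic from each YazFi guest subnet to the raw WAN interface while allowing it out through its own tunnel, so the boot-time window before the tunnel is up does not expose the real address. The subnet-to-tunnel mapping (tun11/tun12), the WAN_IF and DRY_RUN switches, and the use of eth0 off the router are assumptions for this example.

```shell
#!/bin/sh
# Added example, not KILLMON's or Asus-Merlin's own code. Intended as
# /jffs/scripts/firewall-start: Merlin runs it every time the firewall is
# (re)built, including early in boot, before the OpenVPN clients are up.
# Assumptions: YazFi guest subnets map to OpenVPN clients 1 and 2 (tun11,
# tun12 on Merlin); WAN_IF and DRY_RUN are example-only overrides.

# Assumed subnet -> tunnel mapping for the two guest networks in the thread.
GUEST_MAP="192.168.101.0/24:tun11 192.168.102.0/24:tun12"

# WAN interface from nvram on the router; WAN_IF override / eth0 elsewhere.
wan_if() {
    if [ -n "$WAN_IF" ]; then echo "$WAN_IF"
    elif command -v nvram >/dev/null 2>&1; then nvram get wan0_ifname
    else echo eth0; fi
}

# Emit the iptables commands for one subnet. Each rule is deleted before it
# is inserted so re-running the hook never stacks duplicates. Both inserts
# go to position 1 of FORWARD, so the ACCEPT (emitted last) ends up above
# the DROP and ahead of the firmware's own accept rules:
#   FORWARD 1: -s subnet -o tunXX -j ACCEPT   (traffic inside the tunnel)
#   FORWARD 2: -s subnet -o WAN   -j DROP     (raw WAN: tunnel down or not up yet)
# OUTPUT is untouched, so the router's own DoT queries keep working.
rules_for() {
    subnet=$1; tun=$2; wan=$3
    for spec in "-o $wan -j DROP" "-o $tun -j ACCEPT"; do
        printf 'iptables -D FORWARD -s %s %s 2>/dev/null\n' "$subnet" "$spec"
        printf 'iptables -I FORWARD 1 -s %s %s\n' "$subnet" "$spec"
    done
}

# Build the command list for every mapped subnet.
build_rules() {
    wan=$(wan_if)
    for entry in $GUEST_MAP; do
        rules_for "${entry%%:*}" "${entry##*:}" "$wan"
    done
}

# DRY_RUN=1 prints the commands; otherwise they are executed.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then build_rules; else build_rules | sh; fi
}

# Only act when run as the hook itself; sourcing the file has no side effects.
case "$0" in *firewall-start) apply_rules ;; esac
```

Run it once with DRY_RUN=1 to review the generated iptables lines before installing it as the hook.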

arpydude

Occasional Visitor
Thanks for the response.
So if I understand the readme correctly, KILLMON drops routing out the WAN based on all/subnet-range/IP at startup. VPNMON-R2 pings a selected IP address that is only accessible through the VPN, and if it fails it restarts all VPNs. A nice complement to the whole solution.

Round-robin to reconnect to new servers looks very interesting; will look at that after.
"Kill the Sh** out of IPv6" is a nice feature.


Just to be clear, in YazFi I have IPs of 192.168.101.0 and 192.168.102.0 for two wireless guest networks going to ovpn1 and ovpn2.
So I'm using different IP guest networks for different YazFi guest tunnels. From the KILLMON readme and pictures it appears to only support 1 IP network range. Is that correct?

I'm asking this because I would prefer subnets as opposed to paranoid mode.

Setup: Running RT-AC68U--368.7_2--YAZFIv4.4.2--entware, running the legacy platform, not the HND platform. IPv6 disabled in the Merlin UI. Entware updated.
 

Viktor Jaep

Very Senior Member
If you have 2 simultaneous VPN clients running, then vpnmon-r2 may not be for you. It tries to weed multiple connections down to just 1 connection to prevent connectivity/routing issues. It sounds like you have a relatively complex environment... props to you!

And yes, unfortunately killmon only supports 1 range at this time. I'm planning on expanding this in the future to allow for more flexibility.

But yeah, it does kill the sh*t out of IPv6! :p
 

arpydude

Occasional Visitor
What I have noticed as the main problem is that during a reboot, when the guest wireless comes up it serves the main router LAN IP 192.168.1.x, and then when the tunnels come up it restarts wifi and serves up the YazFi 192.168.101.x. I installed KILLMON with paranoid and reboot mode, and it does block outbound when served the 192.168.1.x address at startup. So it worked. The problem is that DNS over TLS goes down on the main 192.168.1.x.
 

Viktor Jaep

Very Senior Member
Perhaps try to create a range that excludes the IP of your router? Under "Paranoid Mode", as soon as a VPN tunnel gets re-established, all traffic would be allowed out over it, including DoT.
 

arpydude

Occasional Visitor
Could not get KILLMON to function with YazFi with multiple OVPNs concurrently running and DoT for the main network. I use DoT as my adblocker, and it is my preferred DNS protocol. Let me know if you make changes and I will help with the testing. I can verify it works great if you're only using 1 OVPN. I did not get around to testing vpnmon-r2, but it looked very good.

Updated:
 

Viktor Jaep

Very Senior Member
Could not get it to function with YazFi and DoT. I use DoT as my adblocker, and it is my preferred DNS protocol. Let me know if you make changes and I will help with the testing.
Well, I'm using YazFi and DoT as well... and they work fine with killmon. I think the big difference is that all my YazFi guest networks go out over the same (1) VPN connection? Thanks for being willing to test when the time comes! :)
 

arpydude

Occasional Visitor
I went back and changed my last post after re-reading it because I found I was rather lacking in description and courtesy. Not the way I thought it came across when I first typed it. I just want to say thank you for your time and effort in creating your scripts and responding to my questions. I'm new with Merlinwrt and I have to say it's very nice, and I got up and off the ground rather easily thanks to everyone. Cheers :)
 

Viktor Jaep

Very Senior Member
Absolutely, @arpydude... no offense taken whatsoever! :) I'm glad you're having fun and diving into the scripts already! Cheers backatcha! :)
 

arpydude

Occasional Visitor
I can never write anything or correct things correctly. I just noticed I left out the offer to help test it in my update of the post. SMH. Yes, I am definitely willing to help out with any testing necessary.
 
