KILLMON v1.0 -Nov 29, 2022- IP4/IP6 VPN Kill Switch Monitor & Configurator

Viktor Jaep

Very Senior Member
KILLMON v1.0
Released November 29, 2022

Executive Summary: KILLMON is a shell script (using the same look & feel of VPNMON-R2, RTRMON and PWRMON) that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)

LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Changelog here | What's new: Initial release!

Screenshots:
Running with both IPv4 and IPv6 enabled
killmon-0.3-main.jpg


Running with IPv6 disabled at the router level:
1668561770471.png


KILLMON is designed to work standalone to provide protection with whatever VPN setup you choose to use... but it does integrate nicely with VPNMON-R2, and will display current protection stats on the main VPNMON-R2 UI:

vpnmon-r2-2.37b2-main.jpg


IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
 
Last edited:
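
The IPv6 caveat in the post above can be checked mechanically. This is an added example, not part of the original post and not KILLMON's own code: it scans iptables-save / ip6tables-save output for a FORWARD rule that drops or rejects traffic leaving the WAN interface, and flags the case where only IPv4 is covered. The rule shape (`-i br+ -o eth0`), the interface name and the sample rule sets are constructed assumptions.

```shell
#!/bin/sh
# Added example (not KILLMON's code). Sample rule sets below are constructed;
# the rule shape and the WAN interface name eth0 are assumptions.

# has_wan_block RULES WAN_IF
# Succeeds when RULES (iptables-save format) contains a FORWARD rule that
# drops or rejects packets leaving through WAN_IF.
has_wan_block() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            out = ""; target = ""
            for (i = 3; i < NF; i++) {
                # skip negated matches such as "! -o eth0"
                if ($i == "-o" && $(i - 1) != "!") out = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (out == wan && (target == "DROP" || target == "REJECT")) found = 1
        }
        END { exit !found }'
}

# audit_killswitch V4_RULES V6_RULES WAN_IF IPV6_ENABLED(0|1)
# Prints covered, ipv4-unprotected or ipv6-leak; non-zero status on a gap.
audit_killswitch() {
    if ! has_wan_block "$1" "$3"; then
        echo "ipv4-unprotected"; return 1
    fi
    if [ "$4" = 1 ] && ! has_wan_block "$2" "$3"; then
        echo "ipv6-leak"; return 1
    fi
    echo "covered"
}

SAMPLE_V4='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br+ -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
SAMPLE_V6_NO_BLOCK='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_V6_BLOCK='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br+ -o eth0 -j DROP
COMMIT'

# IPv4-only kill switch on an IPv6-enabled router: reported as a leak.
audit_killswitch "$SAMPLE_V4" "$SAMPLE_V6_NO_BLOCK" eth0 1 || true
# Both families blocked.
audit_killswitch "$SAMPLE_V4" "$SAMPLE_V6_BLOCK" eth0 1 || true
# On a router, feed it "$(iptables-save -t filter)" and "$(ip6tables-save -t filter)".
```

Presence of the rule is necessary but not sufficient: iptables stops at the first matching rule, so an ACCEPT earlier in FORWARD for the same traffic would still win, and rule order needs checking as well.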

Viktor Jaep

Very Senior Member

How is this script supposed to run?

I would recommend running this script in its own SSH window from a PC that's connected directly to the Asus router. It's not meant to run continuously, as you would just run it to check on kill switch status, or to make modifications to the kill switch rules. Instructions:
  1. Download using your favorite SSH tools, copy & paste this command:
    Code:
    curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-1.0.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"
  2. Configure it using this command:
    Code:
    sh /jffs/scripts/killmon.sh -setup
  3. Run it standalone in an SSH window with this command:
    Code:
    sh /jffs/scripts/killmon.sh -monitor
  4. To make it even easier, simply execute the script name with the commandline switch, like so:
    Code:
    killmon -setup
    -or-
    killmon -monitor
    -or you can just run by just typing in the script name itself-
    killmon
    etc...

Do I need to configure anything?

You can enter the setup screen with the command 'killmon.sh -setup' or by hitting the "s" key in the main UI:
killmon-0.3-setup.jpg


First time setup will guide you on installing any Entware dependencies. Enjoy! Stay safe!! :)
 

ComputerSteve

Senior Member
So this is working great!! The only thing is for me that using this with x3mrouting seems to only work when I don't enable reboot protection - "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

If I leave this feature disabled & instead use a bad config on client 5 with auto start enabled at boot it functions perfectly. Meaning if I stop a client now the kill switch is on and the devices in the range I configured in your script can't connect to wan. Then when I turn them back on it works and the clients can connect even having x3mrouting rules applied. Wish there was a way reboot protection could work when x3mrouting is installed but I'm fine with just doing that makeshift auto start client 5 with a bad config to keep the clients disconnected at reboot.
 

SomeWhereOverTheRainBow

Part of the Furniture
KILLMON v0.3 (Preview)
Released November 13, 2022

Executive Summary: KILLMON is a shell script (using the same look & feel of VPNMON-R2, RTRMON and PWRMON) that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Changelog here | What's new: <coming soon>

Screenshots:
View attachment 45465

KILLMON is designed to work standalone to provide protection with whatever VPN setup you choose to use... but it does integrate nicely with VPNMON-R2, and will display current protection stats on the main VPNMON-R2 UI:

View attachment 45466

IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
Awesome work! You have done it again!
 

Viktor Jaep

Very Senior Member
Awesome! I'm really glad things are working, and sorry you still have to use the same workaround for the x3mrouting script. There is definitely something in conflict there... If you can still find a moment after x3mrouting has done its thing to run "killmon -protect", then at least you can enjoy a little automation without having to manually get things back in order? Or maybe alter the command to include a sleep statement and making sure it runs after the x3mrouting start up statement? Like this?

Code:
Editing your 'firewall-start' file under /jffs/scripts, add this line:

(sleep 30 && /jffs/scripts/killmon.sh -protect) &
 

ComputerSteve

Senior Member
Thanks for the suggestion but it didn't work =(... The script works great it seems if I don't add anything to firewall-start.
 

Viktor Jaep

Very Senior Member
I will add a note to the requirements/limitations section in the OP that there's an incompatibility with x3mrouting... thanks @ComputerSteve!
 

Viktor Jaep

Very Senior Member
Looking good!

For a future update, I think to make it YazFi compatible all you'll probably need to add wl interfaces to the firewall rules you implement in addition to the br+ stuff
Hey @Jack Yaz ... wanted to let you know that YazFi actually continues working just fine without any issue even with KILLMON rules in place! Whoo! ;)
 

Viktor Jaep

Very Senior Member
Small update to v0.4 today... I figured... why display all the extraneous IPv6 stuff if you have it disabled at the router level? So now the UI adjusts to remove all the IPv6 info if it's already disabled, and just leaves you with everything you need to manage the IPv4 kill switch.

1668561884672.png


Download Link:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-0.4.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"
 

mrf0ster

Occasional Visitor
Thanks Viktor, I will play around with this. Appreciate your response to my post earlier.
 

Viktor Jaep

Very Senior Member
Absolutely! Let me know if I can assist in any way, okay?
 

Ranger802004

Very Senior Member
KILLMON v0.4 (Preview)
Released November 15, 2022

Executive Summary: KILLMON is a shell script (using the same look & feel of VPNMON-R2, RTRMON and PWRMON) that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)

LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Changelog here | What's new: <coming soon>

Screenshots:
Running with both IPv4 and IPv6 enabled
View attachment 45465

Running with IPv6 disabled at the router level:
View attachment 45522

KILLMON is designed to work standalone to provide protection with whatever VPN setup you choose to use... but it does integrate nicely with VPNMON-R2, and will display current protection stats on the main VPNMON-R2 UI:

View attachment 45466

IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
You should just combine all of your scripts into a big super scripts and call it VIKTORMON lol.
 

Viktor Jaep

Very Senior Member
Time to kick this baby bird out of the nest! KILLMON v1.0 is going live today... it's been tested in single/dual-wan scenarios and I have been running it non-stop since its preview release with zero issues (much to my family's inconvenience and disappointment). LOL ;) Enjoy!

What's new?
v1.0 - (November 29, 2022)
* MAJOR: KILLMON v1.0 goes live today!
* CHANGED: Most recent major mod was removing all IPv6 related info in the UI if IP6 is turned off at the router level, and will only display IP4-related settings.
* FIXED: Minor code changes and enhancements to bring it up to the same back-end functional level as VPNMON-R2, RTRMON and PWRMON.

Download link:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-1.0.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"
 

cofetym

Senior Member
Hi! Viktor,

I'm back again and cannot help but tinker some more. I finally have vpnmon-r2 working well. You keep coming up with new features that lure one back in.
How do you add killmon to vpnmon-r2 ? Did I miss this somewhere?

Thanks, Cofetym:)
 

Viktor Jaep

Very Senior Member
;) This feature addition is coming soon... It will basically just give you an indicator that killmon is running and enabled within the vpnmon UI. If you've already enabled killmon, it will enforce Killswitch protection no matter what you're running. Once you upgrade to the next version of vpnmon, you'll see it. You can load the beta if you want to play with it?
 
