KILLMON KILLMON v1.1.2 -Feb 29, 2024- IP4/IP6 VPN Kill Switch Monitor & Configurator (Now available in AMTM!)

[Viktor Jaep]

Killswitch doesn't affect digital radio / internet radio (Hardware!) + Shoot 1 Guest Wifi out of the air!

If I manually kick out the VPN my laptop can not connect, my iPhone either, both behave as it should as there is this kill switch working. After about a minute the VPN does automatic reconnect by VPNMON, as it should. After that, webpages are back online. I just noticed (after all evening playing around) that my internet radio was playing music (nice smooth jazz) all the time! How?!?!?! Same wifi.

Well, thats a strange behavior isn't it? Can connect to a new station immediately (so not a buffer thing) FlexQoS is on. Might be the problem? Although I noticed, after switch on the killmon in the first place better not make changes in any VPN configuration. Seems make problems too. at least for a few seconds full internet access till next reset and start of VPNMON. But what me really concerns is that internet radio was playing all the time. Ok, it was a forced vpn shut down. Might behave different when there is a real connection problem. But u might have a look on that. Maybe the problem is that the radio was playing all day and can connect even during startup before the vpn/VPNMON/KILLMON starts?

Well, anyone noticed the same behavior?

And it shoot away one (just one!) of the guest wifi 2,4GHz (even disapeard in the guest wifi menu in asus!) (but not the others and no 5GHz at all) very very strange. State remained trough a reboot. I shut down KILLMON by rr. Guestnetwork back online! Back in Menu as well.

anyone noticed the same behavior?

well, i wont use it for now (missing a -unistall option, but rm killmon.sh manual)

Regards

What do your VPN director rules look like? And how is killmon configured? Provide some screenshots please? And yes, there definitely could be some conflict with flexqos as it manipulates iptables as well.

 

[igo]

I use only one rule in VPN director. Might be the problem it is only active for VPN1 not for 2-5 !? But it was working fine till now.
Screenshot attached. KILLMON I removed already.
But Configuration was pm + p6 + re (IP6+6 paranoid mode and reboot protection on) and W1 =0 ( WAN 1 not active)

 

[Viktor Jaep]

I use only one rule in VPN director. Might be the problem it is only active for VPN1 not for 2-5 !? But it was working fine till now.
Screenshot attached. KILLMON I removed already.
But Configuration was pm + p6 + re (IP6+6 paranoid mode and reboot protection on) and W1 =0 ( WAN 1 not active)


View attachment 47936

If you are using more than 1 VPN slot, then all your traffic would be going over the WAN if your VPN connects using slots 2-5.

 

[igo]

Actually I dont use VPN director, as I want route anything over vpn. (just saw, sorry previous post was partly wrong)

Configured in VPN the follwoing: Yes (all) --> means not use VPN director.
(Even there was one rule configured, it wasnt active. And the VPN routing did do its job, till this tryout. Always had VPN IP in dnsleaktest.)

Can that be the problem? Does Killmon need VPN director routing?

Update: Just had a vpn failure and could see my real IP on dnsleaktest.com, with this configuration --> means that "Asus Killswitch" shown in the picture is not working at all. VPNMON working fine, just did a new dial in. Perfect, great job!

 

[Viktor Jaep]

Actually I dont use VPN director, as I want route anything over vpn. (just saw, sorry previous post was partly wrong)

Configured in VPN the follwoing: Yes (all) --> means not use VPN director.
(Even there was one rule configured, it wasnt active. And the VPN routing did do its job, till this tryout. Always had VPN IP in dnsleaktest.)

Can that be the problem? Does Killmon need VPN director routing?

View attachment 47940

No, it doesn't need VPN Director to operate. It's very simple. In paranoid mode, it simply restricts all traffic to get out over the WAN, and will require a working VPN connection to get to the internet. That includes PCs, iphones and your internet radio.

But at this point, it seems pointless to guess as you no longer have a working model to allows us to troubleshoot this. If all traffic was rejected when the killswitch was on while VPN was down, except for your internet radio, there has got to be more there, as these iptables rules don't make exceptions. There's a whole slew of variables we would need to look at, ranging from the configuration of your router, vpn clients, killmon, your internet radio, flexqos (and would probably need to work with @dave14305 to get a better understanding how it interacts with possible conflicting iptables rules)... and doing some deepdives to see what your devices are connecting to.

 

[igo]

No, it doesn't need VPN Director to operate. It's very simple. In paranoid mode, it simply restricts all traffic to get out over the WAN, and will require a working VPN connection to get to the internet. That includes PCs, iphones and your internet radio.

But at this point, it seems pointless to guess as you no longer have a working model to allows us to troubleshoot this. If all traffic was rejected when the killswitch was on while VPN was down, except for your internet radio, there has got to be more there, as these iptables rules don't make exceptions. There's a whole slew of variables we would need to look at, ranging from the configuration of your router, vpn clients, killmon, your internet radio, flexqos (and would probably need to work with @dave14305 to get a better understanding how it interacts with possible conflicting iptables rules)... and doing some deepdives to see what your devices are connecting to.

yeah right!

But maybe someone else will notice his internet radio too continue to play or has similar problems. Just let us know.

Thanks

 

[Viktor Jaep]

yeah right!

But maybe someone else will notice his internet radio too continue to play or has similar problems. Just let us know.

Thanks

I have pandora, and youtube music... they both stop playing when I lose my VPN connection with the killswitch enabled. So there's that?

 

[Viktor Jaep]

Minor release today to help fix a situation where killmon was not in sync with its settings in the config and firewall-start file after an uninstall/reinstall. Enjoy!

What's new?
v1.05 - (February 20, 2023)
* FIXED: Fixed some of the logic when it came to killmon being out of sync with the contents of the firewall-start file and its accompanying killmon.cfg settings. Thanks to @DAVID LONG for bringing this to my attention. Also fixed the uninstall routine to make sure the firewall-start file has been cleared of its killmon entry.

Download link:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-1.05.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"

 

[Viktor Jaep]

Anyone interested?

Maybe they should consider KILLMON.

 

[igo]

Hi Viktor,

did try Killmon again last days. Was working fine now. Without FlexQoS this time.
After a "cold" reboot (power plug out") the NTP did not sync and no script was starting. Log: waiting for NTP sync...
I removed all Killmon rules. reboot. Working fine again. Any suggestions?
Merlin NTP is on it. Toggle redirect of all NTP traffic to ntpMerlin Currently: Disabled. Might be the problem?

 

[Viktor Jaep]

Hi Viktor,

did try Killmon again last days. Was working fine now. Without FlexQoS this time.
After a "cold" reboot (power plug out") the NTP did not sync and no script was starting. Log: waiting for NTP sync...
I removed all Killmon rules. reboot. Working fine again. Any suggestions?
Merlin NTP is on it. Toggle redirect of all NTP traffic to ntpMerlin Currently: Disabled. Might be the problem?

Unfortunately I'm not familiar with ntpMerlin, or how it behaves. This is what a killswitch is meant to do - ie. block all traffic upon a cold startup. It doesn't make exceptions for NTP. I didn't seem to have any issues with my router rebooting and recovering by connecting to a VPN. But I'm sure there's lots of variables that need to be considered in something that is as extreme as this.

 

[igo]

Unfortunately I'm not familiar with ntpMerlin, or how it behaves. This is what a killswitch is meant to do - ie. block all traffic upon a cold startup. It doesn't make exceptions for NTP. I didn't seem to have any issues with my router rebooting and recovering by connecting to a VPN. But I'm sure there's lots of variables that need to be considered in something that is as extreme as this.

yeah I guess ur router is a bit faster than my old RT-AC66U B1... I saw u put a 22 seconds sleep before the Killmon startup in the firewall rules. I might try a few seconds longer sleep next time. so NTP could sync first. But not today anymore.

 

[Viktor Jaep]

yeah I guess ur router is a bit faster than my old RT-AC66U B1... I saw u put a 22 seconds sleep before the Killmon startup in the firewall rules. I might try a few seconds longer sleep next time. so NTP could sync first. But not today anymore.

Let me know how it works out for you! I looked, but I'm not putting in any delays... it just puts this statement in the firewall-start file:

sh /jffs/scripts/killmon.sh -protect & # KillSwitch Monitor

But you could probaby delay it like so:

(sleep 30 && sh /jffs/scripts/killmon.sh -protect) & #KillSwitch Monitor

...but just know, that leaves you exposed, however if it's not a biggie, that's up to you!

 

[Viktor Jaep]

Very excited to share the great news that KILLMON is now being included in AMTM 3.5! Many thanks to @thelonelycoder for his consideration in making this tool available to all AMTM users!

I'm looking forward to continuing to support and enhance this tool!!

 

[salvo]

Hello @Viktor Jaep ,

Just a question about your integration of KILLMON within VPNMON. So far I use separately VPNMON and killswitch script from eibgrad due to VPN director rules usage.

Do you use VPN director rules within KILLMON / VPNMON ? Is there a way to make a configuration in KILLMON / VPNMON as below rules ?

192.168.1.0 no VPN for any remote IPs
192.168.5.0 yes VPN for any remote IPs except 160.* and 194.*

Thanks

 

[Viktor Jaep]

Hello @Viktor Jaep ,

Just a question about your integration of KILLMON within VPNMON. So far I use separately VPNMON and killswitch script from eibgrad due to VPN director rules usage.

Do you use VPN director rules within KILLMON / VPNMON ? Is there a way to make a configuration in KILLMON / VPNMON as below rules ?

192.168.1.0 no VPN for any remote IPs
192.168.5.0 yes VPN for any remote IPs except 160.* and 194.*

Thanks

Great question, @salvo ... in the case of KILLMON, I am not using VPN Director rules, unlike Eibgrad's script... mine are broken down into 3 categories: (1) anything and everything, (2) a sequential IP range, or (3) a single IP. I have plans on developing this further to allow for more variations.

In your case, you could probably get away with the IP range option in KILLMON, using 192.168.5.1 - 192.168.5.159... I guess, as long as you don't have any other clients dispersed through .160 and up? You would probably also want to ensure your DHCP is set for 1-159 as well, just to prevent exceptions from going outside that range.

 

[Clark Griswald]

@Viktor Jaep
I laughed when I read your post, because I thought you were posting a New Feature, and not what you posted. You are so expeditious at doing so much with your coding skills, and I thought "dang", and in 15 minutes.
Big Thank You For All Your Assistance To These Forums!

 

[Viktor Jaep]

@Viktor Jaep
I laughed when I read your post, because I thought you were posting a New Feature, and not what you posted. You are so expeditious at doing so much with your coding skills, and I thought "dang", and in 15 minutes.
Big Thank You For All Your Assistance To These Forums!

Lol, I'm not that quick! You're very welcome...

 

[salvo]

Great question, @salvo ... in the case of KILLMON, I am not using VPN Director rules, unlike Eibgrad's script... mine are broken down into 3 categories: (1) anything and everything, (2) a sequential IP range, or (3) a single IP. I have plans on developing this further to allow for more variations.

In your case, you could probably get away with the IP range option in KILLMON, using 192.168.5.1 - 192.168.5.159... I guess, as long as you don't have any other clients dispersed through .160 and up? You would probably also want to ensure your DHCP is set for 1-159 as well, just to prevent exceptions from going outside that range.

Thanks for the quick respons, maybe I wasn't clear at the beginning.

The 160* and 194* are remote IP addresses, not local network, i.e. my use case is that I want to have COREELEC behind the VPN, but at the same time some COREELEC app needs access to IP addresses that are blocked by NORD VPN for some reason (I have asked nord vpn to whitelist them, but so far it hasn't happened).

 

[Viktor Jaep]

Thanks for the quick respons, maybe I wasn't clear at the beginning.

The 160* and 194* are remote IP addresses, not local network, i.e. my use case is that I want to have COREELEC behind the VPN, but at the same time some COREELEC app needs access to IP addresses that are blocked by NORD VPN for some reason (I have asked nord vpn to whitelist them, but so far it hasn't happened).

Gotcha... In that case, it may be better to continue using eibgrads script since it does handle those exclusions better. I frankly haven't been able to wrap my head around that - eibgrad is a wiz, and started with wanting to keep KILLMON as simple and straightforward as possible. I will be planning on being able to allow for more ranges or more single IPs in the future, and I'll see where I get on taking VPN director into consideration.