KILLMON v1.1.2 -Feb 29, 2024- IP4/IP6 VPN Kill Switch Monitor & Configurator (Now available in AMTM!)

As I understand it, a client under killmon cannot access WAN for some local services (with VPN director) while connected to VPN. For example the local IP TV service. Even if this is not possible, it is still a very good job, thank you! 👏
 
As I understand it, a client under killmon cannot access WAN for some local services (with VPN director) while connected to VPN. For example the local IP TV service. Even if this is not possible, it is still a very good job, thank you! 👏
It actually doesn't matter if you're running a VPN or not. If you have enabled killmon, it will block all traffic going out through the WAN for the specific IP address, IP range, or even all local IPs on your network... Once a VPN connection becomes available, traffic would flow again. If you need certain devices to get out no matter what, I would probably utilize the range feature, so you can exclude some (like the Local IP TV service) from getting onto the WAN if your VPN goes down.
 
Does anybody use KILLMON in IP Range mode with different subnets network like /21? For some reason it doesn't work in my environment with KILLMON, so I want to see if this scenario is foreseen and is more related to my environment.

My subnet mask is 255.255.248.0 or /21 so I am using 192.168.1.1-192.168.4.254 for WAN connection and IP range devices 192.168.5.1-192.168.5.253 for VPN connection. With kill switch script (by @eibgrad) and with the VPN director configured for the above scenario it works fine.

Thanks
 
Asus routers only support /24.
 
Does anybody use KILLMON in IP Range mode with different subnets network like /21? For some reason it doesn't work in my environment with KILLMON, so I want to see if this scenario is foreseen and is more related to my environment.

My subnet mask is 255.255.248.0 or /21 so I am using 192.168.1.1-192.168.4.254 for WAN connection and IP range devices 192.168.5.1-192.168.5.253 for VPN connection. With kill switch script (by @eibgrad) and with the VPN director configured for the above scenario it works fine.

Thanks
Unless someone chimes in otherwise... from what I've been able to find with iptables, if you use the IP - IP notation, it seems like it can only be within a /24. However, if you go with CIDR, then it looks like you could go beyond the /24, as I've seen examples of /16 and whatnot.
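
Added example (not part of the original posts and not KILLMON's code): one way to express a start-end range such as the 192.168.5.1-192.168.5.253 range from the question above as CIDR blocks, written for a POSIX shell. It assumes the shell does 64-bit arithmetic; the function names are made up for this illustration.

```sh
#!/bin/sh
# Added example, not KILLMON code. Assumes 64-bit shell arithmetic.

# Dotted quad -> integer (the subshell keeps the IFS change local).
ip2int() { ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) ); }

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START-END: print the smallest list of CIDR blocks that covers
# exactly the addresses START..END (inclusive), one block per line.
range2cidr() {
    start=$(ip2int "${1%-*}")
    end=$(ip2int "${1#*-}")
    while [ "$start" -le "$end" ]; do
        size=1; bits=32
        # Grow the block while it stays aligned on its own size and inside the range.
        while [ "$bits" -gt 0 ] && [ $(( start % (size * 2) )) -eq 0 ] \
              && [ $(( start + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 )); bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size ))
    done
}

# The VPN range quoted in the thread: 13 blocks, 192.168.5.1/32 ... 192.168.5.252/31.
range2cidr 192.168.5.1-192.168.5.253
```

A range that does not start and end on block boundaries expands into several prefixes, so a rule set built from CIDR notation needs one source match per printed line.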
 
Customary update to bring KILLMON's versioning alongside my other scripts and remove VPNMON-R2 integrations... Again, I have created a "develop" branch on GitHub in case anyone wants to contribute to the project as I recently did with VPNMON-R3 and BACKUPMON. I do have some plans for KILLMON in the future, and make it much more flexible, being able to handle multiple ranges, IPs, etc... so stay tuned! :)

What's new?
v1.1.2 - (February 29, 2024)
- MINOR: Removed integration with VPNMON-R2, and all references to it in the code. As VPNMON-R2 has been sunset, there are currently no plans of integrating any KILLMON indicators into VPNMON-R3. May look at building some killswitch functionality into R3 in the future.
- PATCH: Changed the versioning logic to align with the generally accepted way of versioning, using the notation: major.minor.patch ... finally, right? After seeing @thelonelycoder changing his ways, I figured it was probably time for me as well. All my scripts moving forward will go this route. Change log wording is now changed to conform to the major/minor/patch standards. So previously, FIXED now conforms to PATCH, ADDED conforms to MINOR, and MAJOR stays the same!
- PATCH: Fixed some of the look/feel of the interface, and brings it in line with some of my other tools, such as BACKUPMON, WXMON and RTRMON.

Download link (or update directly within AMTM or KILLMON itself):
Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon.sh" -o "/jffs/scripts/killmon.sh" && chmod 755 "/jffs/scripts/killmon.sh"

Significant Screenshots:

Vanilla KILLMON v1.1.2! :)
 
I do have some plans for KILLMON in the future, and make it much more flexible, being able to handle multiple ranges, IPs, etc... so stay tuned!
That's good news for the people who think a killswitch should be exactly what it says..
Glad to have KILLMON now.
I had a rule in the firewall-start script, this is about the same but more convenient.
And if you are able to combine a range with a single IP address it would be still more awesome.
Thanks
 
That's good news for the people who think a killswitch should be exactly what it says..
Glad to have KILLMON now.
I had a rule in the firewall-start script, this is about the same but more convenient.
And if you are able to combine a range with a single IP address it would be still more awesome.
Thanks
That's the plan... for multiple ranges, multiple single IPs, mix of both, IPv4/IPv6... should be awesome when completed! :)
 
KILLMON v1.1.2
Released February 29, 2024

Executive Summary: KILLMON is a shell script that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)

LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Latest update notes available here

Changelog here | What's new: Now available in AMTM!, Minor fix, Initial release!

Screenshots:
Running with both IPv4 and IPv6 enabled

Running with IPv6 disabled at the router level:

IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
Victor can I run the following curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-0.4.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh" from somewhere in my Asus RT-AX88u router? I am a novice

Thanks in advance
 
Victor can I run the following curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-0.4.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh" from somewhere in my Asus RT-AX88u router? I am a novice

Thanks in advance
Hi @audioquest ... The easiest thing to do is to open up an SSH command prompt, and just type:

AMTM

From there, you can find available scripts to download (press "i"), and KILLMON is one of these.

Alternatively, you could drop this command in your SSH window, and hit enter:

Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon.sh" -o "/jffs/scripts/killmon.sh" && chmod 755 "/jffs/scripts/killmon.sh"
 
When I open PuTTY and enter AMTM, unable to open connection, host does not exist
PuTTY requires you to create a profile containing your router IP address, port and optionally router username and password. Once you've made a connection, you would be able to enter commands.

Try this
 
Victor, IP range in setup - 192.168.1.50-192.168.1.60. My IP range is different, using different subnet
You can change it to your needs!
 
it is not accepting rl (define ip range) rl 192.168.11.0/24
Like this?

1709685704223.png


It's r + 1... like a one. Not an l (L)...

I might change this to make it more obvious and less prone to error in the near future...
 
Victor, IP range in setup - 192.168.1.50-192.168.1.60. My IP range is different, using different subnet
Thanks for your assistance, I just couldn't get it to work. I setup, specified ip4 range, turned off service state, still able to access internet.
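
Added example (not part of the thread and not KILLMON's code): when a kill rule appears to have no effect, a first check is whether the client's address actually falls inside the source match of a blocking rule on the WAN interface. The rule text is constructed sample data in `iptables -S FORWARD` format, `br0`/`eth0` are assumed interface names, and the function names are made up for this illustration.

```sh
#!/bin/sh
# Added example, not KILLMON code. Rule text below is constructed sample data;
# br0/eth0 are assumed LAN/WAN interface names.
RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o eth0 -m iprange --src-range 192.168.1.50-192.168.1.60 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.5.0/24 -i br0 -o eth0 -j DROP'

ip2int() { ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) ); }

# covered IP WAN_IF: read `iptables -S FORWARD` text on stdin and return 0 if
# some REJECT/DROP rule leaving WAN_IF has a source match that includes IP.
covered() {
    ip=$(ip2int "$1"); wan=$2
    while read -r line; do
        case "$line " in *" -o $wan "*) ;; *) continue ;; esac
        case $line in *"-j REJECT"*|*"-j DROP"*) ;; *) continue ;; esac
        set -- $line
        while [ $# -gt 1 ]; do
            case $1 in
                --src-range)                      # -m iprange: LOW-HIGH
                    lo=$(ip2int "${2%-*}"); hi=$(ip2int "${2#*-}")
                    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ] && return 0 ;;
                -s)                               # plain source: ADDR or ADDR/BITS
                    net=$(ip2int "${2%/*}"); bits=${2#*/}
                    [ "$bits" = "$2" ] && bits=32
                    [ $(( ip >> (32 - bits) )) -eq $(( net >> (32 - bits) )) ] && return 0 ;;
            esac
            shift
        done
    done
    return 1
}

# report IP WAN_IF: one-line verdict against the sample rules.
report() {
    if printf '%s\n' "$RULES" | covered "$1" "$2"; then echo "$1: blocked on $2"
    else echo "$1: NOT covered, can still leave via $2"; fi
}
report 192.168.1.55 eth0
report 192.168.11.20 eth0
```

On a router the same function can read live rules with `iptables -S FORWARD | covered 192.168.11.20 eth0`. Negated matches (`! -s`) and rules in chains that FORWARD jumps to are not handled.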
 
