KILLMON KILLMON v1.1.2 -Feb 29, 2024- IP4/IP6 VPN Kill Switch Monitor & Configurator (Now available in AMTM!)

[Viktor Jaep]

Thanks for your assistance, I just couldn't get it to work. I setup, specified ip4 range, turned off service state, still able to access internet.

What does your KILLMON configuration look like, what does your VPN configuration look like, and what is the IP of the PC accessing the Internet, and how is it setup?

 

[audioquest]

What does your KILLMON configuration look like, what does your VPN configuration look like, and what is the IP of the PC accessing the Internet, and how is it setup?

I unistalled, I will reinstall tomorrow and provide you with info requested. Does the usb always need to be connected to the router, and it's okay to take snapshots of my setup and post?

 

[audioquest]

I unistalled, I will reinstall tomorrow and provide you with info requested. Does the usb always need to be connected to the router, and it's okay to take snapshots of my setup and post?

My VPN provider is NordVPN redirect traffic (exclusive) VPN directory policy rules - 192.168.11.0/24) Interface OVPN1 Nordvpn Local IP 192.168.11.11

 

[Viktor Jaep]

I unistalled, I will reinstall tomorrow and provide you with info requested. Does the usb always need to be connected to the router, and it's okay to take snapshots of my setup and post?

I would keep the environment stable... meaning, yes... keep your usb connected, entware installed, swapfile active, JFFS partition enabled... etc. Necessary if you want to properly run scripts.

My VPN provider is NordVPN redirect traffic (exclusive) VPN directory policy rules - 192.168.11.0/24) Interface OVPN1 Nordvpn Local IP 192.168.11.11

Would probably need some more info... screenshots on how you've configured everything. KILLMON working fine on this end with similar settings.

 

[audioquest]

I would keep the environment stable... meaning, yes... keep your usb connected, entware installed, swapfile active, JFFS partition enabled... etc. Necessary if you want to properly run scripts.

Would probably need some more info... screenshots on how you've configured everything. KILLMON working fine on this end with similar settings.

I tested the following - kill $(ps | grep [v]pnclient1 | awk '{print $1}') which did kill the VPN and did not allow access to the internet, so at least for now under certain anomalies it worked. I will try again over the weekend. Thanks for your help.

 

[Viktor Jaep]

I tested the following - kill $(ps | grep [v]pnclient1 | awk '{print $1}') which did kill the VPN and did not allow access to the internet, so at least for now under certain anomalies it worked. I will try again over the weekend. Thanks for your help.

Sliding the on/off switch to the off position under your VPN client in the UI would do the same thing... you should see similar results.

 

[audioquest]

Sliding the on/off switch to the off position under your VPN client in the UI would do the same thing... you should see similar results.

When sliding off , I am still allowed internet access

 

[Viktor Jaep]

When sliding off , I am still allowed internet access

There's a lot of variables here... is Killmon showing all green? What range(s) are you using? Is the device you're browsing from part of the IP range that should be denied? Have you tried single IP vs. range vs. paranoid mode? Are you making other changes to your iptables after killmon has already made its changes with other scripts? Are you using IPv6? Is IPv6 blocking enabled in Killmon?

 

[audioquest]

There's a lot of variables here... is Killmon showing all green? What range(s) are you using? Is the device you're browsing from part of the IP range that should be denied? Have you tried single IP vs. range vs. paranoid mode? Are you making other changes to your iptables after killmon has already made its changes with other scripts? Are you using IPv6? Is IPv6 blocking enabled in Killmon?

IP4 local 192.168.11.11 range 192.168.1.0/24 I also tried using ip of my pc and that did not work when . I will need to reinstall.
IP4 was green, only , I even tried a range 192.168.11.100 192.168.11.200 when I turned off vpn, still had access

 

[audioquest]

IP4 local 192.168.11.11 range 192.168.1.0/24 I also tried using ip of my pc and that did not work when . I will need to reinstall.
IP4 was green, only , I even tried a range 192.168.11.100 192.168.11.200 when I turned off vpn, still had access

If you manually turn off the VPN, will Killmon prevent all access to the internet.

 

[audioquest]

Sliding the on/off switch to the off position under your VPN client in the UI would do the same thing... you should see similar results.

when you have time would you please provide me a snapshot what Killmon needs to look like for the script to work.

 

[Viktor Jaep]

IP4 local 192.168.11.11 range 192.168.1.0/24 I also tried using ip of my pc and that did not work when . I will need to reinstall.
IP4 was green, only , I even tried a range 192.168.11.100 192.168.11.200 when I turned off vpn, still had access

OK... this is probably why you're not having much luck.

If you've configured KILLMON to use the range 192.168.1.0/24, then it's expecting any address that falls between 192.168.1.1 - 192.168.1.254 to get blocked if the VPN goes down. If your client is on 192.168.11.11, then that's a completely different subnet than what KILLMON is expecting to see.

If your router is using IP 192.168.11.1... and your client is using 192.168.11.11... then you need to configure KILLMON to use range 192.168.11.0/24.

Same reasoning for using the range 192.168.11.100 - 192.168.11.200... it's going to block all IPs between that range. But if your client is 192.168.11.11, then you fall outside that range, and will be able to browse even if the VPN goes down.

So try this... just use the Single IP mode for now to test... then expand when you're comfortable. Don't even connect your VPN. Leave it off. Set the Single IP to your local client PC - 192.168.11.11.... then run "sm" to enable the Single IP Mode. Once enabled, see if you can get to the internet. If you're sure you aren't using IPv6 as well, then you should be blocked. If you can still browse, then either IPv6 is on (pc, router, etc.), or you have bigger problems to deal with on your end.

If you manually turn off the VPN, will Killmon prevent all access to the internet.

Yes... the only way to get to the internet would be with a functional VPN client that has successfully connected. All other traffic would be denied from getting out over the WAN.

when you have time would you please provide me a snapshot what Killmon needs to look like for the script to work.

Here you go:

 

[audioquest]

OK... this is probably why you're not having much luck.

If you've configured KILLMON to use the range 192.168.1.0/24, then it's expecting any address that falls between 192.168.1.1 - 192.168.1.254 to get blocked if the VPN goes down. If your client is on 192.168.11.11, then that's a completely different subnet than what KILLMON is expecting to see.

If your router is using IP 192.168.11.1... and your client is using 192.168.11.11... then you need to configure KILLMON to use range 192.168.11.0/24.

Same reasoning for using the range 192.168.11.100 - 192.168.11.200... it's going to block all IPs between that range. But if your client is 192.168.11.11, then you fall outside that range, and will be able to browse even if the VPN goes down.

So try this... just use the Single IP mode for now to test... then expand when you're comfortable. Don't even connect your VPN. Leave it off. Set the Single IP to your local client PC - 192.168.11.11.... then run "sm" to enable the Single IP Mode. Once enabled, see if you can get to the internet. If you're sure you aren't using IPv6 as well, then you should be blocked. If you can still browse, then either IPv6 is on (pc, router, etc.), or you have bigger problems to deal with on your end.

Yes... the only way to get to the internet would be with a functional VPN client that has successfully connected. All other traffic would be denied from getting out over the WAN.

Here you go:

View attachment 56993

Thanks, I want to make sure I'm explain my setup correctly I have attached my lan ip

 

[audioquest]

Thanks, I want to make sure I'm explain my setup correctly I have attached my lan ip

Also, when I specified 192.168.11.0/24 as the ip4 range it stated that it was incorrect value. R1 192.168.11.0.24 and when asked for ending range I just hit enter. Also, when using Putty to access router SSH, how do you gracefully exit the script once you completed setup.

 

[Viktor Jaep]

Also, when I specified 192.168.11.0/24 as the ip4 range it stated that it was incorrect value. R1 192.168.11.0.24 and when asked for ending range I just hit enter. Also, when using Putty to access router SSH, how do you gracefully exit the script once you completed setup.

OK... so your router is 192.168.11.11... What is the client PC's IP address that you are testing with? This is what you want to change the Single IP to... don't include your router in this mix.

When you enter the "r1" range... it asks you if you want to enter it in CIDR or IP Range format.

If you choose "0" (CIDR format)... then you would enter "192.168.11.0/24"

If you choose "1" (IP Range format)... then you would enter "192.168.11.1" for the start, and "192.168.11.254" for the end.

Also, when using Putty to access router SSH, how do you gracefully exit the script once you completed setup.

Just type "exit"

 

[audioquest]

OK... so your router is 192.168.11.11... What is the client PC's IP address that you are testing with? This is what you want to change the Single IP to... don't include your router in this mix.

When you enter the "r1" range... it asks you if you want to enter it in CIDR or IP Range format.

If you choose "0" (CIDR format)... then you would enter "192.168.11.0/24"

If you choose "1" (IP Range format)... then you would enter "192.168.11.1" for the start, and "192.168.11.254" for the end.


View attachment 56997


Just type "exit"

It worked see attached, much appreciated that you took the time to help me. One Question regarding Enable/Disable Kill Switch Rules on Router/Firewall restart, how do I know it enabled, also what would happen if I removed the usb from the for some reason I wasn't seeing all the options that the script uses. That was my problem

 

[Viktor Jaep]

It worked see attached, much appreciated that you took the time to help me. One Question regarding Enable/Disable Kill Switch Rules on Router/Firewall restart, how do I know it enabled, also what would happen if I removed the usb from the for some reason I wasn't seeing all the options that the script uses. That was my problem

Good deal! I would still change your "Single IP" value to something other than your Router IP. Use like an internal workstation that you can enable for testing if you needed to.

You would be able to find a start command under your /jffs/scripts/firewall-start file... as soon as your router restarts and the firewall starts, so do the killmon killswitch commands.

If you take out your USB, you may cripple killmon. It requires entware which is located on your USB drive. Try to find something reliable yet cheap, and keep it hooked up.

 

[audioquest]

Good deal! I would still change your "Single IP" value to something other than your Router IP. Use like an internal workstation that you can enable for testing if you needed to.

You would be able to find a start command under your /jffs/scripts/firewall-start file... as soon as your router restarts and the firewall starts, so do the killmon killswitch commands.

If you take out your USB, you may cripple killmon. It requires entware which is located on your USB drive. Try to find something reliable yet cheap, and keep it hooked up.

I'll change the IP to my PC. Thank You so much for taking the time to guide me thru the setup.

I still don't understand
rr : Disable and Reverse ALL Kill Switch Rules from iptables means so what state it's in

 

[Viktor Jaep]

I'll change the IP to my PC. Thank You so much for taking the time to guide me thru the setup.

Absolutely!

I still don't understand
rr : Disable and Reverse ALL Kill Switch Rules from iptables means so what state it's in

This basically backs out all the changes from your firewall iptables, and puts it back the way it was. Basically disables Killmon... which may be necessary at times.

 

[audioquest]

Absolutely!


This basically backs out all the changes from your firewall iptables, and puts it back the way it was. Basically disables Killmon... which may be necessary at times.

Viktor, do you have a script that would notify you if Killmon encounters a problem or stops working?