Need router VPN kill switch that allows WAN traffic


New Around Here
I want to add a VPN kill switch to my router. The problem is that most of the examples I've seen shut down access to the WAN port.

This is my setup:

modem -> |router1 (open)| Router1.LAN -> Router2.WAN -> |router2 (vpn)|

Router1 is connected to the modem and offers open access. There is a cable from a LAN port on Router1 to the WAN port on Router2. Router2 is running a VPN client.

This is what I have now on Router2:

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

It works as a kill switch, but prevents all access to Router1 from Router2. I want to be able to access devices on Router1 from Router2.

Does anyone have any other ideas?


Part of the Furniture
iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -j DROP
iptables -I FORWARD -i br0 -d $(nvram get wan0_ipaddr)/$(nvram get wan0_netmask) -j ACCEPT


Part of the Furniture
P.S. I'm assuming you're using AsusWRT/Merlin here (it's the most common option discussed on these forums), but if it's something else, let me know. The specific nvram variables will differ among the various third-party firmwares (dd-wrt, tomato, Merlin, etc.).

For example, dd-wrt would require the following ...
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -j ACCEPT

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!