Need router VPN kill switch that allows WAN traffic

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


New Around Here
I want to add a VPN kill switch to my router. The problem is that most of the examples I've seen shut down access to the WAN port.

This is my setup:

modem -> |router1 (open)| Router1.LAN -> Router2.WAN -> |router2 (vpn)|

Router1 is connected to the modem and offers open access. There is a cable from a LAN port on Router1 to the WAN port on Router2. Router2 is running a VPN client.

This is what I have now on Router2:

iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

It works as a kill switch, but prevents all access to Router1 from Router2. I want to be able to access devices on Router1 from Router2.

Does anyone have any other ideas?


Very Senior Member
iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -j DROP
iptables -I FORWARD -i br0 -d $(nvram get wan0_ipaddr)/$(nvram get wan0_netmask) -j ACCEPT


Very Senior Member
P.S. I'm assuming you're using AsusWRT/Merlin here (it's the most common option discussed on these forums), but if it's something else, let me know. The specific nvram variables will differ among the various third-party firmwares (dd-wrt, tomato, Merlin, etc.).

For example, dd-wrt would require the following ...
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -j ACCEPT

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!