OpenVPN killswitch `prohibit` rule not applied via VPN Director / CLI (FW 3004.388.11)

[XxUnkn0wnxX]

Hi all,

I’ve been testing the OpenVPN client “Kill Switch” behavior on Asuswrt-Merlin and I’m seeing inconsistent behavior depending on how the tunnel is started.

Tested on:

• Router: ASUS GT-AX11000
• Firmware: 3004.388.11
• Branch: ubi firmware (NOT ROG build)
• OpenVPN only
• Tested with Policy Rules / VPN Director only
• IPv6 globally disabled on the router

The specific thing I’m tracking is the per-client RPDB rule:

from <ROUTED_CLIENT_LAN_IP> prohibit

Case 1 (works):
When Kill Switch is enabled and the tunnel is started from:

<ROUTER_WEBUI_BASE_URL>/Advanced_OpenVPNClient_Content.asp

…the prohibit rule is installed as expected:

admin@router:/# ip rule | grep <ROUTED_CLIENT_LAN_IP>
10210:  from <ROUTED_CLIENT_LAN_IP> lookup ovpnc1
12211:  from <ROUTED_CLIENT_LAN_IP> prohibit

Case 2 (problem):
If the tunnel is started via:

• VPN Director UI:

  <ROUTER_WEBUI_BASE_URL>/Advanced_VPNDirector.asp

• OR CLI:

admin@router:/# service start_vpnclient1

…then the tunnel can come up / routing can occur, but the kill switch prohibit rule does NOT get applied (i.e. no

from <ROUTED_CLIENT_LAN_IP> prohibit

line).

Verification command:

admin@router:/# ip rule | grep <ROUTED_CLIENT_LAN_IP>

Expected (Kill Switch respected regardless of start method):

10210:  from <ROUTED_CLIENT_LAN_IP> lookup ovpnc1
12211:  from <ROUTED_CLIENT_LAN_IP> prohibit

Observed (when started outside OpenVPN Client page):

10210:  from <ROUTED_CLIENT_LAN_IP> lookup ovpnc1
(no prohibit rule)

Question:

• Is this intended behavior, or a bug/regression?
• If intended: could the kill switch logic be applied consistently regardless of the start path (OpenVPN Client page vs VPN Director toggle vs service start/stop), so routed clients never silently fall back to WAN when Kill Switch is enabled?

Cheers