Redirect Internet traffic, blocking when VPN is down


erik svensson

New Around Here
Hi

I use the openVPN client in Merlin to connect to my VPN provider. As with all VPN-services the connection is lost from time to time, and I've been looking for a way to block all traffic when this happens.

The "Block routed clients if tunnel goes down" option under "Redirect Internet traffic" seems to be just what I'm looking for.

After reading the README I thought I'd just have to switch to "Policy Rules" and add a rule saying that source IP 0.0.0.0 and destination IP 0.0.0.0 should have iface value "VPN". Then I enable "Block routed clients if tunnel goes down".

Unfortunately this seems to make nothing go through my VPN (the exact opposite of what I wanted to achieve).

The system log says:

Sep 19 20:15:26 openvpn-routing: Configuring policy rules for client 1
Sep 19 20:15:26 openvpn-routing: Creating VPN routing table
Sep 19 20:15:26 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from routing tables
Sep 19 20:15:26 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from routing tables
Sep 19 20:15:26 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Sep 19 20:15:26 openvpn-routing: Completed routing policy configuration
Sep 19 20:15:26 openvpn[5196]: Initialization Sequence Completed

Can I use the "Redirect Internet traffic" rules to:

1) Get all connections (wifi and wan) to go through the VPN
2) Block all traffic from the internet if the VPN goes down

If so, what am I doing wrong?
 
Change source to 192.168.1.0/24 or whatever your network is.

That got it to work, thank you.

One more question for my understanding:

I really want to be sure that anything connected to this particular router stays behind the VPN. Can I be sure that any device connected (via WiFi) to the network will be routed through the VPN (and only the VPN) with source IP set to 192.168.1.0/24 and with the "Block routed clients if tunnel goes down" setting enabled?

I tried to set source to 192.168.1.0/255, but merlin would not allow me.

The reason I need to be sure is that this WiFi will be given to a guest apartment in my house. This apartment is rented out to students per semester and to tourists during the summer. The tenants have no access to the physical router.

If you, or anyone else, can provide me with additional settings to achieve this, I'd be more than grateful.
 
you need to make an exception in your rules to exclude the router itself if you're going to use the subnet as a source
 
Thank you for an answer. Unfortunately I'm a noob here, and don't really understand what I'm supposed to do to achieve what I described above. Could you give me some more hints, or maybe point me to where I can read up on this?

My router IP is 192.168.1.1, is it this that should be excluded? Does this mean that it will work if I put in source

192.168.1.0
and
192.168.1.2/255

when I try to do this I get the error message:

192.168.1.2/255 is not a valid IP address!

Again, any help with achieving a fail-proof way of making sure that any device connected to this router via WiFi goes through the VPN would be much appreciated.
 
Ok, after some more looking around, and idle googling I have found the following:

Under:

"Advanced settings/Lan/DHCP server"

I can set IP range. I will keep the current values of 192.168.1.2 - 192.168.1.254

I also found that Merlin wants the IP ranges in CIDR notation for policy rules. Through Google I found this http://www.ipaddressguide.com/cidr#range and calculated that range 192.168.1.2 - 192.168.1.254 translates to CIDR notation

192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/26
192.168.1.192/27
192.168.1.224/28
192.168.1.240/29
192.168.1.248/30
192.168.1.252/31
192.168.1.254/32

I have now added these 13 ranges under "Redirect Internet traffic" with iface VPN.

Have I done this right? Merlin allowed me to set all the ranges, so it looks promising.

If someone could please confirm I have got it right? Again, what I want to achieve is that any device connected to this router shall go through VPN and that internet shall be blocked if the VPN goes down. I have the option "Block routed clients if tunnel goes down" enabled also.

Hopefully I got this and hopefully my idle googling and your help can help someone in a similar situation.
 
you only need 192.168.1.0/24 this covers all ip addresses in the 192.168.1.X network 192.168.1.1 - 192.168.1.254

To exclude the router itself source 192.168.1.1 dest 0.0.0.0 wan

In terms of clients being blocked if vpn goes down, it SHOULD work if you have that option selected, I personally have had issues with that if I have too many rules.
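As an added illustration (not code from the thread or from Asuswrt-Merlin), this script reproduces the 13-block CIDR list computed by hand above, shows that the single 192.168.1.0/24 rule covers all of them, and audits a rule set for LAN hosts that would not be sent to the VPN. It assumes, for the audit only, that the most specific matching source prefix decides the interface, which is how the two-rule setup in the reply (LAN to VPN, router to WAN) is meant to behave.

```python
import ipaddress

# Constructed values matching the thread: the LAN and the router's own address.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.1.1")


def range_to_cidrs(first, last):
    """Minimal CIDR list covering first..last (the list the poster computed by hand)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def make_rules(pairs):
    """Turn (cidr, iface) pairs, as entered in the policy rule table, into networks."""
    return [(ipaddress.ip_network(cidr), iface) for cidr, iface in pairs]


def iface_for(host, rules):
    """Interface chosen for one host.
    Assumption (not taken from Merlin's documentation): when several source
    prefixes match, the most specific one wins, so 192.168.1.1/32 -> WAN
    overrides 192.168.1.0/24 -> VPN for the router itself."""
    host = ipaddress.ip_address(host)
    matches = [(net, iface) for net, iface in rules if host in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(rules):
    """Return (LAN hosts that would NOT leave via VPN, interface used by the router)."""
    leaks = [str(h) for h in LAN.hosts()
             if h != ROUTER_IP and iface_for(h, rules) != "VPN"]
    return leaks, iface_for(ROUTER_IP, rules)


if __name__ == "__main__":
    print(range_to_cidrs("192.168.1.2", "192.168.1.254"))  # the 13 blocks from the post
    two_rules = make_rules([("192.168.1.0/24", "VPN"), ("192.168.1.1/32", "WAN")])
    print(audit(two_rules))  # no leaking clients; router goes out via WAN
```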
 

Thank you very much. It all seems to work with only your two rules.

Just one last question (for my understanding): what would happen if I did not exclude the router itself? Would that mean that if the VPN connection was lost, the router couldn't reach the VPN server to reconnect and that I would thereby be locked out from the internet?
 
Hi again, it works like a charm still but I'd like to *bump* the last question once more.

Is it necessary to exclude the router to get the setup to work? I'm worried about the privacy and it feels like this exclusion could threaten the privacy. For instance I'm planning to set up a DynamicDns service in the router to be able to access a file server behind the router from outside this LAN.

With the router connecting to the DDNS service without VPN, will that not expose my real IP to the DynDNS provider? Are there any alternatives?

Hope the question(s) make sense.
 

There's a topic on the wiki on using vpn ip and dyndns
 