Redirect Internet traffic through tunnel VPN Director (policy rules) Problem


I did not know that I could provide a subnet when selecting from the drop down in the . When I selected OVPN1 it displayed the IPs that were connected to the router. I selected my computer's IP and saved. It still allowed access to the internet when the client was turned off.

I need to start from the beginning and go from there. This way I will be able to provide logs when the VPN is enabled and disabled, and validate whether access to the internet stops when it is not enabled.

You have *never* made it clear what the issue is here.

NOW you seem to be concerned about the kill switch. If you want to use the VPN Director to route specific devices over the VPN, then you can do so as I explained, either on a per-device basis (e.g., 192.168.11.100) or the entire network (192.168.11.0/24). Once you do, then the firewall-based kill switch (i.e., my script) will block those devices from the WAN. However, as I clearly stated in the documentation (see point #5), since the VPN Director is NOT using the firewall for the purposes of the kill switch, any changes you make to the VPN Director rules while using my kill switch script require a reboot! That will cause the firewall to be reinitialized and reset the script's own firewall rules.
 
Thanks. What I thought was that when selecting VPN Director rules/policy WAN 192.168.11.0/24, all devices in the subnet would be blocked, but I could still access the internet when I turned off the VPN client. I thought you, or someone else who commented in the thread, said that when selecting WAN, devices would not be blocked, but reading your last comment they should be blocked. I had no problems with VPN Director rules/policy WAN 192.168.11.0/24 until I powered off the router and restarted it after replacing the LAN cable between routers. That's when everything stopped working, in case I wasn't clear.
 
Again, whatever you want routed over the VPN *must* use the VPN's network interface (OVPN1, OVPN2, etc.) in the rule. This has NOTHING to do w/ the kill switch. The kill switch is a separate process that examines what you specified for rules that route over the VPN, then creates corresponding firewall rules to block those same IPs from the WAN.

The purpose of allowing the WAN network interface w/ policy rules is if you want to intentionally *force* something over the WAN, in spite of any other rules that are intended to route over the VPN. IOW, any WAN rules take precedence over VPN rules.

My overall impression is you don't have anything wrong here, other than your understanding about how all this works. Hopefully now you do.
 
To make sure I understand, there is no need to set up a rule in the VPN Director if only wanting to use the kill switch? Or am I still not getting it, or should I just blame it on my PTSD?
 
You're conflating the issue of how clients are routed w/ the kill switch. You have to keep those separated in your mind.

The purpose of the VPN Director is to instruct the router in how clients should be routed wrt the VPN(s). Anything NOT specifically having a rule to route it over the VPN gets routed over the WAN. It's also possible to specifically route something over the WAN because it's possible you decide to route, say, 192.168.11.0/24 over VPN #1, but want to make an exception for 192.168.11.100.

192.168.11.100 WAN
192.168.11.0/24 OVPN1

If it wasn't for that exception over the WAN, 192.168.11.100 would be routed over the VPN, like everything else on the 192.168.11.0/24 network.

The kill switch is a completely separate matter. For any policy rule that routes something over the VPN, the script will *block* that same thing over the WAN (192.168.11.0/24 in the above example). IOW, once you tell the VPN Director to route something over the VPN, the kill switch makes sure that's the *only* path to the internet. And if you change the policy rules, you need to reboot the router so the script can re-adjust itself to those changes.
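As an added example (not the kill switch script discussed in the thread), here is a shell sketch of the two separate mechanisms described above: deciding whether a client is routed over the VPN, with WAN rules taking precedence, and turning the VPN rules into firewall blocks on the WAN interface. The rule list and the WAN interface name eth0 are constructed assumptions.

```shell
#!/bin/sh
# Added illustration of the thread's logic, not its kill switch script: policy rules are
# "<source> <interface>" lines, WAN rules beat VPN rules, only VPN-routed sources are blocked.

# Constructed sample matching the example in the thread.
SAMPLE_RULES='192.168.11.100 WAN
192.168.11.0/24 OVPN1'
WAN_IF="eth0"   # assumed WAN interface name (Asuswrt keeps the real one in nvram)

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if address $1 lies in $2, a host address or a CIDR prefix.
in_cidr() {
    net=${2%/*}; len=${2#*/}
    [ "$len" = "$2" ] && len=32                      # bare host address is a /32
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Exit 0 if client $1 is blocked from the WAN under rules $2; a WAN match wins immediately.
wan_blocked() {
    client=$1; rules=${2:-$SAMPLE_RULES}; blocked=1
    while read -r src iface; do
        [ -n "$src" ] && in_cidr "$client" "$src" || continue
        case "$iface" in
            WAN)   return 1 ;;                         # explicit WAN rule takes precedence
            OVPN*) blocked=0 ;;                        # routed over the VPN: no WAN path
        esac
    done <<EOF
$rules
EOF
    return $blocked
}

# Print the iptables commands the kill switch would install for rules $1; WAN exemptions
# first so they match before the REJECTs. Computed once, hence the reboot after rule changes.
kill_switch_rules() {
    rules=${1:-$SAMPLE_RULES}
    echo "iptables -N VPN_KILL"
    printf '%s\n' "$rules" | awk -v wan="$WAN_IF" '
        $2 == "WAN"  { ex = ex "iptables -A VPN_KILL -s " $1 " -o " wan " -j RETURN\n" }
        $2 ~ /^OVPN/ { bl = bl "iptables -A VPN_KILL -s " $1 " -o " wan " -j REJECT\n" }
        END          { printf "%s%s", ex, bl }'
    echo "iptables -I FORWARD -j VPN_KILL"
}
```

Running `wan_blocked 192.168.11.50` succeeds (blocked), while `wan_blocked 192.168.11.100` and `wan_blocked 192.168.12.5` fail: the first because of the WAN exception, the second because nothing routes it over the VPN.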
 
Thank You
 
