[RT-BE88U] Kill Switch issue with WireGuard – WAN IP leak

[yaya59]

Hello everyone,

I am experiencing a security issue with the Asus RT-BE88U router (firmware 3006.102.4) when using the built-in WireGuard VPN client.

The native Kill Switch seems ineffective:

It blocks DNS requests,

But the WAN IP address remains exposed as soon as the VPN tunnel drops (manual disconnection or loss of connection with the server).

My goal is clear: to completely block Internet access in the event of a VPN disconnection, whether due to:

A manual disconnection in the interface,

A WireGuard server failure,

Or a momentary Internet outage.

Does anyone have a script, iptables configuration, or stable solution to offer for total blocking (IPv4 + IPv6)?
I am interested in any functional solution that has been tested on this model or similar.

Thank you in advance for your help!

 

[Some1]

The KillMon plugin or configuring iptables should fix this. I haven't used my BE88 in anything other than AP mode for months, but if I recall correctly, the VPN kill switch did work on some stock firmware.

 

[yaya59]

Le plugin KillMon ou la configuration d'iptables devraient résoudre ce problème. Je n'ai pas utilisé mon BE88 autrement qu'en mode AP depuis des mois, mais si je me souviens bien, le kill switch VPN fonctionnait sur certains firmwares d'origine.

Hello,
I'm going to test KillMon. However, concerning iptables rules, I don't know how to block all LAN flow to the WAN when the VPN is down.
I am using the Merlin firmware.
The asus firmware does not block the flow when the vpn is down, it switches to the Wan without blocking.