VPN Killswitch

[Ramlal]

Some people in countries with more restrictive rights and privileges rely on a "killswitch" to protect themselves from authorities. These are people trying to get outside world information otherwise not allowed in those countries. It's not all about Netflix.

I work as a journalist, if my ip leaks I am fked. I need a bullet proof kill switch.

 

[skeal]

I work as a journalist, if my ip leaks I am fked. I need a bullet proof kill switch.

OVPN is likely the best option at this point for you. Later versions may provide a killswitch for Wireguard. OVPN rules when it comes to a killswich, IMHO.

 

[egc]

If you are really concerned about privacy I also would opt for OpenVPN as WireGuard uses static routing which makes the chance of logging somewhat greater although providers have taken various measusre to mitigate this.
Furthermore OpenVPN can support obfuscation (as add-on and only some providers) although recently it also became available for WireGuard

 

[Smokey613]

Some people in countries with more restrictive rights and privileges rely on a "killswitch" to protect themselves from authorities. These are people trying to get outside world information otherwise not allowed in those countries. It's not all about Netflix.

I understand the need for a secure vpn in certain areas and a killswitch in those circumstance would be a requirement. I am fortunate that I don’t need one….. at this time.

 

[Ramlal]

OVPN is likely the best option at this point for you. Later versions may provide a killswitch for Wireguard. OVPN rules when it comes to a killswich, IMHO.

Currently using ovpn on asus merlin. It’s my dedicated vpn router connected to my primary router for my work related chores. Kill switch is on. But I never trust it. So I have double protection and use vpn client on my laptop too.

I have disabled NAT on my vpn router, So if vpn is down, I don’t get internet connection.

However someone told me by disabling NAT my outgoing packets are still being transmitted not blocked. I am simply not getting incoming packets which reach my primary router and gets terminated there.
Don’t know much about networking. Took few classes for MCSE back in the days, I really didn’t keep up with all these changes in 2 decades.

 

[Rajjco]

But in case of power failure and router reboots after power restoration, don’t wan gets exposed until tunnel is established?

I think if it's under vpndirector the client never uses wan.

I made a python script that auto starts wireguard client upon router reboot might be useful to someone.

import asyncio
from playwright.async_api import async_playwright



async def run(playwright):
    chromium = playwright.chromium # or "firefox" or "webkit".
    browser = await chromium.launch(channel="chrome",headless=True,devtools=False)
    page = await browser.new_page()
    await page.goto("http://RouterIpGoesHere")
    await page.locator("#login_username").fill("admin")
    await page.locator("#login_filed > div.password_gap > input").fill("RouterPasswordGoesHere")
    await page.locator('#login_filed > input').click()
    await page.locator("#Advanced_VPNStatus_menu > table > tbody > tr > td.menu_Desc").click()
    await page.locator("#Advanced_OpenVPNClient_Content_tab > span").click()
    await page.locator("#divSwitchMenu > div:nth-child(3) > a > div").click()
    await page.locator("#apply_btn > input").click()
    await browser.close()

async def main():
    async with async_playwright() as playwright:
        await run(playwright)

asyncio.run(main())

 

[skeal]

I think if it's under vpndirector the client never uses wan.

I made a python script that auto starts wireguard client upon router reboot might be useful to someone.

import asyncio
from playwright.async_api import async_playwright



async def run(playwright):
    chromium = playwright.chromium # or "firefox" or "webkit".
    browser = await chromium.launch(channel="chrome",headless=True,devtools=False)
    page = await browser.new_page()
    await page.goto("http://RouterIpGoesHere")
    await page.locator("#login_username").fill("admin")
    await page.locator("#login_filed > div.password_gap > input").fill("RouterPasswordGoesHere")
    await page.locator('#login_filed > input').click()
    await page.locator("#Advanced_VPNStatus_menu > table > tbody > tr > td.menu_Desc").click()
    await page.locator("#Advanced_OpenVPNClient_Content_tab > span").click()
    await page.locator("#divSwitchMenu > div:nth-child(3) > a > div").click()
    await page.locator("#apply_btn > input").click()
    await browser.close()

async def main():
    async with async_playwright() as playwright:
        await run(playwright)

asyncio.run(main())

The current firmware implantation already starts Wireguard at boot.

 

[Rajjco]

The current firmware implantation already starts Wireguard at boot.

Just checked and It definitely does! I never knew that. I guess my previous installation was bugged due to my 386.7 settings.

 

[Ramlal]

The current firmware implantation already starts Wireguard at boot.

So you don’t need Merlin if you use there stock firmware with vpn fusion?

 

[skeal]

So you don’t need Merlin if you use there stock firmware with vpn fusion?

Yes, @RMerlin didn't make any changes to the Wireguard module or code AFAIR, he just added the function of VPN Director instead of Fusion. Read the release notes from ASUS to be sure.

 

[ZNP_83]

I work as a journalist, if my ip leaks I am fked. I need a bullet proof kill switch.

If this is the case and is indeed as serious and necessary as you say, you need to be using a multilayer approach to this. Perhaps you already are.

What's your compartmentalization look like? What does your network altogether look like? Are you using a VPN on your system, or only on the router? Are you using VMs at all?

For a serious situation where what you are doing and data leaking could compromise your personal safety or freedom, I highly recommend looking into Whonix and Qubes if you haven't already. Good luck.

 

[Ramlal]

If this is the case and is indeed as serious and necessary as you say, you need to be using a multilayer approach to this. Perhaps you already are.

What's your compartmentalization look like? What does your network altogether look like? Are you using a VPN on your system, or only on the router? Are you using VMs at all?

For a serious situation where what you are doing and data leaking could compromise your personal safety or freedom, I highly recommend looking into Whonix and Qubes if you haven't already. Good luck.

For my desktop settings, which I use most- I have a dedicated vpn router and run vpn on my windows too. From there I connect to paperspace virtual desktop and do all my work there.

For phone I use vpn with mobile data and never connect it to my own network. I use public WiFi with NordVPN. which is costing me tons of money in data fees.

 

[Ramlal]

If this is the case and is indeed as serious and necessary as you say, you need to be using a multilayer approach to this. Perhaps you already are.

What's your compartmentalization look like? What does your network altogether look like? Are you using a VPN on your system, or only on the router? Are you using VMs at all?

For a serious situation where what you are doing and data leaking could compromise your personal safety or freedom, I highly recommend looking into Whonix and Qubes if you haven't already. Good luck.

Wow that Whonix is interesting, is it possible on iPads and iPhones?

 

[ZNP_83]

For my desktop settings, which I use most- I have a dedicated vpn router and run vpn on my windows too. From there I connect to paperspace virtual desktop and do all my work there.

For phone I use vpn with mobile data and never connect it to my own network. I use public WiFi with NordVPN. which is costing me tons of money in data fees.

Cool. You're definitely ahead of the curve. And I do agree, the killswitch feature is super important to me, albeit maybe not to the stakes you're relying on it.

I would recommend incorporating TOR, VMs, and other such technology into your workflow if possible. Check out the Whonix forums and a guy named "the grugq" on twitter and elsewhere for some gold standard OPSEC information.

Keep doing what you do.

 

[ZNP_83]

Wow that Whonix is interesting, is it possible on iPads and iPhones?

It is not. It is strictly a computer setup. Don't want to get too off topic in here, but essentially, to become compromised utilizing Whonix, you would require cascading failures or specific nation state targeting. It's not the most modern and pretty setup, and it is a VM so it is good if your host system has some power, but it's far more secure than running a VPN on a desktop and a router. It is for a threat model more in line with what it sounds like you need, not the common person on here talking about VPN usage with Merlin.

I highly, highly recommend reading more into it. It will likely require some tradeoff and adjustment to what you do, but it is worth it.

And it should be understood that even with a VPN active, Mobile tech/communication is still predominantly insecure. The recent info about VPNs on iOS leaking a shirtload of data confirms that. Mobile usage should be kept to a literal minimum if possible, even with a VPN.

 

[Ramlal]

Cool. You're definitely ahead of the curve. And I do agree, the killswitch feature is super important to me, albeit maybe not to the stakes you're relying on it.

I would recommend incorporating TOR, VMs, and other such technology into your workflow if possible. Check out the Whonix forums and a guy named "the grugq" on twitter and elsewhere for some gold standard OPSEC information.

Keep doing what you do.

I like working on iPad if possible. So if I can get bullet proof kill switch on router, I can double VpN with turning another vpn in my iPad and work.

 

[Yota]

Yes! You will need a VPN that provides a kill switch. I also need a kill switch for the security of my IP. You can use ****VPN as I personally use that.

Why resurrect this old thread? Your reply is more like an advertisement.

already reported. @thiggins