I’m only interested in the proxy-as-a-kill-switch solution if I can configure the router for both OpenVPN client and socks5 proxy, so I don’t have to configure every app on every computer and device connected to the router.
I’ll mail Mullvad on Monday and ask how to configure a router with their VPN and proxy. I mailed NordVPN and they said they don’t have socks5 proxy as a kill switch, and neither does ProtonVPN. Maybe Mullvad is alone?
Frankly, this is the only time I've heard of an OpenVPN provider providing that option. And it's not an option I've sought out in the past, so I can't comment one way or the other regarding how common it is.
“On a side note, realize that the router does NOT offer a kill switch unless you're using PBR! In that situation, either the proxy or your own kill switch become necessary.”
I don’t understand. Are you saying simply turning on the Merlin built-in kill switch is not enough? Is PBR done in the router or in the apps?
PBR is implemented on the router. You enable it in the OpenVPN client GUI using the "Force Internet traffic through tunnel" option (near the bottom). If you select either Policy Rules or Policy Rules (strict), then it becomes possible to add rules (further below) to define which IPs are routed over the VPN. Anything NOT specified in those rules remains bound to the WAN.
But notice the option "Block routed clients if tunnel goes down" (i.e., the kill switch) only appears when you enable PBR! But suppose you decide you don't need/want PBR, and just want *everything* routed over the VPN (which is the default behavior). In that one particular configuration, the GUI does NOT offer a kill switch! But a kill switch is just as valid and necessary a consideration in that configuration as when using PBR.
IMO, that's a mistake (or at least a shortcoming) in the GUI that needs to be corrected. What other members will tell you to get around the problem is to *always* enable PBR, even if that means explicitly forcing all clients over the VPN (e.g., source IP = 192.168.1.0/24), and thus making the kill switch always available. But the problem w/ that strategy is that PBR necessarily takes the router itself off the VPN, which can be problematic. For example, you can end up w/ a DNS leak if the OpenVPN provider pushes a *public* DNS server rather than one within the same scope as the tunnel! That's why I suggest when NOT using PBR that you add your own kill switch (as I described in my prior post) and thus keep the router itself bound to the VPN.
I’m truly out of my depth when I’m in these snb forums. I understand perhaps 10%-20% of what you people are writing. Pasting code is too difficult for me, since I don’t even know where to insert it and how, but I’ll bookmark your code in case I need it in the future.
I understand your frustration. This stuff can get quite complex. I often wonder how anyone who is NOT in the industry, just your average consumer, could be expected to absorb all of it. And that's why we have a GUI; to simplify things. But inevitably users come along who want something the GUI doesn't offer, or who believe something can be done better (e.g., using a proxy as your kill switch). But that's going to necessarily add complexity to a situation where you may already be overwhelmed. And that's why many ppl are better off to leave well enough alone and take what the router offers.
mullvad.net
