Hey guys. I'm an absolute beginner in these processes but I've got a problem.
Thing is, I want a kill switch for my OpenVPN + PIA but I don't get how to do it.
I heard I could do it with port forwarding but I can't think of how I'll do it.
So I already have my VPN set up (I think so): when I curl ifconfig.co, I get a new IP when the VPN is on, and when the VPN is off, my public IP takes its place.
So what I actually want is that when the VPN is off, I don't want the public IP to take its place; I just want no internet at all.
Can someone explain to me how I should do this? If needed, I followed a tutorial on how to set up WRT + OpenVPN + PIA but won't share it in case "ads" are not allowed here.
Add a new firewall zone named vpn (or any other short, obvious name). Set input to reject, output to accept, and forward to reject. Check the masquerading box. All these settings are the same as wan.
Move the vpn tunnel device or interface (depending on how you set it up) from the wan zone into vpn zone. Configure forwarding from lan->vpn. Remove forwarding from lan->wan. This last step is the "kill" which prevents the lan from reaching the Internet directly without VPN when the VPN is down.
Unfortunately I can't post more than one image in the same post.
Tried to work around it but I can't get the result I'm looking for. With that (the thing I thought you said), ports are unreachable.
Setup is: lan > wan
wan > reject, with lan in source zones
vpn > reject, with tun0 (my VPN tunnel) in covered networks; can't find the thing you said, "move vpn tunnel into vpn zone"
Edit wan and remove tun0 from wan. In other words, tun0 used to be in wan; now you're moving it to be in vpn instead. A network can only be in one zone for the firewall to work properly, but I don't know how well LuCI enforces that.
It's a default firewall forward (forward everything that doesn't have a specific reject rule). This is configured at the bottom of the vpn zone settings page you posted. Add lan as a forward from source zone.
Actually I've got a question. Everything works as intended, but: now when I do a curl ifconfig.co in vrbm0 (my connection without VPN at all, the basic one) it returns a MAC address. Why?
And I've seen that when I add an LXC in Proxmox, I don't have an IP that goes into OpenWrt (in the screenshot).
Have I been clear, and do you have any idea?
Like, I add a Deluge LXC and a Sonarr LXC and they're not showing up.
The general theory of a VPN is that everything outside the WAN port of the router is not to be trusted. So this means that, by design, the 192.168.1.0 network should not be reachable.
You could of course make an exception if you wanted to. There is already a route 192.168.1.0/24 via wan, but since the general lan->wan forwarding has been removed, it needs to be replaced with a conditional firewall rule:
I tried to do what you told me but I can't get it.
I've understood what you told me about the theory. And so I want to make an exception: if I'm using the VPN with the kill switch, I still want to be able to access my local network. So I need to make a conditional firewall rule. BUT, what exactly is that? Traffic rules? NAT rules? So I've tried to do the logical thing (to me) but it doesn't work. What am I doing wrong here?
I'm posting all the config so you can see everything and hopefully guide me. I'm so sorry again, I'm trying my best but networking is my nemesis, it seems.
That traffic rule should have worked. You could temporarily allow global default lan->wan forwarding again to confirm that the problem is the firewall and not something else. This should allow a lan device to connect to the 192.168.1.0 network.
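As an added example that is not part of any post in this thread, here are the /etc/config/firewall stanzas that correspond to the zone, forwarding and conditional rule described above. It assumes the OpenVPN tunnel device is tun0 and the network to reach through wan is 192.168.1.0/24, as in the thread; the rule name is a placeholder.

```uci
# Added example: kill-switch zone layout in UCI form (/etc/config/firewall).
# Assumes the OpenVPN tunnel device is tun0 and the upstream network is 192.168.1.0/24.
# The existing wan zone keeps 'option network wan' but must no longer list tun0.

# vpn zone: same policies as wan, with tun0 moved here out of the wan zone
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

# lan may reach the Internet only through the tunnel
config forwarding
	option src 'lan'
	option dest 'vpn'

# Deliberately NO 'config forwarding' from lan to wan: that is the kill switch.
# When tun0 is down, the vpn zone is empty and lan has no allowed path to the Internet.

# Exception: let lan reach the 192.168.1.0/24 network directly via wan
config rule
	option name 'Allow-lan-to-upstream-lan'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'ACCEPT'
```

After applying with `/etc/init.d/firewall restart`, check `curl ifconfig.co` from a lan device with the tunnel up (VPN address) and with it down (no reply), and confirm 192.168.1.0/24 stays reachable in both cases.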