You should be able to do this by removing the forwarding rule that allows LAN > WAN. As long as you have a forwarding rule from LAN > VPN, you're good to go.
If you have a hardware button on your router (a WPS connection button, for example), you could potentially create an action that calls a script to add/remove that rule and restart the firewall. You can brute-force it by having two copies of the firewall file that get toggled, or use UCI commands to alter a single file.
I have a TP-Link travel router (2 types, actually - the MR3020 and the WR902AC) which I use as a portable VPN for travel. I have a script associated with the slide-switch that is read at boot time and configures the router with or without that forwarding enabled.
Wow, that's awesome. I have the Netgear R7800, which has the WPS button, but I think I need some help; I don't know how to manage these things.
I think I need to combine 2 things. ON: it starts the VPN connection and removes the forwarding rules; OFF: it stops the VPN and adds the forwarding rules. Do you know how to do this?
If the power goes off while the button is ON, will the script run again when the router restarts?
You could use the OpenVPN up/down scripts to change the forwarding rules -- this would be good when you intentionally start/stop the tunnel, but could potentially cause packets to leak if the tunnel goes down unexpectedly.
Alternatively, you could create a script to enable/disable the LAN > WAN forwarding rule and initiate that via an ssh session, with Luci-app-commands (a LuCI interface that allows you to do command line stuff), or connect it with a hardware button or two. I could also see other ways to do it including just using the LuCI interface to add/remove the forwarding rule in the Firewall config page, or even a new LuCI app for toggling things like this. And there may be some apps that people have written that do this, too -- there are policy based routing and other apps/packages that could possibly perform the task -- search through the forums and/or the opkg lists for ideas there.
I realize that when I disable the forwarding rule I can't access the modem interface. Quite obvious, but I hadn't thought about it, so I think the best and simplest way is to use luci-app-commands for a quick switch when I need to access the modem. Now I only have to find the ssh command (any idea?).
The second script (/usr/bin/vpn_only.sh) looks the same but copies firewall_vpn_only. Add execute permissions to the scripts (chmod +x) and try it out. If it works, you can use those in the luci-app-commands page.
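The UCI route mentioned earlier in the thread (altering the one firewall config instead of swapping two copies of it), written out as an added example that is not code from this thread: a script that finds the lan -> wan forwarding section in /etc/config/firewall, flips its enabled option and reloads the firewall, leaving the lan -> vpn forwarding untouched. The file name vpn_toggle.sh, the reload_firewall wrapper and the zone names lan and wan are assumptions; adjust the zone names to match your own firewall config.

```shell
#!/bin/sh
# vpn_toggle.sh (hypothetical name): enable/disable the LAN -> WAN forwarding
# in /etc/config/firewall through UCI, so that with it disabled LAN clients can
# only leave through the zone that has a LAN -> VPN forwarding.
# Assumes the stock OpenWrt zone names "lan" and "wan" (override via env).

LAN_ZONE="${LAN_ZONE:-lan}"
WAN_ZONE="${WAN_ZONE:-wan}"

# Print the index of the "forwarding" section with src=$1 and dest=$2,
# or return 1 when no such section exists.
find_forwarding() {
    local i=0
    while uci -q get "firewall.@forwarding[$i]" >/dev/null 2>&1; do
        if [ "$(uci -q get "firewall.@forwarding[$i].src")" = "$1" ] &&
           [ "$(uci -q get "firewall.@forwarding[$i].dest")" = "$2" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Report "enabled", "disabled" or "missing" for the LAN -> WAN forwarding.
# A missing 'enabled' option means the forwarding is active (OpenWrt default).
lan_wan_status() {
    local idx
    idx=$(find_forwarding "$LAN_ZONE" "$WAN_ZONE") || { echo missing; return 0; }
    case "$(uci -q get "firewall.@forwarding[$idx].enabled")" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Wrapper so the reload step lives in one replaceable place.
reload_firewall() {
    /etc/init.d/firewall reload
}

# set_lan_wan_forwarding on|off : set the 'enabled' option, commit it so the
# state survives a reboot, then reload the firewall to apply it now.
set_lan_wan_forwarding() {
    local want idx
    case "$1" in
        on)  want=1 ;;
        off) want=0 ;;
        *) echo "usage: set_lan_wan_forwarding on|off" >&2; return 2 ;;
    esac
    idx=$(find_forwarding "$LAN_ZONE" "$WAN_ZONE") || {
        echo "no forwarding section $LAN_ZONE -> $WAN_ZONE found" >&2
        return 1
    }
    uci set "firewall.@forwarding[$idx].enabled=$want"
    uci commit firewall
    reload_firewall
}

case "${1:-}" in
    on|off) set_lan_wan_forwarding "$1" ;;
    status) lan_wan_status ;;
    "") ;;  # no argument: only define the functions (e.g. when sourced)
    *) echo "usage: $0 on|off|status" >&2; exit 2 ;;
esac
```

vpn_toggle.sh off leaves only the LAN -> VPN forwarding active, vpn_toggle.sh on restores the LAN -> WAN path (for reaching the modem), and vpn_toggle.sh status shows which one is current; the two commands are what you would wire into luci-app-commands or a button handler. Because only the enabled option is changed and committed, the forwarding section itself stays in the config and the firewall comes up on boot in whatever state was last committed.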
The appended strings should be similar to the previous one. To prevent traffic leakage in case the VPN tunnel drops, you can edit the file /etc/firewall.user with the following content:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Fail closed: when the tunnel interface tun0 is not up, reject all forwarding,
# unless the blanket REJECT is already in place (iptables -C checks for it).
if ! ip addr show tun0 up >/dev/null 2>&1 && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -I forwarding_rule -j REJECT
fi
You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:
#!/bin/sh
# Runs on every netifd interface event; ACTION is "ifup" or "ifdown".
# The real state of tun0 is re-checked each time so the REJECT rule tracks it.
if [ "$ACTION" = ifup ] && ip addr show tun0 up >/dev/null 2>&1 && iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    # tunnel is up: lift the block
    iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && ! ip addr show tun0 up >/dev/null 2>&1 && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    # tunnel is gone: block forwarding until it comes back
    iptables -I forwarding_rule -j REJECT
fi
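The firewall.user and hotplug snippets above (and the OpenVPN up/down script idea from earlier in the thread) all need the same decision: compare the tunnel state with the presence of the REJECT rule and act only on a mismatch. As an added example that is not code from this thread, here is that logic in one idempotent function that each of those hooks can source. The file path /usr/lib/leak_guard.sh, the tun_is_up/reject_present/apply_rule wrappers and the function names are assumptions; tun0 and the forwarding_rule chain are the ones used in the thread.

```shell
#!/bin/sh
# leak_guard.sh (hypothetical, e.g. /usr/lib/leak_guard.sh): keep a blanket
# REJECT in the OpenWrt user chain forwarding_rule whenever the tunnel device
# is absent, so traffic cannot fall back to the WAN while the VPN is down.
# Usage (assumed): both /etc/firewall.user and the hotplug script source it:
#   . /usr/lib/leak_guard.sh; sync_leak_guard        (firewall.user, OpenVPN up/down)
#   . /usr/lib/leak_guard.sh; hotplug_dispatch       (/etc/hotplug.d/iface/99-prevent-leak)

TUN_DEV="${TUN_DEV:-tun0}"

# True when the tunnel interface exists and is up (same test as the thread).
tun_is_up() {
    ip addr show "$TUN_DEV" up >/dev/null 2>&1
}

# True when the blanket REJECT is already present in forwarding_rule.
reject_present() {
    iptables -C forwarding_rule -j REJECT >/dev/null 2>&1
}

# Single point through which the chain is modified (easy to log or stub).
apply_rule() {
    iptables "$@"
}

# Bring the REJECT rule in line with the tunnel state and print the action
# taken: "insert", "delete" or "noop". Calling it repeatedly is harmless:
# the presence check prevents duplicate inserts and deletes of a missing rule.
sync_leak_guard() {
    if tun_is_up; then
        if reject_present; then
            apply_rule -D forwarding_rule -j REJECT && echo delete
        else
            echo noop
        fi
    else
        if reject_present; then
            echo noop
        else
            apply_rule -I forwarding_rule -j REJECT && echo insert
        fi
    fi
}

# Hotplug entry point: netifd sets ACTION in the environment. Only ifup and
# ifdown are acted on; other events (e.g. ifupdate) are ignored.
hotplug_dispatch() {
    case "${ACTION:-}" in
        ifup|ifdown) sync_leak_guard ;;
        *) echo noop ;;
    esac
}
```

Because the function decides from the observed state rather than from which hook fired, the same file covers the firewall restart case (chains flushed, rule must be re-added), the interface event case, and an OpenVPN up/down script, and running it twice in a row is a no-op.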
What's wrong with simply deleting the forwarding from LAN > WAN? That seems to work for me (except I haven't worked out how to disable/enable the forwarding automatically on VPN start/stop).
Anyway, wouldn't this simply do it:
if (! ip a s tun0 up); then
iptables -I forwarding_rule -j REJECT
fi
Regarding the 99-prevent-leak file: what's the significance of the "99" part of the filename, if any? And can you explain why we need it, as it seems to do exactly the same as the firewall.user code?