Block traffic when the OpenVPN client is disconnected

Hi, I configured my OpenVPN client with this guide, and now I want to block all outgoing traffic if the client is disconnected or loses/drops the connection. Is it possible?
I'm quite new in this world so I don't know if it's possible.

I don't know if it's relevant, but I have a strange network configuration:

The router is connected to a 4G modem; on the modem I set the router's WAN IP in the DMZ, and the LAN of the router is on another IP range.

You should be able to do this by removing the forwarding rule that allows LAN > WAN. As long as you have a forwarding rule from LAN > VPN, you're good to go.

Thank you, it works.

Do you know if it's possible to make any custom commands that enable and disable that forwarding rule?

If you have a hardware button on your router (a WPS connection button, for example), you could potentially create an action that calls a script to add/remove that rule and restart the firewall. You can brute-force it by having two copies of the firewall file that get toggled, or use UCI commands to alter a single file.

I have a TP-Link travel router (2 types, actually - the MR3020 and the WR902AC) which I use as a portable VPN for travel. I have a script associated with the slide-switch that is read at boot time and configures the router with or without that forwarding enabled.

Wow, that's awesome. I have the Netgear R7800, which has a WPS button, but I think I need some help; I don't know how to manage these things.

I think that I need to combine 2 things. ON: it starts the VPN connection and removes the forwarding rules; OFF: it stops the VPN and adds the forwarding rules. Do you know how to do this?

If the power goes off while the button is ON, will the script run again when the router restarts?

Thank you a lot for all the help

So there are a few ways to approach this...

You could use the OpenVPN up/down scripts to change the forwarding rules -- this would be good when you intentionally start/stop the tunnel, but could potentially cause packets to leak if the tunnel goes down unexpectedly.

Alternatively, you could create a script to enable/disable the LAN > WAN forwarding rule and initiate that via an ssh session, with Luci-app-commands (a LuCI interface that allows you to do command line stuff), or connect it with a hardware button or two. I could also see other ways to do it including just using the LuCI interface to add/remove the forwarding rule in the Firewall config page, or even a new LuCI app for toggling things like this. And there may be some apps that people have written that do this, too -- there are policy based routing and other apps/packages that could possibly perform the task -- search through the forums and/or the opkg lists for ideas there.

I realize that when I disable the forwarding rule I can't access the modem interface. Quite obvious, but I hadn't thought about it, so I think the best and simplest way is to use luci-app-commands for a quick switch when I need to access the modem. Now I only have to find the ssh command (any idea?).

Thanks for your help

Probably the easiest method is a brute force one... not at all elegant, but it will work:

Make two copies of the /etc/config/firewall file. Maybe one will be called /etc/config/firewall_normal and the other /etc/config/firewall_vpn_only.

Then make two scripts. Starting with the 'normal' script (/usr/bin/ that has the following commands:

#!/bin/sh
# Switch to the 'normal' firewall config (LAN > WAN forwarding allowed) and apply it
cp /etc/config/firewall_normal /etc/config/firewall
/etc/init.d/firewall restart

The second script (/usr/bin/ looks the same but copies firewall_vpn_only. Add execute permissions to the scripts (chmod +x ) and try it out. If it works, you can use those in the luci-app-commands page.
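The same switch can be done without keeping two copies of the config, by flipping the `enabled` option of the single lan-to-wan forwarding section with UCI. This is an added example, not a script from the thread or from OpenWrt; it assumes the zones are named lan and wan and that fw3 is in use.

```shell
#!/bin/sh
# Toggle the LAN -> WAN forwarding in /etc/config/firewall via UCI.
# Added example, not the thread's script. Assumed zone names: lan, wan.

# Print the index of the forwarding section with src=lan dest=wan; fail if none.
find_lan_wan_forwarding() {
  i=0
  while uci -q get "firewall.@forwarding[$i]" >/dev/null; do
    if [ "$(uci -q get "firewall.@forwarding[$i].src")" = lan ] &&
       [ "$(uci -q get "firewall.@forwarding[$i].dest")" = wan ]; then
      echo "$i"
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# Kept as a function so it can be replaced when testing off the router.
reload_firewall() { /etc/init.d/firewall reload; }

# $1 = normal   : LAN may reach the WAN directly (forwarding enabled)
# $1 = vpn_only : LAN may only leave through the VPN zone (forwarding disabled)
set_lan_wan() {
  idx=$(find_lan_wan_forwarding) || {
    echo "no lan -> wan forwarding section in /etc/config/firewall" >&2
    return 1
  }
  case "$1" in
    normal)   uci set "firewall.@forwarding[$idx].enabled=1" ;;
    vpn_only) uci set "firewall.@forwarding[$idx].enabled=0" ;;
    *) echo "usage: $0 normal|vpn_only" >&2; return 2 ;;
  esac
  uci commit firewall && reload_firewall
}

if [ $# -gt 0 ]; then set_lan_wan "$1"; fi
```

Both commands (`vpn_only` and `normal`) can be registered in luci-app-commands, giving the quick switch asked for above.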

See my instructions in the NordVPN manual:

The appended strings should be similar to the previous one. To prevent traffic leakage in case the VPN tunnel drops, you can edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# If tun0 is not up and the REJECT rule is not yet present, block all forwarding
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi

You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:

# Tunnel came up: remove the REJECT rule so forwarding resumes
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
    iptables -D forwarding_rule -j REJECT
fi
# Tunnel went down: insert the REJECT rule if it is not already there
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi
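The hotplug approach above can be written so that the decision (insert, delete or leave the REJECT rule) is separated from the iptables calls and fails closed when the event and the device state disagree. This is an added example, not the script from the NordVPN/AirVPN manual; it assumes the tunnel is declared as the UCI interface "vpn" bound to tun0 (so hotplug delivers ifup/ifdown for it) and that fw3 provides the forwarding_rule user chain.

```shell
#!/bin/sh
# Example /etc/hotplug.d/iface/99-prevent-leak (added illustration, not the
# thread's script). OpenWrt hotplug exports ACTION (ifup/ifdown) and INTERFACE
# (the UCI interface name). Assumed: the tunnel is UCI interface "vpn" on tun0.
VPN_IFACE="${VPN_IFACE:-vpn}"
VPN_DEV="${VPN_DEV:-tun0}"

# The kill switch is a single REJECT rule at the top of forwarding_rule.
reject_present() { iptables -C forwarding_rule -j REJECT 2>/dev/null; }
# "ip link show dev X up" prints nothing if X is down and fails if X is gone,
# so test the output rather than the exit status.
tunnel_up() { [ -n "$(ip link show dev "$VPN_DEV" up 2>/dev/null)" ]; }

# Pure decision table, kept apart from the commands so it can be tested.
# $1=ACTION, $2=tunnel up (1/0), $3=REJECT rule present (1/0).
# Prints the required change: insert | delete | noop. Odd states fail closed.
decide() {
  case "$1" in
    ifdown) if [ "$3" = 1 ]; then echo noop; else echo insert; fi ;;
    ifup)
      if [ "$2" = 1 ]; then
        if [ "$3" = 1 ]; then echo delete; else echo noop; fi
      else
        if [ "$3" = 1 ]; then echo noop; else echo insert; fi
      fi ;;
    *) echo noop ;;
  esac
}

# Apply the decision for one hotplug event; the outcome is left in RESULT.
prevent_leak() {
  RESULT=noop
  [ "$2" = "$VPN_IFACE" ] || return 0        # event for another interface
  if tunnel_up; then tun=1; else tun=0; fi
  if reject_present; then rule=1; else rule=0; fi
  RESULT=$(decide "$1" "$tun" "$rule")
  case "$RESULT" in
    insert) iptables -I forwarding_rule -j REJECT ;;
    delete) iptables -D forwarding_rule -j REJECT ;;
  esac
  echo "prevent-leak: $1 on $2 (tunnel=$tun rule=$rule) -> $RESULT"
}

if [ -n "${ACTION:-}" ]; then prevent_leak "$ACTION" "${INTERFACE:-}"; fi
```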

(newbie alert!)

What's wrong with simply deleting the forwarding from LAN > WAN? That seems to work for me (except I haven't worked out how to disable/enable the forwarding automatically on VPN start/stop).
Anyway, wouldn't this simply do it:

if (! ip a s tun0 up); then
    iptables -I forwarding_rule -j REJECT
fi

Regarding the 99-prevent-leak file

  1. what's the significance of the "99" part of the filename, if any?
  2. can you explain why we need this, as it seems to do exactly the same as the firewall.user code.

Everything is OK with it. Your question is how to trigger it on VPN start/stop. This can be achieved in three ways:

  1. up and down scripts in the OpenVPN configuration file;
  2. firewall.user code, which is executed when the firewall is restarted (it is restarted automatically when the OpenVPN connection is established or dropped);
  3. a hotplug script, which is called when a specific interface goes up/down. 99 determines the order in which it is called (e.g. number 20 is called before it).

Yes, it is enough, but I like independent lines of defense, so in my updated manual for AirVPN you can find two extra barriers, which are established independently of the OpenVPN connection, so leakage caused by the scripts failing to execute is prevented: