Could you please help me to set up a kill switch for a policy based routing?
Let's assume I have two output interfaces: wan and wg_out. The lan network is allowed to use both of them, i.e. the firewall zone forwardings are set as follows:
/etc/config/firewall (Forwardings)
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'wg_out'
Also I have a rule and a routing table to reroute traffic marked 0x2 to the wg_out interface:
config rule
	option name 'Mark 0x2 (VPN reroute) for lan'
	option family 'ipv4'
	option src 'lan'
	option ipset 'vpn_reroute_test'
	option dest '*'
	option target 'MARK'
	option set_mark '0x2'
	list proto 'all'
The vpn_reroute_test nft set is filled with the myip.com IP address.
If the wg_out interface is up and running, I get its IP when visiting myip.com.
If the wg_out interface is down (disabled), then I get the wan interface IP.
I want to receive a connection error, i.e. stop 0x2-marked traffic from overflowing to wan when wg_out is down.
I thought that a blackhole route would do this, but had no luck.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Unfortunately it is relevant.
I reroute only traffic which has been marked 0x2 to wg_out, i.e. only traffic going to myip.com. All other traffic flows through the wan interface. If I delete the lan -> wan forwarding, I will lose access to any other host except myip.com.
Regarding your first question about configuration: I have posted the relevant settings in the first post. What other configuration should I mention? There are quite a lot of lines with sensitive information which will be hard to clean.
The important thing to remember is that there are two separate systems in play here. The routing table(s) determine where the kernel will attempt to forward a packet. The firewall rules determine if that forward will be allowed or blocked.
Make the firewall conditional so that only what you want to go non-VPN is forwarded lan -> wan; the IP destinations that you want to only ever go via VPN are rejected or dropped if they try to go to wan.
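One way to express that advice in the same /etc/config/firewall syntax the first post uses, as an added example (not a configuration posted in the thread): a traffic rule that matches the 0x2 mark already set by the MARK rule and rejects it when the destination zone is wan. OpenWrt evaluates user traffic rules before the zone forwarding policy, so lan -> wan forwarding stays open for unmarked traffic while marked traffic is only ever accepted towards wg_out; when wg_out is down and the kernel falls back to the main table, the marked packets hit this rule instead of leaving via wan. The rule name and the assumption that the mark value is exactly 0x2 (no mask) are mine.

```uci
# Added example: kill switch for VPN-only traffic.
# Assumes the existing MARK rule sets fwmark 0x2 on packets that must use wg_out.
config rule
	option name 'Kill switch: reject 0x2 (VPN-only) traffic towards wan'
	option family 'ipv4'
	option src 'lan'
	option dest 'wan'
	option mark '0x2'
	option target 'REJECT'
	list proto 'all'
```

After `service firewall restart`, `fw4 print` (on an nftables-based release) shows the generated rule in the lan-to-wan forward chain, and the check from the first post (visiting myip.com with wg_out disabled) should now fail with a connection error rather than returning the wan address. Using `option mark` rather than repeating `option ipset 'vpn_reroute_test'` keeps a single definition of what "VPN-only" means, so adding addresses to the set automatically extends the kill switch.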