I have 2 default gateways: wan and tun. The tun here is openvpn client.
While the openvpn client is up and running the default gateway is set to tun.
When the client is down, the default gateway is automatically set to wan.
How do I configure it such that the default gateway is always fixed to tun, regardless of the openvpn client's state?
The vpn-policy-routing doc mentions that it does not support kill switch. Here is the quote:
The service does NOT support the "killswitch" router mode (where if you stop the VPN tunnel, you have no internet connection). For proper operation, leave all the default OpenWrt network and firewall settings for lan and wan intact.
Can someone confirm? Or maybe there is a workaround?
If you only want to use the wan interface for vpn traffic then it makes sense to block other traffic in the firewall.
It might be easiest to create a new (killswitch?) zone for the wan interface and add no forwarding configs and instead set up a firewall rule which allows the vpn protocol. (The tun interface would stay in the wan zone.)
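One way to express the zone split described above as an OpenWrt /etc/config/firewall fragment (an added example, not from the original thread; the device name tun0, the VPN server port UDP/1194 and a DHCP-managed wan are assumptions):

```uci
# /etc/config/firewall (fragment, added example)

# The existing wan zone now holds only the VPN tunnel device, so the
# lan -> wan forwarding below means lan -> tunnel and nothing else.
config zone
	option name 'wan'
	list device 'tun0'        # assumed OpenVPN device name
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# New zone for the physical uplink: nothing is forwarded into it and
# the router itself may only leave through the explicit rules below.
config zone
	option name 'wanphys'
	list network 'wan'        # the physical wan interface
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

# Router-originated OpenVPN traffic to the VPN server (assumed UDP/1194).
# A rule with only a dest zone applies to the router's own output.
config rule
	option name 'Allow-OpenVPN-out'
	option dest 'wanphys'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

# DHCP on the uplink (assumed DHCP-managed wan): outgoing requests and
# incoming replies/renewals, since both zone policies are REJECT.
config rule
	option name 'Allow-DHCP-out-wanphys'
	option dest 'wanphys'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-in-wanphys'
	option src 'wanphys'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
```

With the tunnel down, lan clients have no forwarding path to the uplink at all; if the VPN server is configured by hostname, the router also needs an output rule for its own DNS resolution on wanphys, or the client will never reconnect.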
@vgaetera Ok, I got it working but there is a little problem. For dnsnames that I route to wan, this works only when the dnsname is mapped to exactly 1 ip address. For a dnsname which is round robin over several addresses, this does not work consistently.
It works for me as intended, however some conditions are required to work properly:
Restarting the firewall service on OpenWrt leads to flushing of IP sets, so you need to manually flush the DNS cache on the client and restart the client browser if you restart the router.
Set up DNS hijacking to intercept plain DNS queries on OpenWrt and make sure the client browser and OS do not use DNS encryption, i.e. DoH/DoT/DNSCrypt; otherwise you need to disable it or block all the major encrypted DNS providers, so the client falls back to plain DNS.