How to set default gateway unchanged?

I am using vpn-policy-routing.

I have 2 default gateways: wan and tun. The tun here is the openvpn client.
While the openvpn client is up and running the default gateway is set to tun.
When the client is down, the default gateway is automatically set to wan.

How do I configure it such that the default gateway is always fixed to tun, regardless of the openvpn client's state?

The vpn-policy-routing doc mentions that it does not support kill switch. Here is the quote:

The service does NOT support the "killswitch" router mode (where if you stop the VPN tunnel, you have no internet connection). For proper operation, leave all the default OpenWrt network and firewall settings for lan and wan intact.

Can someone confirm? Or maybe there is a workaround?


If you only want to use the wan interface for vpn traffic then it makes sense to block other traffic in the firewall.

It might be easiest to create a new (killswitch?) zone for the wan interface and add no forwarding configs and instead set up a firewall rule which allows the vpn protocol. (The tun interface would stay in the wan zone.)

I still need the wan interface because some domains need to be excluded from vpn like streaming services.

  • Disable the LAN to WAN forwarding by default.
  • Allow forward only to IPs matching the IP sets.

It should be like this; just change REJECT to ACCEPT and block to allow:
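As an added example (not posted by anyone in this thread), one way to write those two bullet points as OpenWrt UCI config, using firewall3 ipset syntax (fw4 on 22.03+ uses nftset instead). It assumes a zone named 'vpn' containing the tun interface, an IP set named 'wanlist', and example.com as the excluded domain; all three are placeholders.

```uci
# /etc/config/firewall (excerpt, assumed layout)

# 1. Disable LAN -> WAN forwarding by default:
#    remove the stock section that looks like this.
# config forwarding
#	option src 'lan'
#	option dest 'wan'

# Traffic from LAN into the VPN tunnel zone stays allowed
# (assumes the tun interface is in a zone named 'vpn').
config forwarding
	option src 'lan'
	option dest 'vpn'

# IP set that dnsmasq fills with the resolved addresses of
# the excluded domains. Matched against destination address.
config ipset
	option name 'wanlist'
	option family 'ipv4'
	option match 'dest_net'

# 2. Allow LAN -> WAN forwarding only to addresses in the set.
#    This is the 'ACCEPT' counterpart of a REJECT-style rule:
#    everything not in 'wanlist' falls through to the zone
#    default (REJECT), so it cannot leak around the tunnel.
config rule
	option name 'Allow-LAN-WAN-Excluded'
	option src 'lan'
	option dest 'wan'
	option ipset 'wanlist'
	option target 'ACCEPT'

# /etc/config/dhcp (excerpt)
# Every A record dnsmasq answers for example.com (and its
# subdomains) is added to 'wanlist', so round-robin names
# work as long as clients resolve through the router.
config dnsmasq
	list ipset '/example.com/wanlist'
```

After editing, `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart` apply the change; note that a firewall restart flushes the set, so clients must resolve the names again before the rule matches.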

That sounds like a good idea! Will try it. I think it should work. Thanks much!

@vgaetera Ok, I got it working but there is a little problem. For DNS names that I route to wan, this works only when the DNS name is mapped to exactly one IP address. For a DNS name which is round-robin to several addresses, this does not work consistently.

Does ipset work only for single-address DNS names?

It works for me as intended, however some conditions are required to work properly:

  • Restarting the firewall service on OpenWrt leads to flushing of IP sets, so you need to manually flush the DNS cache on the client and restart the client browser if you restart the router.

  • Set up DNS hijacking to intercept plain DNS queries on OpenWrt and make sure the client browser and OS do not use DNS encryption, i.e. DoH/DoT/DNSCrypt; otherwise you need to disable it or block all the major encrypted DNS providers, so the client rolls back to plain DNS.
