Killswitch also working for applications running in router itself?

Hello everybody,
I have configured the openvpn client on my router following this guide:
OpenVPN client using LuCI

I have also enabled the killswitch functionality, but I have noticed that when I close the VPN connection the router itself can still connect to the Internet.
Is there a way to also block the router's own connection to the Internet when the VPN is down, or is this a meaningless question (I am relatively new to networking with OpenWrt)?

How exactly did you implement this? Normally it should only affect the lan.

Let's see your config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

OpenVPN, being a process on the router, has to use the wan interface (regular Internet) to send its encapsulated and encrypted packets to the VPN server. When OpenVPN closes down, it removes the default routes via the VPN tunnel and allows default routing from local processes via the regular Internet.

If you want to prevent the router from ever using regular Internet for anything but encrypted packets to the VPN server, configure that in the firewall: block all output on wan except for the one IP of the VPN server.

It will probably also be necessary to allow unencrypted NTP, as the clock must be set for SSL to work.

I implemented the kill switch following what is mentioned in the guide I linked above:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci#enable_network_killswitch_optional_recommended

Here is my /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd43:fe47:3c26::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.200'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

And here is my /etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

Could you just give me an example on how to achieve this?

It appears that this is not the primary router... is this connected to an upstream router with a lan-lan connection?

When you bring down the OpenVPN tunnel, what exactly is the problem that you see and how are you testing?

Yes, my primary upstream router has address 192.168.1.1 and the router with OpenWrt I am using has address 192.168.1.200, and it is connected to the first one using one of its LAN ports.
When I bring down the OpenVPN tunnel I was expecting that, because of the kill switch, the OpenWrt router could no longer connect to the Internet; instead, I see that even if the OpenVPN tunnel is down I can ping external addresses from the OpenWrt router.

This is expected behavior for 2 reasons:

  1. The router always needs to be able to reach the upstream/internet if you want to be able to do things like connect to a VPN... otherwise, you have a chicken-or-egg situation.
  2. The OpenWrt router is not the primary gateway... it has a gateway defined (192.168.1.1), so connections destined for any address other than 192.168.1.0/24 will be sent there by default.

If you remove the gateway, you also remove the router's ability to connect to the internet in general, which means it cannot establish a VPN connection.

Does that make sense?

Yes, it makes sense. Let me then narrow the requirement: suppose I just want an application (say irssi) running on the OpenWrt router to lose its connectivity if the VPN is not working.
Is this feasible?

Connect your upstream to a separate wan network. In other words configure this as if it were a main router. Then you can put strict controls on what goes out of wan without breaking services on lan.

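Putting the two suggestions above together (move the upstream to a real wan interface, then block everything the router itself sends out of wan except the VPN handshake and NTP), here is a /etc/config/firewall fragment as an added example; it is not from the thread or from the OpenWrt guide. It assumes the upstream router is plugged into the wan port (so `wan` is enabled with `auto '1'` and the `gateway` line is removed from `lan`), and the VPN server address 198.51.100.10 and port 1194/udp are placeholders for the real values. A rule with a `dest` but no `src` applies to the router's own outgoing traffic, which is what makes this a kill switch for local processes such as irssi: once the tunnel is down their packets would have to leave via wan and are rejected, while the OpenVPN zone keeps `output 'ACCEPT'` so they still flow through `tun+` when the tunnel is up.

```uci
# Added example: replaces the 'wan' zone from the original firewall config.
# The only change to the zone is output REJECT; the rules below punch holes
# for the router's own traffic that must still leave unencrypted.

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Placeholder VPN server address and port: replace with the 'remote' of the
# OpenVPN client profile. No 'src' means this is an output rule for the router.
config rule
	option name 'Allow-VPN-Server-Out'
	option dest 'wan'
	option proto 'udp'
	option dest_ip '198.51.100.10'
	option dest_port '1194'
	option target 'ACCEPT'

# Clock must be set before the TLS handshake will succeed (see the answer above).
config rule
	option name 'Allow-NTP-Out'
	option dest 'wan'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# The wan interface uses DHCP, so renewals to the upstream router must get out.
config rule
	option name 'Allow-DHCP-Out'
	option dest 'wan'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'
```

Because the first rule matches the server by IP, reference the server by address rather than hostname in the OpenVPN client profile, or add a matching DNS output rule as well; after `/etc/init.d/firewall restart`, a ping to an external address from the router should fail while the tunnel is down and succeed once it is up.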