nlx6
March 29, 2020, 4:51pm
1
I prefer to use the luci-app-openvpn package to configure my router as a VPN client because it's simple. When I use this package, is there still a need for a kill-switch, and do I still need to consider modifying my router's configuration to account for DNS leakage?
In the OpenWrt site's OpenVPN extras page, there is a section covering the implementation of a kill-switch. However, after using the luci-app-openvpn, I'm not quite sure how I would need to modify that page's uci commands to accommodate for the package's configuration. For example, I've added the tun0 device to the wan firewall zone's covered devices. Will I need to remove tun0 from the wan firewall zone and create a new vpn firewall zone?
My VPN provider is ProtonVPN.
Are you looking for a way to start/stop the VPN service itself, or a means of cutting off internet connectivity if the VPN connection goes down? If the latter, a simple firewall adjustment can achieve that.
nlx6
March 29, 2020, 5:06pm
3
I'm looking to cut off internet connectivity if the VPN connection goes down.
Could you explain to me the firewall adjustment, please? Preferably from the point of view of a LuCI user.
In the firewall general settings page, you will see the zone forwarding towards the bottom. You probably have one that is lan > wan and another that is lan > vpn. Removing the lan > wan forwarding rule will prevent all lan traffic from egress (Internet cutoff) when the vpn tunnel is down. When it is up, traffic will run through the vpn to get to the internet.
nlx6
March 29, 2020, 5:43pm
5
There are 2 zones: lan > wan and wan > reject
tun0 is a covered device within wan > reject
Do your instructions still apply?
If you've tied the VPN into the WAN zone, this will not work. You can create a new zone for the VPN interface, though, and then do what I described earlier.
nlx6
March 29, 2020, 6:31pm
7
These are the instructions I've followed from the OpenWrt site: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
The firewall settings are described in section 4.1-b.
Everything works as expected after following the instructions.
If you go to the tun0 interface (under network > interfaces), click edit and then go to the firewall tab, you can create a new zone (vpn).
Then, return to the Network > Firewall configuration, and you'll see the new vpn zone listed with the lan and wan zones. Edit the vpn zone, and configure it the same as the wan (typically input=reject, output=accept, forward=reject, enable masquerading). Allow forward from the LAN zone (and nothing in the "allow forward to destination zones" field).
Now, you can remove the LAN > WAN forwarding, and as long as the tunnel is running, you'll have internet access (and when it is down, the internet is blocked).
nlx6
March 29, 2020, 7:20pm
9
This is where I got confused... There is no tun0 interface displayed in the Network > Interfaces page. Yet somehow, it was available from within the wan firewall zone advanced settings page.
Can you post your config details? Ideally the contents of the following files, in a code block (</>):
/etc/config/network
/etc/config/firewall
nlx6
March 29, 2020, 7:33pm
11
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7e:a3bf:c07d::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.6.1'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'b4:fb:e4:51:81:b0'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'b4:fb:e4:51:81:b1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 tun0'
list device 'tun0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
Can you try again? Those files are not complete. Use cat <file name> and then copy-paste.
nlx6
March 29, 2020, 7:59pm
13
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7e:a3bf:c07d::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.6.1'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'b4:fb:e4:51:81:b0'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'b4:fb:e4:51:81:b1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 tun0'
list device 'tun0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
Modify the wan zone as shown here:
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
Then add a vpn zone and forwarding like this:
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
config forwarding
option src 'lan'
option dest 'vpn'
And remove the lan > wan forwarding:
config forwarding
option src 'lan'
option dest 'wan'
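The zone change described in the posts above can be checked from the router's shell rather than by eye. What follows is an added example, not code from this thread, from OpenWrt or from ProtonVPN: a small POSIX sh/awk audit that parses an /etc/config/firewall file and confirms the three properties the kill-switch relies on: the tunnel device is not a member of the wan zone, there is no lan > wan forwarding section, and lan forwards to the zone that holds the tunnel device. The function names are mine, and the two sample configs embedded in it are constructed, cut down from the ones posted in this thread to the sections the check reads.

```shell
#!/bin/sh
# Kill-switch audit for an OpenWrt /etc/config/firewall (added example).
# Parser covers only the UCI subset these files use: config / option / list
# lines with single-quoted (or bare single-word) values.

# Emit one fact per line from a UCI firewall file:
#   "zone <zone> <member>"  for every network or device listed in a zone
#   "fwd <src> <dest>"      for every forwarding section
uci_firewall_facts() {
    awk -v q="'" '
    function flush(   n, i, m) {
        if (sect == "zone") {
            n = split(members, m, " ")
            for (i = 1; i <= n; i++) print "zone", zname, m[i]
        } else if (sect == "forwarding") {
            print "fwd", fsrc, fdst
        }
        sect = ""; zname = ""; members = ""; fsrc = ""; fdst = ""
    }
    # value of an option/list line: text between the first pair of quotes,
    # or the third field when the value is unquoted
    function val(line,   i, j, s) {
        i = index(line, q)
        if (i == 0) { split(line, f, " "); return f[3] }
        s = substr(line, i + 1)
        j = index(s, q)
        return substr(s, 1, j - 1)
    }
    $1 == "config" { flush(); sect = $2; next }
    $1 == "option" || $1 == "list" {
        v = val($0)
        if (sect == "zone") {
            if ($2 == "name") zname = v
            else if ($2 == "network" || $2 == "device") members = members " " v
        } else if (sect == "forwarding") {
            if ($2 == "src") fsrc = v
            else if ($2 == "dest") fdst = v
        }
    }
    END { flush() }
    ' "$1"
}

# Usage: check_killswitch <firewall-config> [tunnel-device]
# Returns 0 when the config has the kill-switch shape, 1 otherwise.
check_killswitch() {
    cfg=$1
    tun=${2:-tun0}
    facts=$(uci_firewall_facts "$cfg") || return 2
    if echo "$facts" | grep -qx "zone wan $tun"; then
        echo "FAIL: $tun is a member of the wan zone"
        return 1
    fi
    if echo "$facts" | grep -qx "fwd lan wan"; then
        echo "FAIL: lan -> wan forwarding still present (plain egress when tunnel is down)"
        return 1
    fi
    vpnzone=$(echo "$facts" | awk -v t="$tun" '$1 == "zone" && $3 == t { print $2; exit }')
    if [ -z "$vpnzone" ]; then
        echo "FAIL: $tun is not a member of any zone"
        return 1
    fi
    if ! echo "$facts" | grep -qx "fwd lan $vpnzone"; then
        echo "FAIL: no lan -> $vpnzone forwarding, LAN has no egress at all"
        return 1
    fi
    echo "OK: lan egresses only through zone '$vpnzone' ($tun)"
    return 0
}

# Constructed samples, reduced from the configs posted in this thread
# (input/output/forward/mtu_fix options left out; the check does not read them).
WORK=$(mktemp -d)
cat > "$WORK/firewall.before" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    option masq '1'
    option network 'wan wan6 tun0'
    list device 'tun0'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
cat > "$WORK/firewall.after" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    option masq '1'
    option network 'wan wan6'

config zone
    option name 'vpn'
    option masq '1'
    list device 'tun0'

config forwarding
    option src 'lan'
    option dest 'vpn'
EOF

check_killswitch "$WORK/firewall.before" || true   # tun0 in wan zone, lan -> wan: FAIL
check_killswitch "$WORK/firewall.after"  || true   # separate vpn zone, lan -> vpn only: OK
```

On the router, run `check_killswitch /etc/config/firewall` after `service firewall restart`, then confirm end to end by stopping the tunnel (`/etc/init.d/openvpn stop`) and checking that a LAN host can no longer reach the internet. Note that this audit covers forwarded LAN traffic only: the router's own output to wan is still ACCEPT, so upstream DNS queries made by the router's resolver on behalf of LAN clients are not affected by this zone change, which is the DNS-leak part of the original question and is not addressed by the steps above.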
nlx6
March 29, 2020, 8:59pm
15
Thank you.
Here is my new /etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
config forwarding
option src 'lan'
option dest 'vpn'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
Looks right. Does it work? Test with the vpn running and then disable the vpn and see if internet stops. It should work.
nlx6
March 29, 2020, 9:53pm
17
It doesn't work. Everything seems to be copied correctly.
trendy
March 29, 2020, 10:26pm
18
Did you restart after the copy-paste?
service firewall restart
nlx6
March 29, 2020, 10:28pm
19
I didn't do that, but since the copy-paste, I've rebooted the router.
nlx6:
It doesn't work
What isn't working -- are you not getting internet connectivity at all (i.e. when the VPN is active, still no internet), or is it not killing the connection when you stop the tunnel?