/etc/firewall.user and /etc/hotplug.d/iface/99-prevent-leak were already configured:
/etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Fail closed: if tun0 is not up when the firewall (re)starts, block forwarding
# until the hotplug script removes the rule again.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi
/etc/hotplug.d/iface/99-prevent-leak
#!/bin/sh
# Runs on every interface hotplug event; ACTION is ifup or ifdown.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
    iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi
How can I really prevent traffic leakage?
My ISP supports only IPv4.
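The two scripts above keep the same REJECT rule in sync from two places and key on $ACTION, so an ifup/ifdown event for some other interface can be ignored while the tunnel state has changed. As an added example (not code from the thread), here is the same kill switch with the policy in one pure function that is reconciled on every event and can be tested without iptables; it assumes the poster's chain and rule (forwarding_rule, -j REJECT) and a tun device named tun0.

```shell
#!/bin/sh
# Added example, not from the thread: the same kill switch as the poster's
# firewall.user / 99-prevent-leak, but with the policy in one pure function
# that can be tested without touching iptables. Assumes the same chain and
# rule as the poster: "iptables -I forwarding_rule -j REJECT".
TUN_DEV="${TUN_DEV:-tun0}"   # assumption: name of the OpenVPN tun device

# tun_is_up: prints 1 when the tunnel device exists and carries the UP flag,
# else 0. The flag list is checked instead of "state" because tun devices
# report "state UNKNOWN"; "ip link show dev X" exits non-zero if X is absent.
tun_is_up() {
    if ip link show dev "$TUN_DEV" 2>/dev/null | grep -q '[<,]UP[,>]'; then
        echo 1
    else
        echo 0
    fi
}

# rule_present: prints 1 when the REJECT rule is already in forwarding_rule.
rule_present() {
    if iptables -C forwarding_rule -j REJECT 2>/dev/null; then
        echo 1
    else
        echo 0
    fi
}

# decide TUN_UP RULE_PRESENT: prints insert, delete or none.
# The policy ignores $ACTION on purpose: every hotplug event (for any
# interface) simply reconciles the rule with the tunnel state, so the block
# is present exactly when the tunnel is down, whichever event fired.
decide() {
    case "$1$2" in
        00) echo insert ;;   # tunnel down and nothing blocking: close the gap
        11) echo delete ;;   # tunnel up but still blocked: let traffic flow
        *)  echo none ;;     # already consistent
    esac
}

# reconcile: read the live state and apply the decision with iptables.
reconcile() {
    case "$(decide "$(tun_is_up)" "$(rule_present)")" in
        insert) iptables -I forwarding_rule -j REJECT ;;
        delete) iptables -D forwarding_rule -j REJECT ;;
    esac
}

# When run by hotplug, ACTION is set (ifup/ifdown). /etc/firewall.user can
# call reconcile directly, since a firewall reload recreates forwarding_rule
# empty and the REJECT rule has to be put back.
if [ -n "${ACTION:-}" ]; then
    reconcile
fi
```

Installing the same file as /etc/hotplug.d/iface/99-prevent-leak and sourcing it from /etc/firewall.user gives one source of truth; the rule is then re-evaluated both on interface events and on every firewall reload.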
The simplest way to prevent leakage is to just remove the forwarding from lan > wan. You'll see this in the main firewall file as a forward rule... delete it and no traffic will be allowed out of the wan from the lan.
Also @gien I use NordVPN myself. They are great, but you may well want to consider using WireGuard rather than OpenVPN. Check out this excellent guide here:
The reason for the above steps is that NordVPN don't release WireGuard credentials. They want everyone to use their own NordLynx built upon WireGuard, but it is easy to extract the relevant credentials as demonstrated above. I think NordVPN are fine with this, they just don't (yet?) officially support WireGuard.
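The reply's point about removing the lan to wan forwarding can be checked mechanically. As an added example (not from the thread), this script parses a UCI firewall config and flags any forwarding section that sends the lan zone straight to the wan zone, and it carries two constructed configs: the default-style leaky one and a corrected layout where lan forwards only to a vpn zone on tun0. Zone names, the device name and the zone options are assumptions based on OpenWrt defaults; on a live router the input would be /etc/config/firewall.

```shell
#!/bin/sh
# Added example, not from the thread: audit /etc/config/firewall for a
# "forwarding" section that sends the lan zone straight to the wan zone,
# the leak path the reply says to delete. Zone/device names are assumptions.

# leak_forwardings: reads a UCI firewall config on stdin and prints one
# "src->dest" line per forwarding section with src lan and dest wan.
# Quotes around option values are stripped; "list" lines are ignored.
leak_forwardings() {
    awk -v q="'" '
        function flush() {
            if (type == "forwarding" && src == "lan" && dest == "wan")
                print src "->" dest
            type = ""; src = ""; dest = ""
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" {
            v = $3; gsub("[" q "\"]", "", v)
            if ($2 == "src") src = v
            else if ($2 == "dest") dest = v
        }
        END { flush() }
    '
}

# Constructed sample: default-style config with the leaky lan->wan forwarding.
LEAKY_CONFIG=$(cat <<'EOF'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
)

# Constructed sample: lan may only reach the vpn zone (tun0, masqueraded);
# with no lan->wan forwarding, nothing from lan leaves via the bare ISP link.
FIXED_CONFIG=$(cat <<'EOF'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config zone
    option name 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list device 'tun0'

config forwarding
    option src 'lan'
    option dest 'vpn'
EOF
)

# audit NAME CONFIG: prints "NAME: ok" or "NAME: LEAK (src->dest)".
audit() {
    leaks=$(printf '%s\n' "$2" | leak_forwardings)
    if [ -n "$leaks" ]; then
        echo "$1: LEAK ($leaks)"
    else
        echo "$1: ok"
    fi
}

audit leaky "$LEAKY_CONFIG"
audit fixed "$FIXED_CONFIG"
```

Run against the real file with `leak_forwardings < /etc/config/firewall`; an empty result means no forwarding section hands lan traffic to wan, which is the state the reply recommends, and the REJECT kill switch from the first post then only matters for traffic that reaches the vpn zone while tun0 is down.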