What do I need to do in order to make a wifi kill switch (when the VPN connection becomes inactive, internet over wifi stops working), and is it possible to separate LAN from VPN altogether, or at least make it so it doesn't shut off when the VPN loses connection?
This is my current /etc/config/firewall that blocks internet when the VPN loses connection:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone 'vpn'
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

# the only forwarding is lan -> vpn: there is no lan -> wan path, so when tun0 is down the LAN has no Internet
config forwarding
	option src 'lan'
	option dest 'vpn'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
From what I can tell, the firewall looks okay in that you only allow forwarding from LAN > VPN. If the VPN goes down, there is no internet connection available on the LAN.
Assuming that is working properly, it should not have a direct impact on the local operation of the LAN or Wifi. If you are seeing devices drop offline, it is because they are trying to be 'smart' with internet connectivity tests (usually a ping test to a given domain or IP). Here's an example. These client devices drop the wifi connection if they detect that there is no route to the internet -- this means that you will need to change the settings on the devices themselves, not your OpenWrt system.
The alternative would be to figure out what domains/IPs are used for the various connectivity tests. You could intercept those tests using DNS entries or firewall rules that direct them to the OpenWrt system which would then be able to reply, thus 'tricking' the systems into believing they have connectivity.
Yeah, it all works fine: if the VPN server becomes inactive it prevents traffic on LAN/Wifi, but I'm wondering if it's possible to only prevent traffic on Wifi and leave LAN working even if the VPN server goes down.
Yes a separate network and zone, then two forwards:
lan->wan
guest->vpn
Basically keep the default lan->wan setup, which is always going to be a standard connection outside the VPN, then add the vpn and guest on top of that. Users of the guest network always go via the VPN; if the VPN is down, they have no Internet.
In the default configuration, when lan and wlan are combined in a bridge interface, it is impossible. As described above, you should create an additional zone and subnetwork for the wireless interface, and create a forwarding rule only to the vpn zone, not to the wan zone.
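The two replies above describe one procedure: a separate guest network and zone, with guest forwarded only to vpn and lan only to wan. The script below is an added example, not code from this thread or from OpenWrt, that carries out that procedure as uci commands. Everything not taken from the thread is an assumption: radio0 as the wifi radio, the SSID guest-vpn, the DHCP range, and the section names guest_ap, guest_dhcp, guest_dns, guest_to_vpn and lan_to_wan. The vpn zone with device tun0 is taken as already existing, as in the poster's config. With DRY_RUN=1 the script prints the uci commands instead of executing them, so the result can be reviewed before running it on the router.

```shell
#!/bin/sh
# Added example (not from the thread): create a separate "guest" network and
# firewall zone on OpenWrt so that wifi clients can only reach the Internet
# through the vpn zone (tun0), while the wired lan keeps its lan->wan path.
# Assumptions: radio0 is the wifi radio, 192.168.2.0/24 is unused, the vpn zone
# with device tun0 already exists, and the SSID/section names are arbitrary.
# Usage (on the router, as root):  sh guest-vpn.sh apply 'wifi-passphrase'
# Dry run (print the uci commands only): DRY_RUN=1 sh guest-vpn.sh apply 'x'

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Guest interface: its own subnet, not a member of the lan bridge.
setup_guest_network() {
    run uci set network.guest=interface
    run uci set network.guest.proto=static
    run uci set network.guest.ipaddr=192.168.2.1
    run uci set network.guest.netmask=255.255.255.0
}

# 2. A dedicated SSID bound to the guest interface instead of lan.
setup_guest_wifi() {
    run uci set wireless.guest_ap=wifi-iface
    run uci set wireless.guest_ap.device=radio0
    run uci set wireless.guest_ap.mode=ap
    run uci set wireless.guest_ap.network=guest
    run uci set wireless.guest_ap.ssid=guest-vpn
    run uci set wireless.guest_ap.encryption=psk2
    run uci set wireless.guest_ap.key="$1"
}

# 3. DHCP pool for guest clients.
setup_guest_dhcp() {
    run uci set dhcp.guest=dhcp
    run uci set dhcp.guest.interface=guest
    run uci set dhcp.guest.start=100
    run uci set dhcp.guest.limit=150
    run uci set dhcp.guest.leasetime=1h
}

# 4. Firewall: a guest zone that may forward only to vpn; lan forwards to wan.
#    Guest has no forwarding to wan, so it loses Internet access as soon as
#    tun0 disappears: that is the kill switch.
setup_guest_firewall() {
    run uci set firewall.guest=zone
    run uci set firewall.guest.name=guest
    run uci add_list firewall.guest.network=guest
    run uci set firewall.guest.input=REJECT
    run uci set firewall.guest.output=ACCEPT
    run uci set firewall.guest.forward=REJECT
    # input is REJECT, so guest clients need explicit DHCP and DNS access to the router
    run uci set firewall.guest_dhcp=rule
    run uci set firewall.guest_dhcp.name=Allow-DHCP-Guest
    run uci set firewall.guest_dhcp.src=guest
    run uci set firewall.guest_dhcp.proto=udp
    run uci set firewall.guest_dhcp.dest_port=67
    run uci set firewall.guest_dhcp.target=ACCEPT
    run uci set firewall.guest_dns=rule
    run uci set firewall.guest_dns.name=Allow-DNS-Guest
    run uci set firewall.guest_dns.src=guest
    run uci set firewall.guest_dns.proto=tcpudp
    run uci set firewall.guest_dns.dest_port=53
    run uci set firewall.guest_dns.target=ACCEPT
    # The two forwardings from the replies. Delete any existing lan->vpn
    # forwarding by hand (the first config in this thread has one), otherwise
    # wired clients are allowed through the tunnel as well.
    run uci set firewall.guest_to_vpn=forwarding
    run uci set firewall.guest_to_vpn.src=guest
    run uci set firewall.guest_to_vpn.dest=vpn
    run uci set firewall.lan_to_wan=forwarding
    run uci set firewall.lan_to_wan.src=lan
    run uci set firewall.lan_to_wan.dest=wan
}

apply_all() {
    setup_guest_network
    setup_guest_wifi "$1"
    setup_guest_dhcp
    setup_guest_firewall
    run uci commit network
    run uci commit wireless
    run uci commit dhcp
    run uci commit firewall
    run /etc/init.d/network restart
    run wifi reload
    run /etc/init.d/dnsmasq restart
    run /etc/init.d/firewall restart
}

if [ "${1:-}" = "apply" ]; then
    apply_all "${2:?wifi passphrase required}"
fi
```

Zone forwardings only decide which zone pairs may talk; they do not choose the egress interface. If the OpenVPN client installs a default route over tun0 (the usual redirect-gateway push), lan traffic that is permitted towards wan is still routed into the tunnel, which is what the poster reports later in this thread. Keeping lan on wan while guest uses tun0 needs policy routing on top of this zone layout.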
I followed the tutorial, created a guest wlan and configured the firewall; it now works like this: OpenVPN goes up, lan internet goes down, guest wlan internet goes up; OpenVPN goes down, lan internet goes up, guest wlan internet goes down. What should I tweak in order to make lan internet always up (w/o VPN) and guest wlan only up when OpenVPN is up?
Network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7d:750a:7f2b::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'd8:0d:17:a7:ed:33'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'd8:0d:17:a7:ed:34'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch1'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch1'
	option vlan '1'
	option ports '5t 3 2 1 0'

config switch_vlan
	option device 'switch1'
	option vlan '2'
	option ports '5t 4'

# guest: its own subnet, no wired port; the guest SSID attaches to it from /etc/config/wireless
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
Firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	# note: eth0.1 is also the port of the lan bridge in the network config above; eth0.2 is the wan port
	list device 'eth0.1'
	list device 'eth0.2'

config zone 'vpn'
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# guest zone: input REJECT, so DHCP and DNS to the router are opened explicitly below
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

# guest may only forward to vpn (no guest -> wan), lan only to wan
config forwarding
	option dest 'vpn'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'
I added it, and it works, but now when OpenVPN is up both lan and guest wlan use the VPN to access the internet, and I want the VPN only for guest wlan. How can I do that?
Yes, there's no point configuring DNS on any other interface than the upstream.
If you want to utilize split DNS, the easiest way is to provide custom DNS with DHCP.
I followed this guide instead and was able to configure OpenVPN the way I need, but now it uses the DNS specified in the DHCP settings instead of the DNS provided by my VPN. What can I do to fix this? Does it even matter what DNS server I use? Shouldn't it be fine if it uses a custom DNS instead of the ones provided by my internet provider?
It depends on your default route. DNS requests can still be seen unless you are using Stubby or DNS over TLS. I do something similar using PBR, but I use two dnsmasq instances. Look up the kidsafe configuration, but the DNS requests go through the tunnel interface.
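The reply above points at policy-based routing (PBR) with DNS going through the tunnel, and an earlier reply suggests handing guest clients a custom DNS server via DHCP. The script below is an added example, not code from this thread, from OpenWrt or from the PBR package, that ties those two points together for the guest subnet in the poster's config (192.168.2.0/24 behind tun0): guest sources are routed through tun0 by an ip rule, the per-guest routing table ends in an unreachable route so that guest traffic stops (instead of leaking out via wan) whenever the tunnel is absent, and the resolvers pushed by the VPN are handed to guest clients as DHCP option 6 so their queries travel inside the tunnel rather than through the router's dnsmasq. It assumes an OpenVPN client of version 2.4 or later configured with script-security 2, pull-filter ignore "redirect-gateway" (so the router's own default route, and therefore the wired lan, stays on wan), and route-up and down both pointing at this file; the table number, rule priority and file path are arbitrary choices, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example (not from the thread). OpenVPN route-up/down hook that sends
# only the guest subnet through the tunnel, acts as a kill switch for it, and
# hands guest clients the DNS servers pushed by the VPN so queries use tun0.
# Assumed OpenVPN client options (not in the thread):
#   script-security 2
#   pull-filter ignore "redirect-gateway"   # keep the router's default route on wan
#   route-up /etc/openvpn/guest-pbr.sh
#   down /etc/openvpn/guest-pbr.sh
# OpenVPN runs this file with $script_type ("route-up" or "down"), $dev (tun0)
# and foreign_option_N="dhcp-option DNS x.x.x.x" in the environment.
# Guest subnet is the one from the poster's config; table/priority are arbitrary.

GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
GUEST_TABLE="${GUEST_TABLE:-100}"
RULE_PRIO="${RULE_PRIO:-1000}"

# DRY_RUN=1 prints the commands instead of executing them.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# One-time setup (e.g. "sh /etc/openvpn/guest-pbr.sh init" from /etc/rc.local):
# guest sources are looked up in their own table, and that table ends in an
# "unreachable" route. Without it an empty table falls through to the main
# table, and guest traffic would leave via wan whenever the tunnel is down.
guest_pbr_init() {
    run ip rule add from "$GUEST_NET" lookup "$GUEST_TABLE" priority "$RULE_PRIO"
    run ip route add unreachable default table "$GUEST_TABLE" metric 1000
}

# Read the DNS servers OpenVPN pushed from an "env"-style listing on stdin.
pushed_dns() {
    sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS //p'
}

# Hand guest clients the VPN's resolvers directly via DHCP option 6, so they
# do not ask the router's dnsmasq (whose upstream queries would go out via wan).
set_guest_dns() {
    [ $# -gt 0 ] || return 0
    dns=$(printf '%s,' "$@")
    run uci -q delete dhcp.guest.dhcp_option
    run uci add_list "dhcp.guest.dhcp_option=6,${dns%,}"
    run uci commit dhcp
    run /etc/init.d/dnsmasq reload
}

# tun0 is point-to-point, so a device route suffices; its metric (0) wins over
# the unreachable route (metric 1000) while the tunnel exists.
tunnel_up() {
    run ip route replace default dev "$1" table "$GUEST_TABLE"
}

# The kernel drops the routes of a removed device anyway; delete explicitly in
# case the device lingers. Only the unreachable route remains: kill switch.
tunnel_down() {
    run ip route del default dev "$1" table "$GUEST_TABLE" 2>/dev/null
}

# OpenVPN's "down" hook passes positional arguments, so prefer $script_type.
if [ -n "${script_type:-}" ]; then
    mode="$script_type"
else
    mode="${1:-}"
fi

case "$mode" in
    init)     guest_pbr_init ;;
    route-up) tunnel_up "$dev"; set_guest_dns $(env | pushed_dns) ;;
    down)     tunnel_down "$dev" ;;
esac
```

The firewall zone layout from earlier in the thread (guest may forward only to vpn) stays in place as a second, independent layer: the routing side decides where guest packets go, the zone side refuses to forward them anywhere else. If the guest interface ever gets an IPv6 prefix, the same rule and unreachable route are needed in the IPv6 tables as well, otherwise IPv6 traffic bypasses this setup.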