Openvpn + wifi kill switch

What do I need to do in order to make a wifi kill switch (when the VPN connection becomes inactive, internet over wifi stops working), and is it possible to separate LAN from VPN altogether, or at least make it so it doesn't shut off when the VPN loses connection?

This is my current /etc/config/firewall that blocks internet when the VPN loses connection:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone 'vpn'
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

From what I can tell, the firewall looks okay in that you only allow forwarding from LAN > VPN. If the VPN goes down, there is no internet connection available on the LAN.

Assuming that is working properly, it should not have a direct impact on the local operation of the LAN or Wifi. If you are seeing devices drop offline, it is because they are trying to be 'smart' with internet connectivity tests (usually a ping test to a given domain or IP). Here's an example. These client devices drop the wifi connection if they detect that there is no route to the internet -- this means that you will need to change the settings on the devices themselves, not your OpenWrt system.

The alternative would be to figure out what domains/IPs are used for the various connectivity tests. You could intercept those tests using DNS entries or firewall rules that direct them to the OpenWrt system which would then be able to reply, thus 'tricking' the systems into believing they have connectivity.


Yeah, it all works fine: if the VPN server becomes inactive it prevents traffic on LAN/Wifi, but I'm wondering if it's possible to only prevent traffic on Wifi and leave LAN working even if the VPN server goes down.

That requires splitting WLAN from LAN and creating a separate firewall zone and forwardings for WLAN.

It should be similar to creating a guest WLAN, but less restricted in your case:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#instructions


Yes a separate network and zone, then two forwards:

lan->wan
guest->vpn

Basically keep the default lan->wan setup, which is always going to be a standard connection outside the VPN, then add the vpn and guest on top of that. Users of the guest network always go by VPN unless the VPN is down, then they have no Internet.

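The two-forwarding layout above (lan->wan, guest->vpn) is easy to check statically: the firewall's forwarding sections are the only paths between zones, so if guest has a forwarding to vpn and none to wan, a dead tun0 leaves guest with no route out. The script below is an added example, not from this thread or from OpenWrt; it parses the UCI text format of /etc/config/firewall, builds the per-zone forwarding map, and reports whether a zone reaches the internet only through the tunnel. The embedded config is a constructed, trimmed copy of the layout discussed here, and with_forwarding() shows what changes once a lan->vpn forwarding is added as a later reply suggests.

```python
"""Static kill-switch check for an OpenWrt /etc/config/firewall (added example)."""
import re
from collections import defaultdict

# Constructed sample: the zone/forwarding layout from the thread, trimmed.
SAMPLE_FIREWALL = """\
config zone 'lan'
        option name 'lan'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option masq '1'

config zone 'vpn'
        option name 'vpn'
        option masq '1'
        list device 'tun0'

config zone 'guest'
        option name 'guest'
        option network 'guest'

config forwarding
        option src 'guest'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'
"""

# config <type> ['name'] | option <key> <value> | list <key> <value>
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")


def parse_uci(text):
    """Return [(section_type, {key: [values...]})] in file order."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append((key, defaultdict(list)))  # key is the section type
        else:
            sections[-1][1][key].append(value)        # option and list both become lists
    return sections


def forwarding_map(sections):
    """src zone -> set of dest zones, from every 'config forwarding' section."""
    fwd = defaultdict(set)
    for kind, opts in sections:
        if kind == "forwarding" and opts["src"] and opts["dest"]:
            fwd[opts["src"][0]].add(opts["dest"][0])
    return fwd


def zone_names(sections):
    return {opts["name"][0] for kind, opts in sections if kind == "zone" and opts["name"]}


def internet_paths(text, upstream=("wan", "vpn")):
    """For each non-upstream zone, the sorted upstream zones it may forward to."""
    sections = parse_uci(text)
    fwd = forwarding_map(sections)
    return {z: sorted(fwd[z] & set(upstream))
            for z in sorted(zone_names(sections)) if z not in upstream}


def kill_switch_holds(text, zone, tunnel="vpn"):
    """True when `zone` can reach the internet only through `tunnel`."""
    return internet_paths(text).get(zone) == [tunnel]


def with_forwarding(text, src, dest):
    """Return the config text with one extra 'config forwarding' section appended."""
    return text + f"\nconfig forwarding\n        option src '{src}'\n        option dest '{dest}'\n"


if __name__ == "__main__":
    for zone, ups in internet_paths(SAMPLE_FIREWALL).items():
        print(f"{zone:6} -> {', '.join(ups) or 'no internet path'}")
    print("guest kill switch:", kill_switch_holds(SAMPLE_FIREWALL, "guest"))
```

Run it against a copy of your own /etc/config/firewall (`internet_paths(open('firewall').read())`) after any zone change: a zone that should be tunnel-only must list exactly `['vpn']`. The check covers forwardings only; a VPN that pushes a default route, or extra rules in /etc/firewall.user, can still change where traffic goes, which is what the policy-based-routing discussion later in the thread is about.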

In the default configuration, when lan and wlan are combined in a bridge interface, it is impossible. As described above, you should create an additional zone and subnetwork for the wireless interface, and create a forwarding rule only to the vpn zone, not to the wan zone.

I followed the tutorial, created the guest wlan and configured the firewall. It now works like this: openvpn goes up, lan internet goes down, guest wlan internet goes up; openvpn goes down, lan internet goes up, guest wlan internet goes down. What should I tweak in order to make lan internet always up (w/o vpn) and guest wlan only up when openvpn is up?

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:750a:7f2b::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'd8:0d:17:a7:ed:33'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'd8:0d:17:a7:ed:34'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch1'
        option vlan '1'
        option ports '5t 3 2 1 0'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '5t 4'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'eth0.1'
        list device 'eth0.2'

config zone 'vpn'
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcpudp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option family 'ipv4'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'vpn'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'lan'

It looks like you have already configured most of it.
Just add the LAN to VPN forwarding.

Also, if you want to specify custom DNS, better use the upstream interface:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

I added it and it works, but now when openvpn is up both lan and guest wlan use the vpn to access the internet. I want the vpn only for guest wlan, how can I do that?

Also, if you want to specify custom DNS, better use the upstream interface:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

So I have to remove DNS from all the interfaces and only leave it on the wan?

Yes, there's no point configuring DNS on any other interface than the upstream.
If you want to utilize split DNS, the easiest way is to provide custom DNS with DHCP.

I tried using VPN policy-based routing and failed. I found this post https://forum.openwrt.org/t/sharing-openvpn-to-only-1-interface/15040/6?u=kiros, but I have no idea what he did when he said

then routed all traffic from that subnet through the VPN using the VPN policy based routing package

Any help?

I followed this guide instead and was able to configure openvpn the way I need, but now it uses the DNS specified in the DHCP settings instead of the DNS provided by my vpn. What can I do to fix this? Does it even matter what DNS server I use? Shouldn't it be fine if it uses custom DNS instead of the ones provided by my internet provider?

It depends on your default route. DNS requests can still be seen unless you are using Stubby or DNS over TLS. I do something similar using PBR, but I use 2 dnsmasq instances. Look up the kidsafe configuration, but the DNS request goes through the tunnel interface.