Why do my devices not lose internet access when I kill the OpenVPN connection?

98123 · April 17, 2023, 7:59pm

I have set up OpenVPN and PBR to route certain devices through my VPN provider (NordVPN) instead of just straight to the internet. I was expecting the device to lose all connectivity to the internet if I force-broke the VPN (by disabling it in the OpenVPN tab of LuCI) however it just reverts to a standard WAN connection and the appaent IP address becomes my real IP address instead. I wanted a killswitch.

Is there something here I may misconfigured? I thought that the "Strict enforcement" settings of PBR was the primary thing that was supposed to make a killswitch.

In the example above, I was expecting that if I disabled OpenVPN then the TV at 192.168.1.186 would lose connectivity to the internet, but it does not, it's apparent IP address simply reverts back to my real one (In reality I am testing this with my phone, not my TV, but the screenshot above was taken at a time where I had disabled that).

psherman · April 17, 2023, 8:10pm

I'm going to guess that your firewall is the culprit here...

Do you have OpenVPN setup with its own firewall zone, or is it part of the wan zone? If it is on the wan zone, split it out. Then, you can simply disallow forwarding from lan > wan, and only allow lan > vpn

98123 · April 17, 2023, 8:22pm

Silly me, I forgot to include that page.

Please see below.

psherman · April 17, 2023, 8:23pm

remove the lan > wan forwarding.

98123 · April 17, 2023, 8:24pm

Won't that cause all non-VPN devices to lose internet connectivity?

psherman · April 17, 2023, 8:32pm

Yes.

I'm not an expert on PBR, so there may be other things to do there, but you can also split the VPN devices into a separate network that is governed by PBR + no forwarding to wan.

pavelgl · April 18, 2023, 8:22am

Add the interface name to the list of supported interfaces.
It should work this way, but better change the name to lower case (in the network and pbr config).