OpenWrt Forum Archive

Topic: Need help with OpenVPN

The content of this topic has been archived on 29 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello all.

I am trying to set up a sort of kill switch for my OpenWRT router.
I have very little understanding of Linux and OpenWRT, but I am learning.
I have set up my router pretty much like the NordVPN tutorial told me.
My problem is the script that is provided for setting up the iptables rules to reject all traffic when the VPN goes down.

#!/bin/sh
# Runs on every hotplug "iface" event; ACTION is ifup or ifdown.
# Tunnel came up and the REJECT rule is still in place: remove it.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
# Tunnel went down and no REJECT rule yet: insert it at the top of forwarding_rule.
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

The blocking rule is applied fine, but it is never deleted once the VPN connection is restored. I have narrowed it down to the

(ip a s tun0 up)

If I remove this part of the script it restores forwarding rules fine.

Can anybody tell me what is going wrong with this script?

EDIT: I should have mentioned that this is a file called 99-prevent-leaks in /etc/hotplug.d/iface

(Last edited by Waza on 16 Mar 2017, 17:32)

You'll need to test this, but I believe that '(ip a s tun0 up)' can be replaced with '[ "$INTERFACE" = "_name_of_your_VPN_iface_here_" ]'.

(Last edited by stangri on 16 Mar 2017, 18:35)

Waza, thank you kindly for using my script. As I've tested it, it is OK, because I remember that /etc/firewall.user blocks forwarding initially, and after that the tunnel works fine, i.e. the unblocking rule is executed correctly. Have you edited /etc/firewall.user? How have you tested it, how have you simulated a reconnect? In your configuration, does tun0 exactly correspond to the OpenVPN interface? Please check the variable values; insert these lines:

echo A $ACTION D $DEVICE I $INTERFACE >> /tmp/out.txt
ip a s tun0 up
echo IP $? >> /tmp/out.txt
iptables -C forwarding_rule -j REJECT
echo F $? >> /tmp/out.txt

Post the contents of /tmp/out.txt after losing and restoring the connection. I can explain the mechanism to you; it is trivial.

(ip a s tun0 up)

is true when the return code of the command is zero; it just checks whether the tun0 device exists. It doesn't exist before the connection is established, but in the case of losing it I am not sure. You can manually run two subsequent commands:

ip a s tun0 up
echo $?

stangri, I am afraid not, because I've tested it: it doesn't get the parameter $INTERFACE in the case of down (it is empty).

(Last edited by ulmwind on 16 Mar 2017, 23:22)

ulmwind, thank you for providing your work for us. As far as testing goes, I pretty much tested it by just using the connection until it drops. If I have to test something quickly, I just kill the VPN connection using an empty VPN profile, wait a minute or so and then manually re-enable the VPN connection.

/tmp/out.txt, first when the connection goes down, then when it goes up:

A ifdown D I nordvpntun
IP 127
F 0

A ifup D tun0 I nordvpntun
IP 127
F 0

Running ip a s tun0 up in the console:

ip a s tun0 up
-ash: ip: not found

Once the connection goes down and the switch enables the iptables rule, I have to manually run iptables -D forwarding_rule -j REJECT on the console to get connectivity back. This was a bitch to figure out xD

EDIT: firewall.user:

# Block forwarding at boot until the tunnel device exists and the rule is not yet present.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

(Last edited by Waza on 17 Mar 2017, 18:26)

opkg update; opkg install ip-full

(Last edited by stangri on 17 Mar 2017, 08:24)

Waza, you can install ip-full as stangri wrote. I expected the default firmware config to contain it. You can also replace

ip a s tun0 up

by

ifconfig tun0

I think that to resume the connection you run iptables -D forwarding_rule -j REJECT (DELETE), not -C (CHECK).
stangri, as you can see, the parameter $DEVICE turns out to be empty in the case of the ifdown event. Furthermore, the initial blocking can't get such parameters, so, to my mind, my solution is optimal. Of course, it is possible to create a specific file for reading and writing such parameters, but it is too complicated without significantly improving the attained effect.

To block and restore the connection, one can also use scripts for the up and down events of the OpenVPN connection. But as for the initial blocking, I can't suggest anything else.

In the IPredator manual I've seen another option to prevent traffic leakage outside the tunnel: permanently remove masquerading from the firewall config for WAN. It is too clumsy, to my mind; however, it totally disables NAT LAN-WAN, and only NAT LAN-VPN remains.

(Last edited by ulmwind on 17 Mar 2017, 17:56)
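The log above shows why the ifup branch never fired: ip-tiny on the stock image has no `ip a s`, so `ip` exits 127 and the `&&` chain treats the tunnel as down. As an added example that is not the thread's own script, here is a version of 99-prevent-leaks that reads sysfs instead of running `ip`, matches on $INTERFACE as stangri suggested (hotplug also fires for wan/lan, and $DEVICE is empty on ifdown), and keeps the decision logic side-effect free so it can be tested off the router; the interface name nordvpntun and device tun0 are assumed from the log.

```sh
#!/bin/sh
# Added example, not the thread's script: /etc/hotplug.d/iface/99-prevent-leaks
# without a dependency on the `ip` binary.
# Assumptions: logical VPN interface "nordvpntun", tunnel device tun0.
VPN_IFACE=nordvpntun
TUN_DEV=tun0

# Is the tunnel device present?  Checks sysfs instead of running `ip`, so a
# missing binary (exit 127) cannot be mistaken for a missing tunnel.
tun_present() {
    [ -d "/sys/class/net/$1" ]
}

# Pure decision logic, free of side effects so it can be unit-tested:
#   decide ACTION INTERFACE TUN_UP(0/1) RULE_PRESENT(0/1)  ->  delete|insert|noop
# Only the VPN interface's own events are acted on; INTERFACE is the name to
# match because DEVICE is empty on ifdown.
decide() {
    action=$1; iface=$2; tun_up=$3; rule_present=$4
    result=noop
    if [ "$iface" = "$VPN_IFACE" ]; then
        if [ "$action" = ifup ] && [ "$tun_up" = 1 ] && [ "$rule_present" = 1 ]; then
            result=delete          # tunnel is back: lift the REJECT rule
        elif [ "$action" = ifdown ] && [ "$tun_up" = 0 ] && [ "$rule_present" = 0 ]; then
            result=insert          # tunnel is gone: block forwarding
        fi
    fi
    echo "$result"
}

# Apply the decision with iptables and leave a trace in the system log.
apply() {
    tun_present "$TUN_DEV" && up=1 || up=0
    iptables -C forwarding_rule -j REJECT 2>/dev/null && present=1 || present=0
    verdict=$(decide "$ACTION" "$INTERFACE" "$up" "$present")
    case "$verdict" in
        delete) iptables -D forwarding_rule -j REJECT ;;
        insert) iptables -I forwarding_rule -j REJECT ;;
    esac
    logger -t prevent-leaks "action=$ACTION iface=$INTERFACE tun_up=$up rule=$present verdict=$verdict"
}

# Hotplug sets ACTION; run by hand without it, only the functions are defined.
if [ -n "$ACTION" ]; then
    apply
fi
```

Running `logread | grep prevent-leaks` after a reconnect shows the values each event saw, which replaces the /tmp/out.txt debugging from the thread.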

ulmwind wrote:

I think that to resume the connection you run iptables -D forwarding_rule -j REJECT (DELETE), not -C (CHECK).

Yes, of course. Just a copy-paste error on my part big_smile I'll correct it in the post in case someone else ever stumbles upon this thread.
I will look into the ip-full package when I have some time.

Thank you all for your responses and help.

Waza, just replace all matches in the two scripts, /etc/firewall.user and 99-prevent-leak, as I've written above.

The discussion might have continued from here.