Alternative to the function Force VPN (No Internet if VPN is not connected) on AR750S

NeoxHC · 2019-04-17T09:54:26.543Z

Thanks for your reply Kyson-lok. I checked the suggested thread however I am not sure this resolves my point totally. fine to stop leakes once VPN is started, but what if VPN drops? packets will go to WAN with no encryption? How can avoid no internet if no VPN is connected?

kyson-lok · 2019-04-17T09:56:24.274Z

It is the same, if you edit those files, it will enable data traffic forward to WAN interface from LAN, so if VPN connection was lost, the router still be able to access the Internet.

NeoxHC · 2019-04-17T10:03:22.171Z

what I am trying to achieve is: if VPN connection was lost, the router DOES NOT allow ANY access the Internet to ANY client on the LAN.
No VPN means no access to internet, all traffic from LAN is blocked

kyson-lok · 2019-04-18T01:48:19.159Z

It is the default case.

If VPN was lost, all LAN devices cannot access the Internet.

NeoxHC · 2019-04-18T06:30:26.335Z

Thanks for the clarifications.
Let me comment the two lines from the first screenshot and also all the ones in the “load default rules” if routine and confirm.

NeoxHC · 2019-04-18T07:34:16.699Z

Unfortunately, it is still not working, access is given when VPN is disconnected:
to double check I did things properly,

1st file - edited as per directions in picture above.

2nd file, I did comment what suggested, I am only missing last line in the second picture, where I have the following:

ovpn_main() {
local ip
local host
local enable
eanble=$(uci get glconfig.openvpn.enable 2>/dev/null)
[ “$eanble” = “1” ] || return

       # Load default rules
       #if [ "$INTERFACE" = "ovpn" ]; then
       #             # add default rules and force to main table
       #             [ -z "$(ip route list | grep -E "0.0.0.0/1 (.*) $DEVICE" 2&gt;/dev/null)" ] &amp;&amp; {
       #                           ip route add 0.0.0.0/1 dev $DEVICE 2&gt;/dev/null
       #                           ipset add mwan3_connected_v4 0.0.0.0/1 2&gt;/dev/null
       #             }
       #             [ -z "$(ip route list | grep -E "128.0.0.0/1 (.*) $DEVICE" 2&gt;/dev/null)" ] &amp;&amp; {
       #                           ip route add 128.0.0.0/1 dev $DEVICE 2&gt;/dev/null
       #                           ipset add mwan3_connected_v4 128.0.0.0/1 2&gt;/dev/null
       #             }
       #fi

       host=$(uci get glconfig.openvpn.host 2&gt;/dev/null)
       [ -n "$host" ] || return

       ip=$(echo $host | egrep '[0-9]{1,3}(\.[0-9]{1,3}){3}')

       [ -n "$ip" ] &amp;&amp; {
                      refresh_route $ip
       }

}

NeoxHC · 2019-04-18T08:29:16.847Z

yes, and I see so many of us asking to re-introduce this capability since long time, any plan to do it? as it is unfortunately is useless as I need to be 100% sure all data are sent via VPN or blocked if VPN is not available, whatever the cause is. Any plan to do it? shall I revert to an older firmware supporting this? what is your advice?

alzhao · 2019-04-18T10:15:03.275Z

In the old firmware, you also need to have a vpn profile first in order to “force vpn”. This is the same as new firmware, which you need to have one vpn profile and click “connect”.

I assume you want to have this feature even when there is no vpn profile upload to the router, right? This seems interesting and maybe we can add.

NeoxHC · 2019-04-18T10:42:39.050Z

Actually for my case it would be enough to have it when an existing VPN profile is available, as I have one. I click on connect and I “assume” VPN is always up. But we know how things work and that VPN can be disconnected at anytime; when this happens, I do not want to have any traffic by anybody from the LAN to internet. This is my use case.

alzhao · 2019-04-18T13:31:35.918Z

This is what the current firmware doing by default, isn’t it?

NeoxHC · 2019-04-18T14:03:12.244Z

No. The behaviour I am experiencing is that even when VPN is down connection to internet to LAN devices is allowed

alzhao · 2019-04-18T14:13:52.693Z

Can you restate which model you are using? In firmware 3.012 it should not happen.

Did you try to reset the firmware and try again? Don’t modify the script as this is the default behavior.

NeoxHC · 2019-04-18T14:19:59.912Z

GL-MT300N-V2-2b8
V 3.012

So shall I revert the modifications (the commented lines) back? I did them because connection to internet was allowed also when VPN is down, but I can check again if needed. Pls advice.

so do you want me to:

Revert config files as original
Reset
Retry:

try to access any website before clicking on connect VPN. You expect NOT to surf internet?
connect VPN
try to access any website → You expect to surf internet now?
disconnect VPN
try to access any website → You expect NOT to surf internet now

Am I right?

alzhao · 2019-04-18T16:29:33.167Z

No. That is not what I mean.

If you disconnect vpn, of course you will have normal internet.

You should click to connect vpn and that is all.

When vpn can be connected successfully you will have Internet via vpn. When vpn cannot be connected successfully to its server you will not have Internet.

You should not click to disconnect vpn. You can change vpn profile without data leak.

NeoxHC · 2019-04-18T16:43:42.621Z

And what if VPN gets disconnected by the server (or for a temp connectivity issue) and I do not realise it? VPN will stay disconnected and LAN users will be allowed to reach internet without VPN?

antifascista · 2019-04-18T21:20:39.886Z

Only if you disconnect vpn lan users will go to Internet without vpn.
If VPN is disconnected by server lan users will not go to Internet.
If you change vpn server to another lan users will go to Internet only when vpn connection will be established with new server.

NeoxHC · 2019-04-19T06:32:48.182Z

thanks All for sheding some light here. My last clarification is: now that my scenario is clearer, shall I leave the modifications suggested in this thread or shall I revert back to default? Thanks again!

Gimmy · 2024-09-17T10:21:07.167Z

Hi everyone,
considering i would like to buy a GL.iNet GL-MT3000 (Beryl AX)

i would like to know if with the current firmware is possible to block all the internet trafic in case the VPN will go down for any reason or i will manually disconnect it or i will manually change the server.

Thanks

admon · 2024-09-17T10:23:44.248Z

Gimmy:

i would like to know if with the current firmware is possible to block all the internet trafic in case the VPN will go down for any reason

This is enabled by default - there is no option to configure it.

Gimmy:

i will manually disconnect

This isn't possible. If you disconnect by yourself, it won't work unless you activate Block Non-VPN: Block No-VPN Traffic - GL.iNet Router Docs 4

kabut · 2024-09-26T00:51:07.088Z

I suspect I recently experience the same issue on GL.iNet GL-MT3000 router. My VPN was connected throughout but a window of a few minutes my data was leaked. Am not sure how to debug this further.