Alternative to the function Force VPN (No Internet if VPN is not connected) on AR750S

I am reading this thread and can confirm this feature is exactly what I need as well. Do not allow any internet connection in case the VPN is down/fails … where are we here? Using OpenVPN on 3.012 and cannot see the option. Thanks in advance!

Hi glitch - is that confirmed? As I can’t see the way to do it even after connecting. thx!

You can check out this post.

Thanks for your reply Kyson-lok. I checked the suggested thread, however I am not sure this resolves my point totally. It is fine to stop leaks once the VPN is started, but what if the VPN drops? Will packets go to the WAN with no encryption? How can I achieve no internet if no VPN is connected?

It is the same. If you edit those files, it will enable data traffic forwarding to the WAN interface from the LAN, so if the VPN connection is lost, the router will still be able to access the Internet.

What I am trying to achieve is: if the VPN connection is lost, the router DOES NOT allow ANY access to the Internet for ANY client on the LAN.
No VPN means no access to the internet; all traffic from the LAN is blocked.

It is the default case.

If VPN was lost, all LAN devices cannot access the Internet.

Thanks for the clarifications.
Let me comment out the two lines from the first screenshot and also all the ones in the “load default rules” if routine, and confirm.

Unfortunately, it is still not working; access is given when the VPN is disconnected.
To double check that I did things properly:

1st file - edited as per the directions in the picture above.

2nd file - I commented out what was suggested; I am only missing the last line in the second picture, where I have the following:

ovpn_main() {
    local ip
    local host
    local enable
    # only act when an OpenVPN profile is enabled in the GL.iNet config
    enable=$(uci get glconfig.openvpn.enable 2>/dev/null)
    [ "$enable" = "1" ] || return

    # Load default rules
    # (commented out as suggested in the thread: these two half routes via
    # the tunnel device are what pull LAN traffic into the VPN on ifup)
    #if [ "$INTERFACE" = "ovpn" ]; then
    #    # add default rules and force to main table
    #    [ -z "$(ip route list | grep -E "0.0.0.0/1 (.*) $DEVICE" 2>/dev/null)" ] && {
    #        ip route add 0.0.0.0/1 dev $DEVICE 2>/dev/null
    #        ipset add mwan3_connected_v4 0.0.0.0/1 2>/dev/null
    #    }
    #    [ -z "$(ip route list | grep -E "128.0.0.0/1 (.*) $DEVICE" 2>/dev/null)" ] && {
    #        ip route add 128.0.0.0/1 dev $DEVICE 2>/dev/null
    #        ipset add mwan3_connected_v4 128.0.0.0/1 2>/dev/null
    #    }
    #fi

    host=$(uci get glconfig.openvpn.host 2>/dev/null)
    [ -n "$host" ] || return

    # only a literal IPv4 server address gets a host route; hostnames are skipped
    ip=$(echo $host | egrep '[0-9]{1,3}(\.[0-9]{1,3}){3}')

    [ -n "$ip" ] && {
        refresh_route $ip
    }
}

Yes, and I see so many of us have been asking to re-introduce this capability for a long time. Any plan to do it? As it is, unfortunately, it is useless, as I need to be 100% sure all data is sent via the VPN or blocked if the VPN is not available, whatever the cause is. Any plan to do it? Shall I revert to an older firmware supporting this? What is your advice?

In the old firmware, you also needed to have a VPN profile first in order to “force VPN”. This is the same as the new firmware, where you need to have one VPN profile and click “connect”.

I assume you want to have this feature even when there is no VPN profile uploaded to the router, right? This seems interesting and maybe we can add it.

Actually, for my case it would be enough to have it when an existing VPN profile is available, as I have one. I click on connect and I “assume” the VPN is always up. But we know how things work and that the VPN can be disconnected at any time; when this happens, I do not want any traffic from anybody on the LAN to the internet. This is my use case.

This is what the current firmware is doing by default, isn’t it?

No. The behaviour I am experiencing is that even when the VPN is down, internet connection for LAN devices is allowed.

Can you restate which model you are using? In firmware 3.012 it should not happen.

Did you try to reset the firmware and try again? Don’t modify the script as this is the default behavior.

GL-MT300N-V2-2b8
V 3.012

So shall I revert the modifications (the commented lines) back? I did them because connection to the internet was allowed also when the VPN was down, but I can check again if needed. Please advise.

So do you want me to:

  1. Revert config files to original
  2. Reset
  3. Retry:
  • try to access any website before clicking on connect VPN. You expect NOT to be able to surf the internet?
  • connect VPN
  • try to access any website → You expect to be able to surf the internet now?
  • disconnect VPN
  • try to access any website → You expect NOT to be able to surf the internet now

Am I right?

No. That is not what I mean.

If you disconnect the VPN, of course you will have normal internet.

You should click to connect the VPN and that is all.

When the VPN can be connected successfully you will have Internet via the VPN. When the VPN cannot connect successfully to its server you will not have Internet.

You should not click to disconnect the VPN. You can change the VPN profile without data leaks.

And what if the VPN gets disconnected by the server (or because of a temporary connectivity issue) and I do not realise it? Will the VPN stay disconnected and LAN users be allowed to reach the internet without the VPN?

Only if you disconnect the VPN will LAN users go to the Internet without the VPN.
If the VPN is disconnected by the server, LAN users will not go to the Internet.
If you change the VPN server to another, LAN users will go to the Internet only when the VPN connection has been established with the new server.
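The kill-switch semantics the developers describe in the last few posts (profile enabled: traffic leaves through the tunnel or not at all, whether the tunnel dropped or never came up; explicit disconnect: normal internet) and the half-route trick in the hotplug script posted earlier, as an added example that is not GL.iNet's firmware code. It assumes an fw3/iptables OpenWrt base with the LAN bridge `br-lan`, the tunnel device `tun0`, the fw3 user chain `forwarding_rule`, the `ovpn` logical interface and the `glconfig.openvpn.enable` flag that the posted script also reads; all of those are assumptions to adapt, and the two `ip route` listings are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not GL.iNet firmware code): a minimal "force VPN" kill switch
# for an fw3/iptables OpenWrt router such as the 3.x GL.iNet firmware is based on.
# Assumptions (hypothetical, adjust to your device): LAN bridge br-lan, tunnel
# tun0, the fw3 user chain "forwarding_rule", the "ovpn" logical interface and
# the glconfig.openvpn.enable flag. Intended for /etc/hotplug.d/iface/99-vpn-killswitch
# plus one "apply" call from /etc/rc.local so the rule exists before any tunnel.

LAN_DEV="${LAN_DEV:-br-lan}"
VPN_DEV="${VPN_DEV:-tun0}"
IPT="${IPT:-iptables}"   # point at a stub for a dry run

# While a profile is enabled, forwarded LAN traffic may only leave via the
# tunnel. The rule does not depend on the tunnel being up or on the two half
# routes (0.0.0.0/1 and 128.0.0.0/1): if they disappear, packets would fall
# back to the WAN default route and hit this REJECT instead of leaking.
ks_rule_args() {
    echo "forwarding_rule -i $LAN_DEV ! -o $VPN_DEV -j REJECT --reject-with icmp-admin-prohibited"
}

ks_block() {
    # -C makes this idempotent: insert only if the rule is not already present
    $IPT -C $(ks_rule_args) 2>/dev/null || $IPT -I $(ks_rule_args)
}

ks_unblock() {
    $IPT -D $(ks_rule_args) 2>/dev/null || true
}

# Map the profile flag (1 = enabled) to an action. Prints "block" or "unblock".
ks_decide() {
    [ "$1" = "1" ] && echo block || echo unblock
}

# Read `ip route` output from stdin and print the device that carries BOTH half
# routes OpenVPN's redirect-gateway installs, or "none". "none" while the
# profile is enabled means the tunnel is not steering traffic and only the
# REJECT rule above is keeping the LAN off the WAN.
vpn_half_routes_dev() {
    awk '
        $1 == "0.0.0.0/1"   { for (i = 1; i <= NF; i++) if ($i == "dev") lo = $(i + 1) }
        $1 == "128.0.0.0/1" { for (i = 1; i <= NF; i++) if ($i == "dev") hi = $(i + 1) }
        END { if (lo != "" && lo == hi) print lo; else print "none" }
    '
}

# Constructed sample listings (not captured from a real device).
SAMPLE_ROUTES_UP='default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.10
0.0.0.0/1 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 dev tun0 scope link
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1'
SAMPLE_ROUTES_DOWN='default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1'

# Hotplug entry point: re-evaluate on every ifup/ifdown of "ovpn" (INTERFACE
# is empty when called by hand, which is also accepted).
ks_main() {
    [ -z "$INTERFACE" ] || [ "$INTERFACE" = "ovpn" ] || return 0
    enable=$(uci -q get glconfig.openvpn.enable)
    case "$(ks_decide "$enable")" in
        block)   ks_block ;;
        unblock) ks_unblock ;;
    esac
}

# Only act when invoked by hotplug (ACTION set) or explicitly with "apply".
if [ -n "$ACTION" ] || [ "$1" = "apply" ]; then
    ks_main
fi
```

Check the result on the router with `iptables -L forwarding_rule -n`, then confirm from a LAN client that browsing stops as soon as the tunnel is taken down on the server side. Two caveats a practitioner should keep in mind: the rule covers forwarded LAN traffic only, so queries the router's own DNS forwarder sends upstream leave through the OUTPUT chain and are not covered by it, and an IPv6-enabled WAN needs the equivalent `ip6tables` rule.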

Thanks all for shedding some light here. My last clarification is: now that my scenario is clearer, shall I leave the modifications suggested in this thread or shall I revert back to default? Thanks again!