[Feature request] VPN killswitch + LAN access

Hello.

It's nice that there is a first-party VPN killswitch (Block non VPN Traffic) in the UI on my Beryl AX.

But too bad it doesn't differentiate LAN traffic from WAN/WWAN. It'd be great if I could make all the WAN/WWAN traffic go through VPN and be able to choose how to handle LAN traffic - either force it via VPN too or let it bypass VPN (kind of a split tunnel).

By doing so I could be sure that if my VPN goes down, my WAN/WWAN traffic doesn't leak while still being able to use resources on my LAN.

On top of that it would be great if there was an option to specify where traffic from the router itself should go - via VPN or directly out. Right now when the VPN is on, it'll always go via VPN, which is not very flexible.

Is there any chance the team would consider implementing those options?

Thanks

P.S. The two features described above can be implemented relatively easily in the OpenWrt firewall. Since (thankfully) wg's interface sits in a separate fw zone, I can simply disable all lan -> wan traffic, allowing only wg -> wan traffic. And if I wanted to still have access to my upstream LAN, I could enable traffic to 'local' destinations in the upstream (e.g. 192.168.0.0/16 and so on). But having a couple more buttons on the UI instead would be somewhat less of a hassle.
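The P.S. above describes a firewall-level kill switch with an optional upstream-LAN bypass; the following `/etc/config/firewall` excerpt is an added example of what that looks like on an OpenWrt-style router (it is not code from the original post or from GL.iNet). It assumes the zone names `lan`, `wan` and `wgclient`, the logical interfaces `wan`, `wwan` and `wgclient`, and an upstream LAN inside 192.168.0.0/16.

```uci
# Added example, not from the original post. Assumed zone/interface names:
# lan, wan (+ wwan) and wgclient (the WireGuard client interface in its own zone).

config zone
	option name 'wan'
	list network 'wan'
	list network 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wgclient'
	list network 'wgclient'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Kill switch: the only forwarding out of 'lan' is into the tunnel zone.
# Deliberately NO "config forwarding" with src 'lan' / dest 'wan', so when the
# tunnel is down nothing from LAN clients is forwarded to wan (zone default REJECT).
# The encrypted WireGuard packets leave as router-originated traffic, which the
# wan zone's 'output ACCEPT' permits.
config forwarding
	option src 'lan'
	option dest 'wgclient'

# Optional split tunnel: exempt only private destinations on the upstream LAN
# so LAN clients can still reach them directly. Everything else stays blocked.
config rule
	option name 'lan-to-upstream-lan-bypass'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.168.0.0/16'
	option family 'ipv4'
	option target 'ACCEPT'
```

The bypass rule only takes effect for destinations the routing table already sends out the WAN interface (normally just the directly connected upstream subnet), so narrow `dest_ip` to that subnet rather than the whole /16 to keep the exemption minimal. After restarting the firewall, confirm in the generated ruleset (`nft list ruleset` on fw4, `iptables-save` on fw3) that the only accepted forward path from lan is into the tunnel zone.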

After the current VPN channel is opened with the killswitch, and the VPN is disconnected, then the equipment in the current tunnel can't access the network at all, and it is a global block, which does not distinguish between the external network and the internal network;
Your demand is that after the killswitch is turned on and the VPN is disconnected, the current tunnel device can't open the external Internet, but other devices in the current LAN can access it, for example, the home NAS device 192.168.8.2 can be accessed.

Please confirm whether it is correct:
The VPN Kill Switch is more intelligent: you can choose to intercept only the WAN/WWAN exit traffic without affecting the internal access of the LAN.
The router's own traffic is more controllable: it can choose whether to take VPN or not.


@Lun Yes, you got both the requests just right.

One small addition to your summary here:

I'd like the LAN to be accessible when the killswitch is active, no matter if the VPN tunnel is connected or disconnected (as in your scenario above).

Thank you for your feedback. I have received and recorded your requirements.
①
Reconstruction of VPN KillSwitch function: The function of the original VPN KillSwitch is to block WAN/WWAN network and LAN network when VPN connection fails. Your demand is to block WAN/WWAN network only, not block LAN network when VPN connection fails.

Scheme 1: Reconstruct the VPN KillSwitch function, and split the original function into two switches that control the WAN/WWAN network block and the LAN network block respectively, but the two switches increase the user's understanding difficulty.
Scheme 2: Reconstruct the VPN KillSwitch function to only block WAN/WWAN network. There is no need to switch the block LAN network, because there is no demand for the block LAN network after the VPN connection fails. You certainly hope that the LAN network will not be affected anyway, right?

Both schemes can be satisfied: you can access the LAN regardless of whether the VPN tunnel is connected or not.

②
Add a switch whether the router uses VPN for its own traffic.


In most cases yes, but there are cases (rare, but they still exist) where I want to "disable" LAN traffic too (like a "full" killswitch). So having a separate switch would be very useful.

Most users won't have to touch it if they don't understand it - it's just a matter of picking a good default value :slight_smile:

And thanks for the summary - you've captured the request very precisely. Thank you!

Ok, thanks, I got it. :slightly_smiling_face: