We had the Force VPN option (firmware v2), replaced by Auto-Force in firmware v3. The latter has suffered many problems (i.e. leaks), so I attempted to implement my own Internet Kill Switch (i.e. force VPN).
When I ran DD-WRT on my previous router, this little firewall trick did the job:
iptables -I FORWARD ! -o tun+ -j DROP
However, this appears to block all traffic on OpenWrt (I added it in LuCI > Network > Firewall > Custom Rules).
I tried to limit forwarding to the LAN > VPN interface only. I did this by deleting the forwarding rule (LAN > WAN) in LuCI (Network > Firewall), but it is reinstated after reboot. However, I did notice that it was disabled in my config file (/etc/config/firewall):
option src 'lan'
option dest 'wan'
option enabled '0'
So, it appears that the current Auto-Force simply checks to see if the VPN is enabled and then sets the above to '0' (disabled) if VPN Enabled = '1'.
I also had a play with the firewall settings (LuCI > Network > Firewall).
The first thing I noticed is that disabling Masquerading on the WAN interface (recommended by AirVPN) appears to fix the IP leaks on boot (i.e. before the VPN connects).
Changing ACCEPT > REJECT under LAN > Forward and ovpn > Input (recommended by some VPN providers) did not interfere with the connection while obviously (presumably?) adding an extra layer of security.
These changes hold on reboot except the ovpn > Input > REJECT (which reverts to ACCEPT).
To fix this I edited /etc/init.d/startvpn and changed ACCEPT to REJECT under the relevant setting in set_ovpn_config.
Hopefully the developers will implement these changes as defaults (unless I am missing some reason why not?).
So, I think I have plugged the final IP leak and also tightened up the Force VPN / leak protection - comments and suggestions welcome!
EDIT: attached a picture of my firewall settings.
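As an added example (not code from the original post, the router firmware or any VPN provider), here is one way to make the same set of firewall changes through OpenWrt's uci instead of clicking through LuCI or editing /etc/config/firewall by hand: WAN masquerading off, LAN forward REJECT, the lan->wan forwarding section disabled, and a REJECT input/forward policy plus masquerading on the tunnel zone with a lan->vpn forwarding added. It assumes things the post does not state: the tunnel interface lives in a firewall zone named "vpn", and the LAN and WAN zones keep their default names. The `uci show firewall` sample inside the script is constructed for the demo, not captured from a device. Because the post says the firmware's own startup script rewrites the tunnel zone's input policy on boot, a script like this has to run after that script (or the startup script has to be changed, as the post describes) for the REJECT to stick.

```shell
#!/bin/sh
# Added example, not code from the post or the firmware: apply "force VPN"
# firewall settings on OpenWrt via uci so they persist across reboots.
# Assumptions: firewall zones named "lan", "wan" and (for the tunnel) "vpn".

# Print the index N of the anonymous `firewall` section of type $1 whose
# option $2 equals $3 (and, if $4/$5 are given, whose option $4 equals $5).
# Reads `uci show firewall` text from stdin so it can be exercised offline.
uci_index() {
    awk -F'[][]' -v type="$1" -v k1="$2" -v v1="$3" -v k2="${4:-}" -v v2="${5:-}" -v q="'" '
        $1 == ("firewall.@" type) {
            # $3 looks like ".name='"'"'wan'"'"'" for option lines, "=zone" for the header line
            if (split($3, kv, "=") < 2) next
            key = substr(kv[1], 2); val = kv[2]; gsub(q, "", val)
            if (key == k1 && val == v1) m1[$2] = 1
            if (k2 != "" && key == k2 && val == v2) m2[$2] = 1
        }
        END { for (i in m1) if (k2 == "" || (i in m2)) print i }'
}

# Read `uci show firewall` text from stdin and print the uci commands that
# implement the kill switch for the tunnel zone named $1 (default "vpn"):
#   wan : masq off, so nothing is NATed straight out before the tunnel is up
#   lan : forward REJECT; the existing lan->wan forwarding section disabled
#   vpn : input/forward REJECT, masq on, MTU fix; lan->vpn forwarding added
# Pipe the output to `sh` to apply it, or read it first.
force_vpn_plan() {
    vpnzone="${1:-vpn}"
    show=$(cat)
    wan=$(printf '%s\n' "$show" | uci_index zone name wan)
    lan=$(printf '%s\n' "$show" | uci_index zone name lan)
    vpn=$(printf '%s\n' "$show" | uci_index zone name "$vpnzone")
    lan_wan=$(printf '%s\n' "$show" | uci_index forwarding src lan dest wan)
    lan_vpn=$(printf '%s\n' "$show" | uci_index forwarding src lan dest "$vpnzone")
    if [ -z "$wan" ] || [ -z "$lan" ] || [ -z "$vpn" ]; then
        echo "force_vpn_plan: zone lan, wan or $vpnzone not found" >&2
        return 1
    fi
    echo "uci set firewall.@zone[$wan].masq='0'"
    echo "uci set firewall.@zone[$lan].forward='REJECT'"
    echo "uci set firewall.@zone[$vpn].input='REJECT'"
    echo "uci set firewall.@zone[$vpn].forward='REJECT'"
    echo "uci set firewall.@zone[$vpn].masq='1'"
    echo "uci set firewall.@zone[$vpn].mtu_fix='1'"
    if [ -n "$lan_wan" ]; then
        echo "uci set firewall.@forwarding[$lan_wan].enabled='0'"
    fi
    if [ -z "$lan_vpn" ]; then
        # only add the lan->vpn forwarding once
        echo "uci add firewall forwarding"
        echo "uci set firewall.@forwarding[-1].src='lan'"
        echo "uci set firewall.@forwarding[-1].dest='$vpnzone'"
    fi
    echo "uci commit firewall"
    echo "/etc/init.d/firewall restart"
}

# Constructed sample of `uci show firewall` output (not captured from a real
# router) so the plan can be reviewed without touching a device.
sample_uci_show() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
}

# `sh force_vpn.sh demo` prints the plan for the sample config;
# `sh force_vpn.sh apply [zone]` applies it on a router.
case "${1:-}" in
    demo)  sample_uci_show | force_vpn_plan vpn ;;
    apply) uci show firewall | force_vpn_plan "${2:-vpn}" | sh ;;
esac
```

Reading the plan before piping it to `sh` is the point of splitting discovery from application: the indices of anonymous `@zone[N]` and `@forwarding[N]` sections differ between routers, so the script looks them up by name rather than hard-coding them. The forwarding section it disables is the same `src 'lan' / dest 'wan'` stanza the post found set to `enabled '0'`.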