How does the VPN Kill Switch really work? Leaks without it?

monologue9484 · August 26, 2025, 6:49pm

Hello!

Hardware: Flint 2
Firmware: 4.7.5-op24 (I guess I could upgrade to 4.8.0-op24)

Types of devices in my network:
A) Devices that run their own software VPN client
B) Devices without a software VPN client

I want to route only (B) through the Flint VPN, for latency & bandwidth reasons.

I've tried the below two policies so far (both work):

"VPN Policy Based on the Target Domain or IP" — I whitelisted all the VPN relay IPs, such that the (A) devices can connect directly to them

"Based on the Client Device" — I whitelisted all (A) devices (the ones with software VPN)

However, once I enable the kill switch ("Block Non-VPN Traffic"), the (A) devices will no longer be able connect to their VPN relays.

Thus, I have to keep the kill switch disabled, which makes me quite uncomfortable.

Can someone explain in which scenarios traffic could leak from the (B) devices without the kill switch enabled? E.g., what about the below scenarios?

Time window before the VPN connection is established (e.g., after a router reboot)
Temporary VPN connection losses
Firmware upgrades
Manually changing the Wireguard relay in the Flint settings (reconnect time window)
Etc.

Is there still a "kill switch" at least for the devices / destinations that are supposed to go through the Flint VPN, or is there no protection at all and traffic leaks wildly?

monologue9484 · August 27, 2025, 5:56am

I just noticed that the 4.8.0-op24 firmware looks very different.

Would be great if someone could explain how the scenarios I described above would have been handled in 4.7.5-op24 vs. how they are handled now. Thank you.

bruce · August 27, 2025, 6:15am

After upgrading the firmware to v4.8.0, can it achieve your needs?

monologue9484 · August 27, 2025, 6:25am

Hi Bruce, I just installed it and played around with it. Are these the right settings to achieve the behavior that I described in my OP?

Also, I'm still curious how it was handled pre-v4.8.0, i.e., in what situations leaks could occur. Thank you.

bruce · August 27, 2025, 6:56am

Hi,

According to your needs the Devices A (Software VPN to relays) do not go to VPN, and combined with the screenshots of Tunnel 1 & 2 above, why not set it like this:

Devices A will not go to VPN and go to WAN via All Other Traffic rule.
Other clients will go to VPN, and Kill Switch enabled.

I think you have mentioned the possible leak scenarios before

monologue9484 · August 27, 2025, 8:30am

I prefer my approach because it massively reduces the risk of Software VPN leaks ... because the clients can only reach the ~180 Wireguard relays directly, while all other traffic would go through the default VPN on the Flint.

I automatically update the input list of relays multiple times per day, so it should be pretty bullet proof.

Is there a way to have the Flint load the list of relays ("Input URL link") more than once daily, to catch any potential changes faster? E.g., to avoid scenarios where clients create their own Wireguard tunnel inside the Flint's VPN tunnel, because the Flint hasn't pulled my latest relay list, yet.

Or worse (but unlikely to become a real world issue), that the VPN provider turns off relays and returns the corresponding IPs, which would make them unsafe to connect to directly.

bruce · August 29, 2025, 10:25am

Sure, you know needs better than me, configure them according to your ideas.

Subscription links are updated once a day 3:00 by default.

You can find this script to change it according to the cycle you want:
/etc/gl_crontabs/crontabs.d/update_vpn_url

monologue9484 · August 29, 2025, 8:35pm

Hi Bruce, I found the script, but it doesn’t seem to execute on 4.8.0-op24 because vpnpolicy.route_policy.proxy_mode is empty? Or am I missing something?

root@GL-MT6000:~# [ "$(uci -q get vpnpolicy.route_policy.proxy_mode)" = 3 ] && echo foo
root@GL-MT6000:~#

No foo.

root@GL-MT6000:~# uci get vpnpolicy.route_policy.proxy_mode
uci: Entry not found
root@GL-MT6000:~# cat /etc/init.d/vpnpolicy-apply
cat: can't open '/etc/init.d/vpnpolicy-apply': No such file or directory

9b9e69c2-4b75-4420 · August 29, 2025, 11:12pm

If uci is reportting Entry not found that's typically because the underlying conf hasn't yet been set with a variable one way or the other. I'm guessing you've not yet plugged in a feed into the 'Input URL Link'.

monologue9484 · August 30, 2025, 1:30am

The feed is loaded and the rules are working. But I’m not sure if the feed refreshes itself.

9b9e69c2-4b75-4420 · August 30, 2025, 1:32am

If the feed is present then... humm... ~~what's the output of uci get vpnpolicy.route_policy.proxy_mode (note the lack of -q (error suppression))?~~ I'm not terribly familiar with all the custom scripts GL has in place.

monologue9484 · August 30, 2025, 1:33am

vpnpolicy is completely empty

root@GL-MT6000:~# uci show vpnpolicy
root@GL-MT6000:~#
root@GL-MT6000:~# uci show | grep vpnpolicy
root@GL-MT6000:~#

9b9e69c2-4b75-4420 · August 30, 2025, 1:37am

... & my Slate AX doesn't have that firmware version. The only other thing I can think of is checking ll /usr/bin/gl*. Other than that apologies for adding to the noise.

monologue9484 · August 30, 2025, 1:38am

No worries, I think we need to wait for @bruce

bruce · September 1, 2025, 4:03am

When you set the Subscription URL and apply in the GL GUI, this schedule script will add:

root@GL-MT6000:~# cat /etc/gl_crontabs/crontabs.d/update_vpn_url
cat: can't open '/etc/gl_crontabs/crontabs.d/update_vpn_url': No such file or directory
root@GL-MT6000:~# cat /etc/gl_crontabs/crontabs.d/update_vpn_url
0 3 * * * /usr/bin/update_vpn_domain.sh

monologue9484 · September 1, 2025, 5:10am

Hi @bruce, I’m using 4.8.0-OP24 and see the below instead:

root@GL-MT6000:~# cat /etc/gl_crontabs/crontabs.d/update_vpn_url
0 3 * * * [ "$(uci -q get vpnpolicy.route_policy.proxy_mode)" = 3 ] && /etc/init.d/vpnpolicy-apply restart >/dev/null 2>&1

root@GL-MT6000:~# cat /etc/init.d/vpnpolicy-apply
cat: can't open '/etc/init.d/vpnpolicy-apply': No such file or directory

root@GL-MT6000:~# uci get vpnpolicy.route_policy.proxy_mode
uci: Entry not found

The script /usr/bin/update_vpn_domain.sh does exist, but is not being called by this crontab.

monologue9484 · September 3, 2025, 7:38am

@bruce still the same issue after upgrading to 4.8.2-OP24.

Should I manually change the crontab to this?

0 3 * * * /usr/bin/update_vpn_domain.sh

bruce · September 3, 2025, 11:20am

Yes, modify the 0 3 * * * according to the update interval/cycle you need.

0   3    *   *     * 
min hour day month week
|   |    |   |     |
|   |    |   |     +--- which day of the week (0-6, 0=Sunday)
|   |    |   +--------- month (1-12)
|   |    +------------- day (1-31)
|   +------------------ hour  (0-23)
+---------------------- min  (0-59)

0 3 * * * means update at 3:00 every day.

monologue9484 · September 3, 2025, 8:02pm

My question was more, is it safe to replace [ "$(uci -q get vpnpolicy.route_policy.proxy_mode)" = 3 ] && /etc/init.d/vpnpolicy-apply restart >/dev/null 2>&1 with /usr/bin/update_vpn_domain.sh on 4.8.2-OP24?

bruce · September 5, 2025, 4:24am

I think it's safe. Before replacing you can make a backup

cp /etc/gl_crontabs/crontabs.d/update_vpn_url /etc/gl_crontabs/crontabs.d/update_vpn_url.bak