Kill Switch, Data Leak, VPN Policy - issue in 4.3.6

Hi,
I have installed 4.3.6 from snapshot on 3 different gl.inet routers and found the same VPN leak behavior on all of them. I hope this post will attract the attention of the developers:

#1 Leak
Judging by the posts on this forum, it seems that the "Kill Switch" in 4.x is now integrated into the VPN on/off button and should not allow traffic to flow past the VPN while it is on, no matter what happens to the VPN. However, when "Block Non-VPN Traffic" is off, at the moment the router is booting or at the moment of switching the VPN connection to another one, the router sends traffic from VPN users without the VPN. This causes a leak of the real IP.

I would like to highlight that the "Block Non-VPN Traffic" function is useless, because it breaks working with the local network.

#2 Leak
In "Modify Proxy Mode", when you choose "Customize Routing Rules" and add the rule "0.0.0.0/1 link", traffic starts to behave inappropriately: IP addresses go through the VPN, but domains go as luck has it: some domains go through the VPN, some without the VPN.

My first idea was that it was a bug in ipset; however, after checking on a fresh install and on different routers, I did not find that the router enters these addresses into an ipset. "ipset flush" also makes no difference.

I also tried changing DNS to custom servers and enabling/disabling AdGuard Home with different settings, but the router keeps sending some domains without the VPN.

This bug also leads to unpredictable traffic leaks past the VPN.

#3 Lack
After several days of testing, I still could not implement the following architecture, which was a one-click setup in version 3.x: I want traffic from the router itself to go without the VPN and with DNS 1.1.1.1, while clients go via the VPN and use the DNS inside the VPN.

In version 3.x, there was a switch "Don't use VPN for router processes", which did the job perfectly.
However, how do I implement this on the new architecture?

#4 Bug
I found a bug specific to the MV1000 Brume (no WiFi) with 4.3.6: the GoodCloud connection does not work at all. No logs, no errors. On my other routers it works with 4.3.6.

Thanks.


#1 leak:

We recently fixed a DNS leak issue that occurs while the system is booting. It's a very short-lived DNS query from the non-VPN interface. What Proxy Mode do you use for testing IP leaks?
One thing to note is that "Allow Access WAN" should be turned off to prevent leaks under the current design (we'd change that in firmware 4.5 or 4.5).
[image]

#2 leak

What's the purpose of this setting? How about changing the type "link" to "global"?

#3 Lack
"Don't use VPN for router processes" is the default, set by the following option:
[image]

#4 Bug
Could you please PM me your MV1000’s MAC address and SN? I can do some checks.

Thanks for your response!

Yes, it is a small leak, 3-5 pings, but a leak is a leak =)
It happens in any Proxy Mode. It is 100% reproducible on boot; when changing the VPN it happens from time to time. It also happens 100% of the time when mwan3 changes the interface.

Is it possible to get firmware 4.5 for my MV1000?

My main idea was to send traffic from the MV1000's own apps without the VPN, while all other interfaces use the VPN. Yes, I have tried global and it is the same. The only way to prevent it is to add a route for 128.0.0.0/1 that points to the same VPN as 0.0.0.0/1.

This point is the most important for me.

I can confirm that on my MUDI this option works this way: the router sends traffic via the VPN and GoodCloud shows the clean IP.

But I want my router to send traffic without the VPN for internal apps and the whole OpenWrt system, while the VPN works for other interfaces. I would like to achieve the same behavior as with v3.0.

Is it possible?

Thanks!
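The "0.0.0.0/1 link" rule in #2 and the 128.0.0.0/1 fix in the last post have a simple routing explanation: 0.0.0.0/1 covers only 0.0.0.0 through 127.255.255.255, so any destination at or above 128.0.0.0 is not matched by the custom rule and falls through to the default (non-VPN) route. The following added example (not code from the original thread or from GL.iNet) simulates the router's longest-prefix-match decision over two constructed policy tables. The targets "wan" and "vpn", the route lists, and the sample domain-to-address mapping are all assumptions constructed for the illustration; they do not describe the real firmware's tables.

```python
"""Longest-prefix-match simulator showing why a lone 0.0.0.0/1 rule leaks.

Constructed example: the route targets, tables and resolved addresses below
are hypothetical and only illustrate the CIDR arithmetic.
"""
import ipaddress

# Hypothetical policy tables. "0.0.0.0/0" stands in for the router's
# ordinary default route (plain WAN); the custom rules point at the VPN.
HALF_RULES = [("0.0.0.0/0", "wan"), ("0.0.0.0/1", "vpn")]
FULL_RULES = HALF_RULES + [("128.0.0.0/1", "vpn")]

# Constructed domain -> resolved address sample (names and addresses are
# illustrative, not real resolutions).
RESOLVED = {
    "example-a.test": "1.1.1.1",
    "example-b.test": "100.64.10.20",
    "example-c.test": "142.250.72.14",
    "example-d.test": "203.0.113.7",
}


def lookup(routes, dst):
    """Return the target of the most specific route that covers dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def leaked(routes, resolved, vpn_target="vpn"):
    """Names whose resolved address would bypass the VPN under these routes."""
    return sorted(name for name, ip in resolved.items()
                  if lookup(routes, ip) != vpn_target)


def uncovered_space(routes, vpn_target="vpn"):
    """IPv4 ranges that no VPN-bound route covers (the hole a policy leaves)."""
    vpn_nets = [ipaddress.ip_network(c, strict=False)
                for c, t in routes if t == vpn_target]
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in vpn_nets:
        nxt = []
        for r in remaining:
            if r.subnet_of(net):          # fully covered (or equal): drop it
                continue
            if net.subnet_of(r):          # carve the covered part out
                nxt.extend(r.address_exclude(net))
            else:                         # disjoint: keep as is
                nxt.append(r)
        remaining = nxt
    return sorted(str(n) for n in ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    for label, table in (("0.0.0.0/1 only", HALF_RULES),
                         ("0.0.0.0/1 + 128.0.0.0/1", FULL_RULES)):
        print(f"{label}: uncovered={uncovered_space(table)} "
              f"leaked={leaked(table, RESOLVED)}")
```

Run as a script, the first table reports the upper half of the address space (128.0.0.0/1) as uncovered and lists the two constructed names that resolved there as leaking; the second table reports no hole and no leaks, which matches the behaviour the last post describes. Testing with a handful of IPs that all happen to sit below 128.0.0.0 would show "IP addresses go through the VPN" while domains resolving into the upper half would not, so a leak check should cover destinations in both halves.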