Killswitch + VPN policy

Technical Support for Routers VPN, DNS, Leaks
1

Hello,

My configuration:
GL-AX1800 Firmware V4.2 release3 Stable
Network Mode Router - WAN over WLAN (Repeater)
Wireguard VPN Client
Global Options → Block Non-VPN Traffic = (Killswitch active)

From my tests and the posts from this forum it seems that you can’t use VPN Policy Modes when the Killswitch is active!
For example, if you set the Policy Mode: Based on the VLAN → VLAN private “disable VPN”, the traffic of a private client is no longer routed through the VPN. Unfortunately, the client then also no longer has a connection to the WAN (Internet)!
Is it possible to influence this in LUCI or in the config files somehow.

Likewise, it is not possible to access a NAS in the WAN subnet when the killswitch is active. Here I added the following crutch as firewall - traffic rules. No idea if this is smart?
config rule
option target 'ACCEPT
list dest_ip ‘192.168.2.0/24’
option dest 'wan
option src 'lan
option name '#Allow LAN->WAN
list src_ip ‘192.168.8.0/24’ option direction 'in
option direction 'in
option device 'br-lan

Basically everything would work quite well if you don’t use a killswitch. But without a killswitch you can never be sure that the VPN necessary clients are running over VPN?
With the firmware V3.xxx you could still use the VPN policy and killswitch at the same time.

I am of the opinion that here is still something to do. Are there other possibilities?

2

If this works, then it’s okay.
Your rule and the rule(when VPN is on)

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

will have an order to be added to the firewall, you may adjust that accordingly.

Actually, when you enable VPN, the traffic will always go via VPN. There was a bug when VPN is offline, but DNS will still go in some scenarios which has been fixed in firmware 4.2.

The killswitch is there to ensure when you turn off VPN, you will not get Internet for router clients.
So if you always turn on VPN, you can turn off the killswitch without adding the extra rules to access WAN-side devices.

4

Unfortunately, I do not quite understand what they want to say. Surely it is because of the translation.

…config forwarding … is listed in the file …/etc/config/firewall. If you enable “Allow Access WAN” with disabled killswitch then “option enabled” changes to “1”.

config forwarding
option src 'lan
option dest 'wan
option enabled '1

Do you think I should set the option enabled ‘1’ when the killswitch is enabled?
Is it possible to configure …config forwarding … somehow/somewhere in LUCI or only in the …/etc/config/firewall file?

I ran two tests with the following configuration:
Test 1:
VPN Client Global Options:
Block Non-VPN Traffic = off
Allow Access WAN = off
Services from GL.iNet Use VPN = off
VPN Global Proxy = on
WireGuard Client = on

Now I have started a simple ping on a Router Client (private LAN) and switched from WireGuard Client A to B. The screenshot shows an interruption of the connection to the Internet.
grafik

Test 2:
VPN Client Global Options:
Allow Access WAN = on

Here the connection is apparently not interrupted!
grafik

Conclusion: With “Allow Access WAN = on” and “Block Non-VPN Traffic=off” the router client is not exclusively on the Internet via VPN. Exactly for this case a killswitch would be necessary?

5

Sorry I misunderstood your needs. I confuse the rules of vpn server and client.

Just add the following firewall rule to allow access wan(directly connected) in luci. 192.168.10.0/24 is the example wan network range. This rule has high priority whether the killswitch is on or off it will work.

image
image896×600 23 KB

6

Thanks again for your quick replies.

Basically your suggestion about the “firewall - traffic rules” is exactly my solution from the 1st post.

So far this works quite well.
The internet connection is also disconnected on a wireguard server change (killswitch ping test), unlike “Allow Access WAN = on”.

Can you also give me a solution how I can now access a NAS network drive in the WAN network. Via the web client of the NAS I can establish a connection. About the Windows Explorer - network unfortunately not (smb).

7

What’s your NAS IP network address, and how about GL-AX1800’s LAN and WAN IP?
I thought the current config was already able to access NAS.

8

GL-AX1800 Network: 192.168.8.0/24
WAN subnet 192.168.2.0/24
WAN IP of the GL-AX1800: 192.168.2.20
NAS on subnet: 192.168.2.250

Access to NAS local via web browser https://192.168.2.250:xxxx works.
Ping and tracert do not work:
grafik

Network access to WAN subnet with Windows Explorer does not work!

9

How about add Protocol to allow TCP & UDP & ICMP?

10

I thought I did that with the traffic rule?

grafik
grafik858×212 13.6 KB

11

That’s a bit weird. Send me this debug info. By PM or here both okay.

12

I have found at least the problem with the Ping/Tracert to the NAS! It is due to the integrated firewall of the NAS.

There remains only the problem that no clients (also other devices) from the WAN subnet are shown in Windows Explorer under Network and thus I can not create a network drive (NAS).
Somehow something is still missing between the LAN (192.168.8.0/24) and WAN (192.168.2.0/24) subnets. NAT or routing … Here my understanding is unfortunately at the end.
ipt.zip (21 KB)

13

There’s no problem with this ipt.zip. So you may need to add some port forward rules, to allow NAS discovery traffic map from LAN to WAN.

14

Can you please explain this in more detail.
As already mentioned, it affects not only the NAS but all devices in the WAN subnet.

When I refresh the network view in Windows Explorer, the following telegrams are generated.

Recording Wireshark:

grafik
grafik983×232 18.4 KB