Have read the forum posts on this subject but wanted to ask anyway… has anyone created a killswitch based on iptables installed into the plugins under OpenWrt?
Is that what under Global Options/Block non-VPN traffic is considered? A version of a killswitch?
I would not call it a killswitch but it works like that, yes.
Why wouldn’t you? ‘Lockdown mode’, ‘killswitch’ is synonymous w/ ‘block non-VPN traffic.’
… to what degree they’re effective is a very different story. I suppose we can thank our Big Tech overlords for that one:
An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03.
In my opinion a killswitch will be an active process monitoring the connection and killing traffic as soon as there is a problem. From my point of view the "monitoring" part is missing here.
And, more important: A killswitch would support split tunneling. "Block non-VPN traffic" does not.
So would a ping routine to a known host that kills the client interface on timeout qualify? If so I don’t see much of a difference in using WG’s persistent keepalive directive, provided the VPN provider doesn’t do some sort of throttling of such packets, of course.
It’s an interesting question given WG is a stateless protocol.
(Meh; I disagree on split-tunnelling but I can see how it has its uses.)
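The ping-based monitor with a "block non-VPN traffic" rule discussed above, written out as an added example that is not part of this thread; the interface name wg0, the probe address and the iptables rule shape are assumptions:

```sh
#!/bin/sh
# Added example, not from the thread: WireGuard kill switch with an active monitor
# for OpenWrt. Assumes BusyBox sh, `wg` and iptables (fw4 releases would use nft).
# VPN_IF and PROBE_HOST are assumed values; PROBE_HOST must only be reachable via the tunnel.
VPN_IF="${VPN_IF:-wg0}"
PROBE_HOST="${PROBE_HOST:-10.64.0.1}"  # hypothetical in-tunnel address
MAX_HANDSHAKE_AGE=180                  # seconds; well above a 25 s PersistentKeepalive
STALL_LIMIT=3                          # consecutive failed checks before blocking
# Pure decision helper: returns 0 (stale) when the newest handshake is older than
# MAX_HANDSHAKE_AGE or never happened. $1 = handshake epoch, $2 = current epoch.
handshake_stale() {
    [ "$1" -eq 0 ] && return 0
    [ $(($2 - $1)) -gt "$MAX_HANDSHAKE_AGE" ]
}

# Reads `wg show <if> latest-handshakes` (pubkey<TAB>epoch per peer) on stdin and
# prints the newest epoch, or 0 if no peer has ever completed a handshake.
newest_handshake() {
    awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# Reject forwarded traffic that would leave through anything but the tunnel.
# (Also stops LAN-to-LAN forwarding; add -i <lan> to narrow it if needed.)
engage_killswitch() {
    iptables -C FORWARD ! -o "$VPN_IF" -j REJECT 2>/dev/null \
        || iptables -I FORWARD 1 ! -o "$VPN_IF" -j REJECT
}
release_killswitch() {
    iptables -D FORWARD ! -o "$VPN_IF" -j REJECT 2>/dev/null || true
}

# Monitoring loop: handshake age plus an in-tunnel ping, so a tunnel that still
# "exists" but no longer carries traffic counts as down; unblocks on recovery.
monitor() {
    fails=0
    while :; do
        last=$(wg show "$VPN_IF" latest-handshakes 2>/dev/null | newest_handshake)
        if handshake_stale "${last:-0}" "$(date +%s)" \
            || ! ping -c 1 -W 2 -I "$VPN_IF" "$PROBE_HOST" >/dev/null 2>&1; then
            fails=$((fails + 1))
        else
            fails=0; release_killswitch
        fi
        [ "$fails" -ge "$STALL_LIMIT" ] && engage_killswitch \
            && logger -t vpnkill "tunnel stalled, non-VPN forwarding blocked"
        sleep 10
    done
}
if [ "${1:-}" = "run" ]; then monitor; fi
```

Run it as `sh vpnkill.sh run` from procd or cron; the REJECT rule stays in place until the handshake and the in-tunnel ping both recover, so nothing leaks out the WAN while the tunnel is stalled.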
Unfortunately you have to use it in certain situations.
Yeah, no doubt. I’m more of a proponent of PBR though:
Afaik VPN policy will utilize PBR.
At least the routes are stored at the same place and can be edited by the luci PBR plugin.
Yup; it also allows preloading ASNs… something VPN split tunnelling doesn’t do. You should give it a punt!