Killswitch

Have read the forum posts on this subject but wanted to ask anyway… has anyone created a killswitch based on iptables installed into the plugins under OpenWrt?

Is that what under Global Options/Block non-VPN traffic is considered? A version of a killswitch?

I would not call it a killswitch but it works like that, yes.

Why wouldn’t you? ‘Lockdown mode’, ‘killswitch’ is synonymous w/ ‘block non-VPN traffic.’

… to what degree they’re effective is a very different story. I suppose we can thank our Big Tech overlords for that one:

In my opinion a killswitch would be an active process monitoring the connection and killing traffic as soon as there is a problem. From my point of view the "monitoring" part is missing here.

---
And, more important: a killswitch would support split tunneling. "Block non-VPN traffic" does not.

So would a ping routine to a known host that kills the client interface on timeout qualify? If so I don’t see much of a difference in using WG’s persistent keepalive directive, provided the VPN provider doesn’t do some sort of throttling of such packets, of course.

It’s an interesting question given WG is a stateless protocol.

(Meh; I disagree on split-tunnelling but I can see how it has its uses.)

https://www.wireguard.com/protocol/#connection-less-protocol
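A sketch of what the ping-based routine discussed above would look like on an OpenWrt box, together with the "block non-VPN traffic" rules it complements. This is an added example, not code from anyone in this thread; it assumes the interface names wg0 and eth0, a placeholder probe host and the default WireGuard endpoint port 51820.

```shell
#!/bin/sh
# Added example, not from the thread: a "block non-VPN traffic" rule set plus
# the monitoring pass that turns it into a killswitch. Assumed names: wg0 is
# the WireGuard client interface, eth0 the WAN, 10.64.0.1 a placeholder probe
# host (use your provider's tunnel gateway), 51820 the endpoint UDP port.
VPN_IF="${VPN_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
PROBE_HOST="${PROBE_HOST:-10.64.0.1}"
ENDPOINT_PORT="${ENDPOINT_PORT:-51820}"

# Emit the iptables commands: forwarding may leave via the tunnel only, and
# router-originated traffic leaving the WAN is dropped except the encrypted
# WireGuard datagrams to the endpoint. If the tunnel route disappears, nothing
# silently falls back to the clear-text WAN path.
killswitch_rules() {
    vpn="$1"; wan="$2"; port="$3"
    cat <<EOF
iptables -I FORWARD 1 -o $vpn -j ACCEPT
iptables -I FORWARD 2 -o $wan -j DROP
iptables -I OUTPUT 1 -o $wan -p udp --dport $port -j ACCEPT
iptables -I OUTPUT 2 -o $wan -j DROP
EOF
}

# The "monitoring" part: run the probe N times; exit 0 (healthy) unless every
# attempt failed. The probe is passed as a command string so the decision
# logic can be exercised without network access.
tunnel_healthy() {
    probe="$1"; tries="${2:-3}"; fails=0; i=0
    while [ "$i" -lt "$tries" ]; do
        sh -c "$probe" >/dev/null 2>&1 || fails=$((fails + 1))
        i=$((i + 1))
    done
    [ "$fails" -lt "$tries" ]
}

# Probe the gateway through the tunnel interface only (-I), so a reply that
# arrived via the WAN could never mask a dead tunnel.
probe_cmd() { printf 'ping -c 1 -W 2 -I %s %s' "$VPN_IF" "$PROBE_HOST"; }

# One watchdog pass, meant to be called from cron or a sleep loop. The rules
# above already drop non-VPN traffic; taking the interface down as well makes
# the failure visible to clients instead of leaving packets queued.
watchdog_once() {
    tunnel_healthy "$(probe_cmd)" 3 && return 0
    ifdown "$VPN_IF" 2>/dev/null || ip link set "$VPN_IF" down
    return 1
}
```

The rules deliberately do not whitelist DHCP renewals or DNS on the WAN; add those if the WAN lease or resolver runs outside the tunnel.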

Unfortunately you have to use it in certain situations.

Yeah, no doubt. I’m more of a proponent of PBR though:


Afaik VPN policy will utilize PBR.
At least the routes are stored at the same place and can be edited by the luci PBR plugin.

Yup; it also allows preloading ASNs… something VPN split tunnelling doesn’t do. You should give it a punt!