VPN internet killswitch leaks

deepwater · 2021-02-06T12:51:26.379Z

Hi, I realized that the internet killswitch in my GL-MT300N-V2 Mango leaks. At least I can clearly diagnose a DNS leak. How? From the logs of my DNS server I can clearly show that DNS requests from the routers LAN are forwarded to WAN so they are not blocked by the killswitch. When does it occure? Everytime the router boots and when you disconnect from the VPN server via the web UI (the GL iNet not luci). I did not perform actual network sniffing to check if there are also further leaks but for me no leak at all is accetable. As soon as you are connected to the VPN server there are no more DNS leaks.
For me it turns out that the killswitch is not working at all. The only purpose of an internet killswitch is to block internet access when there is no VPN tunnel active, right?
I would appreciate it if you could fix that. Thanks!
I am using v3.105

Edit: I can clearly see in the DNS servers log that it forwards the DNS requests from LAN to WAN before it establishes the VPN tunnel because requests for the VPN servers hostname are shown later in the log.

alzhao · 2021-02-10T04:06:11.220Z

So the idea is to block all dns when vpn is not enabled?

In that case, all browser will display dns not found

deepwater · 2021-02-10T07:29:39.821Z

My idea of the killswitch is that not one bit is forwarded from LAN to WAN as soon as the VPN tunnel is not working. This includes DNS requests, yes. It’s ok if the browser will display DNS not found. When there is not internet access (I think thats what the killswitch is designed for) a DNS access doesn’t have any advantage in my understanding because you won’t be able to reach the IP adress which is servered by the DNS server. I would clearly name it a leak because it means that you are “vunerable” as the DNS server operator can simply tell which hostnames you are requesting.
I didn’t check the actual data traffic of the WAN port for IP communication besides DNS requests with a sniffer. But I don’t even want DNS requests to leak in the internet thats why I didn’t sniff the WAN port yet. If it possible to block DNS requests with the killswitch I will probably check that as well.
Feel free to correct my if my understanding or estimations are wrong regarding the killswitch functionallity.

alzhao · 2021-02-10T08:18:46.012Z

OK. I just filed a bug internally.

0496bc97ab · 2021-07-28T09:27:48.130Z

Killswitch, for example, does not block checking for gl.inet firmware updates, maybe that’s why?

alzhao · 2021-07-28T09:33:02.413Z

0496bc97ab:

does not block checking for gl.inet firmware updates

Pls note, Killswitch does not block the router itself to use the Internet. It blocks the clients to use the Internet. So the router can find firmware update and this is normal.