Friday, August 4, 2017

Stopping machines from connecting to the internet when the VPN goes down on DD-WRT

VPNs are good but their connections are rarely perfect. 

Usually, when they disconnect, your router fails over back to using the unencrypted WAN connection.  This is convenient but leaves your network connection exposed, which rather defeats the purpose.  There is little point in being protected only 99% of the time, right?

Worse, you don't even know if the VPN is off.  Everything just blithely continues on as usual.  You'll only know if you manually check.  Which is stupid.

If you're like me, there are some devices on the network where you don't really care if they keep working or not.  Perhaps there are some where you actually want them to keep working, even if the VPN stops (Netflix?).  And there are probably a couple where you want them to stop working the second the VPN goes down.

If you search you will find lots of VPN monitoring tools that purport to kill programs upon VPN disconnect.  However, not one of these will work if you've set up your VPN in your router, because they can't see the VPN at all.  All those programs can see is your router; they cannot tell whether the router has lost its VPN connection, so they cannot work as advertised.

So, those of us who have the VPN in the router have to implement the kill switch in the router.  Fortunately, DD-WRT's firewall can do this with a single iptables rule.

To prevent a machine from accessing the net when the VPN is not working:

-  Make sure the device you want to block has a static IP address
-  Go to DD-WRT home page
-  Go to Administration
-  Go to Commands
-  Paste the following command into the "Commands" box:

iptables -I FORWARD -s <ip-address> -o $(nvram get wan_iface) -j DROP 

-  Replace <ip-address> with the static IP of the device you want to STOP working if the VPN dies.
-  Click "Save Firewall"

The rule only matches traffic from that host which the router is about to forward out of the plain WAN interface.  While the VPN is up, the host's traffic leaves through the OpenVPN tunnel interface instead and never hits the rule; when the VPN drops and the router falls back to the bare WAN, every packet from that host is dropped.  "-I" inserts the rule at the top of the FORWARD chain, so it takes precedence over the accept rules that follow it, and DD-WRT reapplies saved firewall commands whenever it rebuilds the firewall, so the rule survives reboots.

To delete this rule later, click the "Edit" button (which will show up after the save), delete the command and click "Save Firewall" again.

To test, go to Services/VPN and disable the OpenVPN client, then click Save and Apply Settings, in that order.  The blocked machine should lose all internet access (but not local LAN access).  Re-enable the VPN to get it back, and you're all set.

I imagine the IP address might also be a subnet range, which would make it capable of blocking a whole range of devices.  I haven't tried it.
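The following script is an added example and not part of the original post: it generalises the single rule above to several hosts and to a whole subnet (iptables does accept CIDR notation such as 192.168.1.64/27 in "-s"), validates each entry so that only an address ever reaches the iptables command line, and prints the rules as a dry run unless APPLY=1 is set. The WAN interface name is read from "nvram get wan_iface" as in the post; the host list and the eth0 fallback are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: build (and optionally apply)
# DD-WRT kill-switch rules for several LAN hosts or a whole subnet at once.
# Assumptions: the plain WAN interface name comes from `nvram get wan_iface`
# as in the post; the source list below is constructed for illustration.

# Return 0 if $1 is a well-formed IPv4 address with an optional /prefix,
# so nothing but an address or subnet ever reaches the iptables command line.
valid_src() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;               # letters, spaces, dashes: reject
  esac
  addr="${1%%/*}"
  prefix="${1#*/}"
  [ "$prefix" = "$1" ] && prefix=32          # no slash: single host
  case "$prefix" in ""|*[!0-9]*) return 1 ;; esac   # "x/" or "x/a/b"
  case "$addr" in ""|.*|*.|*..*) return 1 ;; esac   # stray or doubled dots
  [ "$prefix" -le 32 ] || return 1
  count=0
  for octet in $(echo "$addr" | tr '.' ' '); do
    count=$((count + 1))
    [ "$octet" -le 255 ] || return 1
  done
  [ "$count" -eq 4 ]
}

# Print the iptables command that drops everything this source tries to
# forward out of the raw WAN interface. Tunnel traffic leaves via the tun
# interface, so it is untouched while the VPN is up.
kill_switch_rule() {
  valid_src "$1" || return 1
  printf 'iptables -I FORWARD -s %s -o %s -j DROP\n' "$1" "$2"
}

# Dry-run (default) or apply (APPLY=1) the rule for every source given.
# Malformed entries are reported and skipped rather than silently passed on.
apply_kill_switch() {
  wan="$1"; shift
  for src in "$@"; do
    if rule=$(kill_switch_rule "$src" "$wan"); then
      if [ "${APPLY:-0}" = 1 ]; then
        $rule                                # run on the router as root
      else
        echo "$rule"
      fi
    else
      echo "skipping malformed source: $src" >&2
    fi
  done
}

# Constructed sample: two single hosts and a /27 block of devices that must
# stop working the moment the VPN drops.
BLOCKED_SOURCES="192.168.1.50 192.168.1.51 192.168.1.64/27"

# On DD-WRT the WAN name comes from nvram; off the router fall back to eth0
# (an assumption for the dry run) so the rules still print.
WAN_IFACE=$(nvram get wan_iface 2>/dev/null) || WAN_IFACE=eth0
[ -n "$WAN_IFACE" ] || WAN_IFACE=eth0
apply_kill_switch "$WAN_IFACE" $BLOCKED_SOURCES
```

Pasted into the DD-WRT "Commands" box with APPLY=1 set at the top and saved with "Save Firewall", the loop installs one DROP rule per entry; run anywhere else it just prints them, which is a convenient way to review the list before touching the router. Testing is the same as for the single rule: disable the OpenVPN client and confirm that every listed host loses internet access while keeping LAN access.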