
Internet kill switch if VPN disconnects or is stopped for Shibby Tomato

Discussion in 'Tomato Firmware' started by Rockstead, Nov 14, 2013.

  1. Rockstead

    Rockstead Reformed Router Member

    So I almost have the perfect setup for my Linksys E4200.

    I'm using selective bypass for VPN connection, so specific IPs will bypass the VPN. http://www.linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/page-3

    The only thing I'm missing is a kill switch for when the VPN goes down or if the VPN service is stopped, I would like there to be no Internet activity.

    Has anyone created a script like that? Or can the selective bypass be modified to include it, or maybe a new script?

    Specifically I'm using this script from the above thread
    http://pastebin.com/download.php?i=sxzipj0v
     
  2. Emmet

    Emmet Reformed Router Member

    I think I am looking for the same thing -- a kill switch for when the VPN is not connected, there should be no internet connectivity. I do not need the selective bypass though.

    Did you or anyone else ever find a way to do a kill switch for VPN?
     
  3. eibgrad

    eibgrad Addicted to LI Member

    iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

    For selective bypass, you could further qualify this command w/ those ip addresses:

    iptables -I FORWARD -i br0 -s <ip-address> -o `nvram get wan_iface` -j DROP
     
    Last edited: Mar 14, 2014
    JohnnyPrimus likes this.
  4. Bird333

    Bird333 Network Guru Member

    These rules just stop traffic going out of the WAN but they are not contingent on the VPN being down. I don't really know anything about scripts but maybe you can come up with something that periodically checks if the VPN is up and if it is not then insert iptables rules to block traffic.
     
  5. eibgrad

    eibgrad Addicted to LI Member

    Why do these rules need to be contingent on the state of the VPN? The rules' only purpose is to dictate who can and can’t use the WAN (either everyone can, only some can, or no one can). That remains the same, regardless of the state of the VPN. The state of the VPN is only relevant to those who are denied access to the WAN (not a good day for them if the VPN is down).

    IOW, if your IP is denied access to the WAN, you had better hope the VPN is up and running. For everyone else, you can use either the WAN or VPN.

    What am I missing?
     
    Last edited: Mar 14, 2014
  6. Bird333

    Bird333 Network Guru Member

    The OP said he wanted it to be based on the state of the VPN unless I misunderstood his desire.
     
  7. eibgrad

    eibgrad Addicted to LI Member

    I still don't get it. Makes no sense. Again, the state of the VPN is irrelevant. If the VPN is up, these clients should be forced over the VPN. If the VPN is down, they shouldn't be allowed over the WAN. The OP is going to have to explain why what I've proposed is insufficient.
     
  8. JohnnyPrimus

    JohnnyPrimus LI Guru Member

    Thanks. This cleared up the last bit of this project for me. This also seems like it does exactly what OP is looking for, especially with selective source ips.
     
  9. Rockstead

    Rockstead Reformed Router Member

    Hi, easy to explain. I have satellite receivers and Netflix that are in a region outside USA but they must have a USA IP, which is where the VPN comes into play.

    It is important that the receivers don't have an Internet connection if the VPN service is physically down (could get banned), other devices such as Netflix can fallback to ISP.

    I use the bypass for devices that I don't want to use the VPN at all.

    So something that would be able to do all that.
     
  10. TomatoUSB

    TomatoUSB New Member Member


    Where do I add "iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP" in tomato?
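
The rules discussed in this thread, as an added example that is not from any poster: a small sh helper that builds the `FORWARD` DROP rules for a list of client addresses, validates them, and makes the rules safe to re-apply. It assumes the LAN bridge is `br0` as in the posts above; the client addresses in the usage comment are constructed placeholders, and where the output is run on the router (for example a firewall script) is an assumption the thread does not settle.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands for a
# per-client kill switch so they can be reviewed, then piped to sh.

# valid_ipv4 ADDR: succeeds only for a dotted-quad IPv4 address
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; digits and dots only, so no globbing
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Firewall scripts get re-run, so delete any earlier copy before inserting.
emit_rule() {
    echo "iptables -D FORWARD $1 2>/dev/null"
    echo "iptables -I FORWARD $1"
}

# killswitch_rules WAN_IF [CLIENT_IP...]
#   no addresses: nobody on br0 may use the WAN (the first rule in the thread)
#   addresses:    only those clients are barred; the rest can fall back to WAN
killswitch_rules() {
    wan_if=$1
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "error: bad WAN interface" >&2; return 1 ;;
    esac
    shift
    if [ $# -eq 0 ]; then
        emit_rule "-i br0 -o $wan_if -j DROP"
        return 0
    fi
    # Validate every address first so a typo never yields a partial rule set.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "error: bad address '$ip'" >&2; return 1; }
    done
    for ip in "$@"; do
        emit_rule "-i br0 -s $ip -o $wan_if -j DROP"
    done
}

# Usage on the router (addresses are constructed placeholders):
#   killswitch_rules "$(nvram get wan_iface)" 192.168.1.50 192.168.1.51 | sh
```

Because the listed clients are denied the WAN unconditionally, they have connectivity only while the VPN tunnel is up, with no polling of the VPN state needed.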
     
