fawkesguy 0 Posted ...

Hello everyone, I'm running DD-WRT on x86 hardware. OpenVPN is configured and connects to AirVPN without issue. Here's what I'm trying to achieve: All devices on my network go through my DD-WRT router and AirVPN. Let's say I want one device on my network to bypass the VPN. If I put 192.168.1.100 in the "Policy Based Routing" box on the OpenVPN configuration screen, that IP bypasses the VPN, as it should. What I would like to do is set it up so if the VPN goes down, all VPN traffic will stop, while still allowing the non-VPN traffic through the router.

Here is what I have in my firewall:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Now, if I add the rule "iptables -I FORWARD -i br0 -o eth0 -j DROP" that will stop all traffic that is non-VPN. That would be fine if I didn't want a few devices to bypass the VPN. If I use that rule, the IP address I add in the "Policy Based Routing" box is blocked.

What rules do I need to set to allow traffic to bypass the VPN and stay up if the VPN drops, but that will also block the other clients on my network if the VPN drops? I hope that makes sense. Any help would be greatly appreciated. Thank you!
////////////////////////// 3 Posted ...

You need to use vlans, and then in your firewall script replace br0 with whatever vlan you want to go through VPN
fawkesguy 0 Posted ...

> You need to use vlans, and then in your firewall script replace br0 with whatever vlan you want to go through VPN

Hmmmm....that's way beyond my meager skills. If someone could point me to a Howto or walk me through it, that would be great.
Spronky 0 Posted ...

I am also struggling with vlans. I have noticed that other VPN providers provide a kind of "killswitch" in case a VPN goes down, but that looks like an inelegant solution and seems to require either a local proxy or some other software to be loaded by the client machine. I am looking for a way to do this connection blocking at a network level without affecting normal (non-you-know-what) traffic.

I have looked through LOTS of online information on the subject of vlans and am now more confused than ever.

Any help in educating my idiot self would be greatly appreciated.

Thanks,
Susi
fawkesguy 0 Posted ...

OK, I found a solution that works for me. I have several devices that I want to bypass the VPN, and several that I want to go through the VPN. I wanted to make sure that if the VPN connection is lost, the devices going through the VPN will be blocked, with no leaks. Here is how I'm doing it.

First off, I'm using static DHCP leases for everything on my network. DNS leaks are not an issue because the DNS servers are specified in DD-WRT. IP addresses that I want to bypass the VPN are simply listed in the "Policy Based Routing" box in DD-WRT.

Here's what I have in my firewall (IP addresses and port numbers have been replaced with x's):

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I FORWARD ! -o tun1 -s xxx.xxx.x.xx -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p udp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p udp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p udp --dport xxxx7 -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p udp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx
iptables -t nat -I PREROUTING -i tun1 -p udp --dport xxxx -j DNAT --to-destination xxx.xxx.x.xx

So those "DROP" lines are the machines that are going through the VPN. They are forced to use tun1. If tun1 is unavailable (if the VPN disconnects), any packets from those addresses are dropped. It probably isn't the most elegant solution, but it works perfectly.
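The per-host kill switch described in the post above, written out as a DD-WRT firewall script so that the list of VPN-only clients lives in one variable instead of nine hand-copied lines. This is an added example, not the poster's own script: the interface names (tun1 for the VPN, br0 for the LAN) come from the thread, while the client addresses in VPN_ONLY are constructed sample values and the `add_rule` helper is my addition. It uses `iptables -C` so that re-running the script (DD-WRT re-runs the firewall script on every WAN change) does not stack duplicate rules, and setting IPT=echo prints the commands instead of applying them so the rule set can be inspected on any machine.

```shell
#!/bin/sh
# Added example for the DD-WRT firewall script (not the poster's rules).
# Assumptions: VPN tunnel is tun1, LAN bridge is br0. VPN_ONLY holds the
# LAN hosts that must never leave through anything but the tunnel; the
# addresses below are constructed samples. Devices that should bypass the
# VPN are NOT listed here; they go in DD-WRT's "Policy Based Routing" box.
#
# Usage:  sh killswitch.sh apply            # install the rules
#         IPT=echo sh killswitch.sh apply   # dry run: print the commands

IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun1}"
LAN_IF="${LAN_IF:-br0}"
VPN_ONLY="${VPN_ONLY:-192.168.1.50 192.168.1.51 192.168.1.52}"

# add_rule TABLE CHAIN RULE...  -- insert the rule at the top of CHAIN unless an
# identical rule already exists (iptables -C exits 0 when it finds one).
# With IPT=echo the check is skipped and the command is printed instead.
add_rule() {
    table=$1; shift
    if [ "$IPT" = "echo" ]; then
        echo "iptables -t $table -I $*"
        return 0
    fi
    "$IPT" -t "$table" -C "$@" 2>/dev/null || "$IPT" -t "$table" -I "$@"
}

apply_killswitch() {
    # Baseline from the thread: forward LAN<->tunnel, NAT out of the tunnel,
    # refuse connections from the tunnel to the router itself.
    add_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    add_rule filter INPUT -i "$VPN_IF" -j REJECT
    add_rule nat POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # Kill switch: a packet from a VPN-only host that is about to leave via
    # any interface other than the tunnel is dropped. While tun1 is up the
    # VPN routes win and the rule never matches; when tun1 goes down the
    # kernel falls back to the WAN route, the packet now matches ! -o tun1,
    # and it is dropped rather than leaking out of eth0.
    for ip in $VPN_ONLY; do
        add_rule filter FORWARD ! -o "$VPN_IF" -s "$ip" -j DROP
    done
}

case "${1:-}" in
    apply) apply_killswitch ;;
esac
```

Because every rule is inserted with `-I`, the DROP rules end up above the ACCEPT rules in FORWARD; that ordering is harmless here since the two sets match disjoint output interfaces. One thing to check after a VPN drop is `iptables -vnL FORWARD`: the packet counters on the per-host DROP rules should climb while the counters on the bypass hosts' traffic (which never matches them) keep flowing through the default policy.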