DD-WRT – Block Traffic When the VPN Conection Fails

I did a bunch of research and testing and found a solution for a hardware like kill switch within DD-WRT. This is where you want to basically block traffic when the VPN conection fails or gets blocked for many reasons.

This was some of the things I tested for:

1. When the OpenVPN process dies all LAN/wireless traffic will not leak to the WAN port and bypass the VPN tunnel.
2. When the router boots up LAN/wireless traffic will not leak to the WAN port and bypass the VPN tunnel.
3. When OpenVPN is blocked downstream, ex. blocking UDP 1194, LAN/wireless traffic will not leak to the WAN port and bypass the VPN tunnel.
4. Unplugging/plugging any port on the router will not cause LAN/wireless traffic to leak to the WAN port and bypass the VPN tunnel.

I use a regular router, router #1, downstream (Fios router from Verizon) and use DD-WRT, router #2, only when I want to use the VPN. I connect the WAN port of the DD-WRT router into the LAN port of the Fios router. I then manually connect devices which I want to use the VPN into the LAN ports OR associate them with the wireless AP in the DD-WRT router.

If you only wanted to use one router and not two as I have described above, then you would need to use a policy based solution where some devices would tunnel over the VPN and other you could selectively allow to bypass the VPN. See my comments at the very end for this solution.

These are the firewall commands I added to my WZR-HP-G300NH v1┬árouter (ADMINISTRATION – COMMANDS):

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o eth1 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Make certain you click “Save Firewall”.

The last line is a duplicate from the OP, but doesn’t seem to cause any issue. I also own a whr-g54s which required the same above command, but eth1 was replaced with vlan1. Each router will have different interfaces, so these firewall commands might be different for your router. You can use the route command to see what interfaces you have.

This is where I found this information: https://airvpn.org/topic/4287-how-to-block-all-traffic-with-dd-wrt-if-vpn-connection-fails/

For a policy based solution where you want to allow some machines to go around the VPN, go here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=777788

 

I double posted this on PIA forums:

https://www.privateinternetaccess.com/forum/discussion/comment/22021/#Comment_22021

Leave a Reply