I have an ASUS N66U

I have configured the WAN interface to use a VPN Client to connect to a 3rd party VPN Server, so that all NAT LAN connected device traffic is routed through the 3rd party VPN server.

But if the 3rd party VPN server goes down, or the connection is otherwise lost or broken, the Asus N66U will route directly from the WAN connection using e.g. my ISP.

How can I stop my Asus N66U from routing any traffic on the WAN port if the VPN connection is down?

  • @[email protected] · 1 month ago

    At the very least you will need to allow it to route VPN traffic on that port, otherwise your VPN connection won’t work and/or won’t be re-established.

    • @jaybone (OP) · 1 month ago

      I want it to drop all connections if it is not on the vpn.

      • @[email protected] · 1 month ago

        It can never be on the VPN if the outer, encrypted VPN packets are not allowed on the connection. I mention it because it is one of the more complex bits to handle about your requirement, depending on whether you always connect to the same IP via VPN or need to connect to a dynamic peer, possibly one you need to look up via DNS first.

        • @jaybone (OP) · 30 days ago

          The router will need to look up the IP address of the vpn server using DNS. None of the other clients on the LAN should be doing that. Point is I only want the other client devices to have access to the outside world if the VPN is connected. If it is somehow disconnected, I don’t want those other LAN client devices to access the internet.

          • @[email protected] · 29 days ago

            Ah, so you don’t care about software running locally on the router being able to access things without the VPN but do care if routed traffic does? You might also want to consider whether the router offers services like a caching DNS server, an HTTP or SOCKS proxy, … that might look like local traffic to the network layer, because a local process initiates connections at the instruction of some other system.

  • @[email protected] · 1 month ago (edited)

    I accomplished this by setting a firewall rule to block all outbound traffic on that interface except to the VPN and the LAN.

    • @jaybone (OP) · 30 days ago

      Thanks! That makes sense. I’ll give this a try.

  • @jaybone (OP) · 8 days ago

    To answer my own question, in the hope that maybe it helps someone else…

    So I tried

    • OpenWrt
    • DD-WRT
    • Tomato
    • Merlin

    Finally I found Merlin. Merlin let me configure OpenVPN with a .ovpn file.

    There is an option “Redirect Internet Traffic” you can set to “Policy Rules”

    You can use CIDR notation to specify all client IPs on the subnet, e.g. 192.168.1.0/24, destination 0.0.0.0

    And you can select “Block routed clients if tunnel goes down”

    See also: https://www.snbforums.com/threads/vpn-what-does-redirect-internet-traffic-all-do.56145/

    Also search for: killswitch
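
What the Merlin "Block routed clients if tunnel goes down" option and the earlier "block all outbound on the WAN interface except the VPN and the LAN" firewall rule amount to, written out as iptables rules for a Linux-based router. This is an added example, not code from the thread, from the OP or from the Asuswrt-Merlin project; the interface names (eth0 for WAN, tun11 for the OpenVPN client), the LAN subnet and the VPN endpoint vpn.example.net:1194/udp are assumptions to be replaced with the router's real values. Routed LAN clients are allowed out only through the tunnel interface (the OP's actual requirement), and, stricter than the OP asked for, the router's own traffic on the WAN port is limited to DHCP, DNS (so it can resolve the VPN server, as discussed above) and the VPN handshake itself. The REJECT for the WAN interface is placed before any ESTABLISHED match in the FORWARD chain on purpose, so a flow that was started through the tunnel cannot be re-routed out the WAN port when the tunnel drops.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): an iptables
# VPN "kill switch" for a Linux-based router.  Routed LAN clients may only
# leave via the tunnel; the router itself may only use the WAN port for
# DHCP, DNS and the VPN endpoint.  All names below are assumptions.
LAN_NET_DEFAULT="192.168.1.0/24"    # LAN subnet, as in the thread
WAN_IF_DEFAULT="eth0"               # assumed WAN interface name
TUN_IF_DEFAULT="tun11"              # assumed OpenVPN client interface
VPN_HOST_DEFAULT="vpn.example.net"  # assumed VPN server (resolved by the router only)
VPN_PORT_DEFAULT="1194"
VPN_PROTO_DEFAULT="udp"

# Print the rules without applying them.
# Args: LAN_NET WAN_IF TUN_IF VPN_HOST VPN_PORT VPN_PROTO (all optional)
killswitch_rules() {
  lan="${1:-$LAN_NET_DEFAULT}"; wan="${2:-$WAN_IF_DEFAULT}"; tun="${3:-$TUN_IF_DEFAULT}"
  host="${4:-$VPN_HOST_DEFAULT}"; port="${5:-$VPN_PORT_DEFAULT}"; proto="${6:-$VPN_PROTO_DEFAULT}"
  cat <<EOF
# --- routed LAN clients (FORWARD): tunnel or nothing ---
iptables -N VPN_KILL 2>/dev/null || iptables -F VPN_KILL
iptables -A VPN_KILL -s $lan -d $lan -j RETURN
iptables -A VPN_KILL -s $lan -o $tun -j RETURN
iptables -A VPN_KILL -s $lan -o $wan -j REJECT --reject-with icmp-admin-prohibited
iptables -D FORWARD -j VPN_KILL 2>/dev/null
iptables -I FORWARD 1 -j VPN_KILL
# --- the router's own traffic (OUTPUT) on the WAN port: only what the tunnel needs ---
iptables -N VPN_KILL_OUT 2>/dev/null || iptables -F VPN_KILL_OUT
iptables -A VPN_KILL_OUT -o $wan -p udp --sport 68 --dport 67 -j RETURN
iptables -A VPN_KILL_OUT -o $wan -p udp --dport 53 -j RETURN
iptables -A VPN_KILL_OUT -o $wan -p tcp --dport 53 -j RETURN
iptables -A VPN_KILL_OUT -o $wan -p $proto -d $host --dport $port -j RETURN
iptables -A VPN_KILL_OUT -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A VPN_KILL_OUT -o $wan -j REJECT --reject-with icmp-admin-prohibited
iptables -D OUTPUT -j VPN_KILL_OUT 2>/dev/null
iptables -I OUTPUT 1 -j VPN_KILL_OUT
EOF
}

# Apply the rules on the router (root + iptables required); "-d host" is
# resolved by iptables when the rule is inserted, so DNS must already work.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
  killswitch_rules "$@" | sh -e
}

case "${1:-}" in
  apply) shift; apply_rules "$@" ;;
  show)  shift; killswitch_rules "$@" ;;
esac
```

Run `sh killswitch.sh show` to review the generated rules and `sh killswitch.sh apply 192.168.1.0/24 eth0 tun11 vpn.example.net 1194 udp` on the router to install them, ideally from whatever hook the firmware runs on firewall reload (Merlin's /jffs/scripts/firewall-start user script) so a reboot does not silently drop the rules. Two caveats: a router-local caching resolver that forwards LAN clients' DNS queries upstream uses the port-53 allowance in OUTPUT, which is exactly the "local process acting for another system" leak the earlier reply warned about, so point the resolver at servers reached through the tunnel; and these are IPv4 rules only, so either disable IPv6 on the WAN side or add the equivalent ip6tables rules.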