OpenVPN Client Killswitch

Started by Amanaki, January 14, 2019, 03:11:49 AM

Hi all,

May seem like a simple question but I would really appreciate some help with this post I created many weeks ago.

https://forum.opnsense.org/index.php?topic=10533.msg48173#msg48173

In simple terms, I need to stop any traffic from being routed to the clearnet if my VPN client connection fails or drops out for some reason.

Any help would be greatly appreciated please.

Thanks,
Amanaki

In theory you can do this with firewall rules.  I do however have a few more specific questions for you.

1.  Are you looking to restrict a single host to VPN only or the entire network? - the answer to this question would determine what rules to use.
2. Do you establish VPN connectivity via an IP address or a hostname (which must be resolved via DNS)?  - the answer to this question would determine if DNS should be included or excluded from the kill switch (if I need DNS working to resolve my VPN hostname I can't include it within the kill switch).

I would also suggest looking into DNS encryption as normal DNS is in plain text and gives your ISP insight into where you are going (unless DNS is forced through VPN).

Please advise.

Thanks

January 14, 2019, 04:17:39 AM #2 Last Edit: January 14, 2019, 04:45:16 AM by Amanaki
Hi abalsam,

Quote: 1. Are you looking to restrict a single host to VPN only or the entire network? - the answer to this question would determine what rules to use.

My setup includes LAN and a number of VLANS. I have three VPN clients running. Only two networks require clearnet WAN access. All others are VPN connected and I want none of them to pass traffic to the clearnet if any of the connections drop.

Quote: Do you establish VPN connectivity via an IP address or a hostname (which must be resolved via DNS)? - the answer to this question would determine if DNS should be included or excluded from the kill switch (if I need DNS working to resolve my VPN hostname I can't include it within the kill switch).

I use ExpressVPN and use hostnames for connections which as you pointed out, require DNS resolution.

On the note of DNS, I am using DNScrypt-proxy with unbound.

Also, for my NAT, I have changed it to manual and have tried to jimmy a killswitch using NAT, but I am not sure if it does anything. I enclosed a screenshot for you.

Thanks for helping :-)

So you are running 3 OpenVPN client instances on the OPNsense server and routing to them via NAT? It also sounds like you have one network that you do not route through the VPN, is that correct?

January 14, 2019, 04:40:21 AM #4 Last Edit: January 14, 2019, 04:42:25 AM by Amanaki
Yes, that is right.

I have two networks (VLAN40 + VLAN10) for my teenage boys who game a lot. It has UPnP for gaming and all, so I just isolate them and allow all traffic to WAN directly through the ISP.

First, I am reading through an older thread on a similar issue: https://forum.opnsense.org/index.php?topic=4979.msg25066#msg25066. Yes, it is a bit dated, but it has interesting suggestions. The other thing I would try is on the firewall rules for the VLANs you are trying to secure: I would try adding floating rules (outbound from the firewall) blocking all traffic that is not being routed through the appropriate gateway. In theory, if you do one floating rule per VLAN/VPN denying everything that is unexpected, I believe it would function as a kill switch.

Worth testing.
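As an added illustration of the "one floating rule per VLAN/VPN" idea (not a config posted in this thread), here is the pf.conf equivalent of what such rules do; the OPNsense GUI exposes the same behaviour through a rule's tag / "match local tag" options. Interface names, the VLAN subnet and the tag name are assumptions.

```pf
# Added example (not from the thread): pf fragment approximating one
# "floating rule per VLAN" kill switch. Names and subnets are assumptions.
wan_if     = "igb0"
vlan20_if  = "igb1_vlan20"       # a VPN-only VLAN
vlan20_net = "10.20.0.0/24"
vpn20_if   = "ovpnc1"            # tunnel this VLAN is policy-routed into

# Tag every packet entering from the VPN-only VLAN. The tag survives
# outbound NAT, which is why the WAN rule below matches on it rather than
# on the source subnet (pf applies NAT before outbound filtering, so a
# source-based rule on WAN would see the translated WAN address instead).
match in on $vlan20_if from $vlan20_net tag VPN_ONLY_20

# If the tunnel goes down, routing falls back to the default route and the
# packet would leave on WAN. 'quick' makes the block final so no later pass
# rule can override it. This is the kill switch.
block out quick on $wan_if tagged VPN_ONLY_20

# Traffic that really does leave through the tunnel is unaffected.
pass out on $vpn20_if tagged VPN_ONLY_20

# The firewall's own traffic (DNSCrypt-proxy upstream queries, the OpenVPN
# client resolving and reaching its endpoint by hostname) is never tagged,
# so name resolution keeps working and the client can reconnect.
```

To check it, stop the OpenVPN client instance and confirm that a host on the tagged VLAN can no longer reach anything on the internet while the firewall itself still can.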

Hey thanks. I looked at the previous thread and I noticed a lot of people had issues with it. Also, it does not make any mention of unbound and dnscrypt-proxy either so I wonder if it is a viable option to pursue for my use case.

Regarding your suggestion of floating rules, I do not have any experience with using floating rules at this point. Do you have a sample I could refer to, or something at least to help get me started in the right direction?