Asus RT-AX57 Go Kill switch


mark77

My travel router is set up in WISP mode; all devices are going through a WireGuard VPN.
I wanted to kill-switch all traffic when the VPN goes down.

How do I find the exact WireGuard VPN process to kill via ps in order to test the current setup?

When activating the VPN I can see it is running on 42877, but the process PID is 0:
/tmp/home/root# netstat -tulnp | grep 42877
udp 0 0 0.0.0.0:42877 0.0.0.0:* -
udp 0 0 :::42877 :::* -

With lsmod I can see wireguard as a kernel module.
Can I test the kill switch by removing it via
rmmod wireguard
?

I am afraid that if it goes down the traffic will continue over the WAN without the VPN.
Is there a way to configure the router (maybe via iptables) so that no traffic is let out of the VPN when accessing the WAN?

Thank you
 
I'm confused. You mention a "travel router", but the RT-AX57 is NOT technically a travel router. Are we talking about some other router here besides the RT-AX57?

The WG process should be pretty obvious from a dump of the process table (using the ps command). You can kill the process based on its PID (process ID) w/ the kill command (kill ####).

In the worst case, if the GUI doesn't provide a kill switch, or you just don't trust it for some reason, you can add the following iptables command to deny all routing from the LAN to the WAN.

Bash:
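# Interface of the default route: the word after "dev" (the last field may be a metric)
WAN_IF="$(ip route | awk '/^default/{for(i=1;i<NF;i++)if($i=="dev"){print $(i+1);exit}}')"
# Reject everything forwarded from the LAN bridge(s) directly out of the WAN interface
iptables -I FORWARD -i br+ -o "$WAN_IF" -j REJECT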
 
WireGuard resides in kernel space; it's not a running process.
 
Thank you for your answer. My new router is the model "RT-AX57 Go". I think there is also a 'non-travel' one that you mentioned, without the Go suffix :)
I have identified the interface via
wg show
then I have taken it down via
ip link set wgc4 down

The VPN is marked "Connecting..." and I can see my traffic going out to the WAN without VPN protection.

The ASUS UI for this router does not provide any kill switch option of any sort and it looks pretty simple. Unfortunately there is also no Merlin firmware available like I have on my home router... :(
That is why I was looking at manual iptables rules to set up, to be sure no traffic goes out when I am connected via WISP on a public internet.
Very strange that ASUS is not offering such an option to kill the traffic in a travel router's UI.

I will try those iptables rules, thanks eibgrad
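
Added example, not part of any post in this thread: a dry-run generator for the kill-switch rule discussed above, made idempotent and mirrored for IPv6. The sample route lines, `eth0` and the function names are constructed for illustration; the IPv6 rule assumes the firmware ships ip6tables with the REJECT target.

```shell
#!/bin/sh
# Added example (not from the thread): prints the kill-switch commands
# instead of running them, so they can be reviewed before being applied.
# SAMPLE_ROUTES is constructed `ip route` output, not taken from the router.
SAMPLE_ROUTES='default via 192.168.8.1 dev eth0 proto dhcp metric 100
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1'

# Read `ip route` output on stdin and print the default route's interface.
# Uses the word after "dev" because the last field may be a metric.
wan_if() {
    awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print one idempotent command per address family: "-C" checks whether the
# rule already exists, "-I" inserts it at the top of FORWARD only if not.
killswitch_cmds() {
    wan="$1"
    [ -n "$wan" ] || { echo "no default route found" >&2; return 1; }
    for ipt in iptables ip6tables; do
        spec="FORWARD -i br+ -o $wan -j REJECT"
        echo "$ipt -C $spec 2>/dev/null || $ipt -I $spec"
    done
}

# Dry run against the constructed sample when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    killswitch_cmds "$(printf '%s\n' "$SAMPLE_ROUTES" | wan_if)"
fi
```

On the router, `killswitch_cmds "$(ip route | wan_if)" | sh` applies the rules, after which the `ip link set wgc4 down` test can be repeated. The rule covers only traffic forwarded from the `br+` interfaces, not traffic the router itself originates, and it is lost on reboot.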
 
Can I ask, where does this kill switch code go? Should I be logging in via SSH to add this? I don't see a terminal in the UI.
Any plans to add this Go router to the Merlin list of routers?
Thanks
 
If you're using third-party firmware (e.g., Merlin, FT, DD-WRT), they always provide a means to add your own firewall rules, and make them persistent. But when using OEM firmware, that's rarely the case. I know ASUS *used* to provide a simple mechanism for executing some user-defined code (script) w/ their OEM firmware (configurable via SSH), but eventually removed the feature for security reasons.
 
Sadly, ASUS stock; firmware is not available from Merlin for this router as far as I am aware. I use and am familiar with DD-WRT; this is a friend's router I've configured for him to take away with him. Great little router I must say, just sadly missing a kill switch for the VPNs.
 
