KILLMON v1.1.2
Released February 29, 2024
Executive Summary: KILLMON is a shell script that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios:
- Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
- IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
- Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.
IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself.
KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking around your IP4 VPN tunnel over your WAN when it goes down.
REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)
LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.
KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).
This project is hosted on GitHub
Latest update notes available here
Changelog here | What's new: Now available in AMTM!, Minor fix, Initial release!
Screenshots:
Running with both IPv4 and IPv6 enabled
Running with IPv6 disabled at the router level:
IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!
I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress).
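The IPv6 leak described in the IMPORTANT NOTE above can be checked for by auditing both firewall tables. The script below is an added example, not part of the original post and not KILLMON's own code: the interface names (eth0 as WAN, br0 as LAN), the rule shapes, the function names and the sample dumps are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not KILLMON code. Interface names and rule shapes are assumed.
# Constructed sample dumps in iptables-save format (eth0 = WAN, br0 = LAN).
V4_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
V6_RULES_OPEN='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
V6_RULES_BLOCKED='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o eth0 -j DROP
COMMIT'

# has_wan_block WAN_IF RULES
# Succeeds if some FORWARD rule drops or rejects traffic leaving WAN_IF.
has_wan_block() {
    printf '%s\n' "$2" | awk -v wan="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            out = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o" && $(i - 1) != "!") out = $(i + 1)  # skip negated match
                if ($i == "-j") tgt = $(i + 1)
            }
            if (out == wan && (tgt == "DROP" || tgt == "REJECT")) found = 1
        }
        END { exit !found }'
}

# audit_killswitch WAN_IF V4_RULES V6_RULES IPV6_ENABLED(0|1)
# Prints one verdict: protected, ipv4-leak, ipv6-leak or unprotected.
audit_killswitch() {
    v4=leak; v6=leak
    if has_wan_block "$1" "$2"; then v4=ok; fi
    if [ "$4" = 0 ] || has_wan_block "$1" "$3"; then v6=ok; fi
    case "$v4/$v6" in
        ok/ok)   echo protected ;;
        ok/leak) echo ipv6-leak ;;
        leak/ok) echo ipv4-leak ;;
        *)       echo unprotected ;;
    esac
}

# Demo on the constructed data: IPv4 is blocked, IPv6 is not.
audit_killswitch eth0 "$V4_RULES" "$V6_RULES_OPEN" 1
```

On a live router the two dumps would come from `iptables-save -t filter` and `ip6tables-save -t filter`. The check only confirms that a blocking rule is present; an ACCEPT rule earlier in the chain can still take precedence, so rule order needs a separate look.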