What's new

KILLMON KILLMON v1.1.2 -Feb 29, 2024- IP4/IP6 VPN Kill Switch Monitor & Configurator (Now available in AMTM!)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

As I understand it, a client under killmon cannot access WAN for some local services (with VPN director) while connected to VPN. For example the local IP TV service. Even if this is not possible, it is still a very good job, thank you! đź‘Ź
 
As I understand it, a client under killmon cannot access WAN for some local services (with VPN director) while connected to VPN. For example the local IP TV service. Even if this is not possible, it is still a very good job, thank you! đź‘Ź
It actually doesn't matter if you're running a VPN or not. If you have enabled killmon, it will block all traffic going out through the WAN for the specific IP address, IP range, or even all local IPs on your network... Once a VPN connection becomes available, traffic would flow again. If you need certain devices to get out no matter what, I would probably utilize the range feature, so you can exclude some (like the Local IP TV service) from getting onto the WAN if your VPN goes down.
 
Does anybody use KILLMON in IP Range mode with different subnests network like /21 ? For some reason it doesn't work in my environment with KILLMON, so I want to see if this scenario is foreseen and is more related to my enviroment.

My subnet mask is 255.255.248.0 or /21 so I am using 192.168.1.1-192.168.4.254 for WAN connection and IP range devices 192.168.5.1-192.168.5.253 for VPN connection. With kill switch script (by @eibgrad) and with the VPN director configured for the above scenario it works fine.

Thanks
 
Asus routers only support /24.
 
Does anybody use KILLMON in IP Range mode with different subnests network like /21 ? For some reason it doesn't work in my environment with KILLMON, so I want to see if this scenario is foreseen and is more related to my enviroment.

My subnet mask is 255.255.248.0 or /21 so I am using 192.168.1.1-192.168.4.254 for WAN connection and IP range devices 192.168.5.1-192.168.5.253 for VPN connection. With kill switch script (by @eibgrad) and with the VPN director configured for the above scenario it works fine.

Thanks
Unless someone chimes in otherwise... from what I've been able to find with iptables, if you use the IP - IP notation, it seems like it can only be within a /24. However, if you go with CIDR, then it looks like you could go beyond the /24, as I've seen examples of /16 and whatnot.
 
Customary update to bring KILLMON's versioning alongside my other scripts and remove VPNMON-R2 integrations... Again, I have created a "develop" branch on Github in case anyone wants to contribute to the project as I recently did with VPNMON-R3 and BACKUPMON. I do have some plans for KILLMON in the future, and make it much more flexible, being able to handle multiple ranges, IPs, etc... so stay tuned! :)

What's new?
v1.1.2 - (February 29, 2024)
- MINOR:
Removed integration with VPNMON-R2, and all references to it in the code. As VPNMON-R2 has been sunset, there are currently no plans of integrating any KILLMON indicators into VPNMON-R3. May look at building some killswitch functionality into R3 in the future.
- PATCH: Changed the versioning logic to align with the general accepted way of versioning, using the notation: major.minor.patch ... finally, right? After seeing @thelonelycoder changing his ways, I figured it was probably time for me as well. All my scripts moving forward will go this route. Change log wording is now changed to conform to the major/minor/patch standards. So previously, FIXED now conforms to PATCH, ADDED conforms to MINOR, and MAJOR stays the same!
- PATCH: Fixed some of the look/feel of the interface, and brings it in line with some of my other tools, such as BACKUPMON, WXMON and RTRMON.

Download link (or update directly within AMTM or KILLMON itself):
Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon.sh" -o "/jffs/scripts/killmon.sh" && chmod 755 "/jffs/scripts/killmon.sh"

Significant Screenshots:

Vanilla KILLMON v1.1.2! :)
1709260886036.png
 
I do have some plans for KILLMON in the future, and make it much more flexible, being able to handle multiple ranges, IPs, etc... so stay tuned!
That's good news for the people who think a killswitch should be exactly what it says..
Glad to have KILLMON now.
I had a rule in the firewall-start script, this is about the same but more convenient.
And if you are able to combine a range with a single ip adress it would be still more awesome.
Thanks
 
That's good news for the people who think a killswitch should be exactly what it says..
Glad to have KILLMON now.
I had a rule in the firewall-start script, this is about the same but more convenient.
And if you are able to combine a range with a single ip adress it would be still more awesome.
Thanks
That's the plan... for multiple ranges, multiple single IPs, mix of both, IPv4/IPv6... should be awesome when completed! :)
 
KILLMON v1.1.2
Released February 29, 2024

Executive Summary: KILLMON is a shell script that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)

LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Latest update notes available here

Changelog here | What's new: Now available in AMTM!, Minor fix, Initial release!

Screenshots:
Running with both IPv4 and IPv6 enabled
View attachment 47386

Running with IPv6 disabled at the router level:
View attachment 47387

IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
Victor can I run the following curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-0.4.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh" from somewhere in my Asus RT-AX88u router? I am a novice

Thanks in advance
 
Victor can I run the following curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-0.4.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh" from somewhere in my Asus RT-AX88u router? I am a novice

Thanks in advance
Hi @audioquest ... The easiest thing to do is to open up an SSH command prompt, and just type:

AMTM

From there, you can find available scripts to download (press "i"), and KILLMON is one of these.

Alternatively, you could drop this command in your SSH window, and hit enter:

Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon.sh" -o "/jffs/scripts/killmon.sh" && chmod 755 "/jffs/scripts/killmon.sh"
 
When I open Putty and enter AMTM , unable to open connection , host does not exist
PuTTY requires you to create a profile containing your router IP address, port and optionally router username and password. Once you've made a connection, you would be able to enter commands.

Try this
 
Last edited:
Victor, IP range in setup - 192.168.1.50-192.168.1.60 My IP range is different , using different subnet
You can change it to your needs!
 
it

is not accepting rl (define ip range) rl 192.168.11.0/24
Like this?

1709685704223.png


It's r + 1... like a one. Not an l (L)...

I might change this to make it more obvious and less prone to error in the near future...
 
Victor, IP range in setup - 192.168.1.50-192.168.1.60 My IP range is different , using different subnet
Thanks for your assistance, I just couldn't get it to work. I setup, specified ip4 range, turned off service state, still able to access internet.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top