KILLMON v1.1.2 -Feb 29, 2024- IP4/IP6 VPN Kill Switch Monitor & Configurator (Now available in AMTM!)

Hey, I'm a bit confused - most likely because there might be two different modes of killswitch operation in the two streams of firmware. I've got an RT-AC68U, so am stuck on 386.14_2. It seems to me that the kill switch functionality in that version is still of the type described in the changelog:
- Manually stopping a client will remove the kill
switch. It will now only be applied at boot time
(if client was set to start at boot), or if the
tunnel is disconnected through a non-user event

But from the tail end of this thread, it sounds like the kill switch for those of you on 388 acts in a much more conservative/cautious manner - ensuring that clients can access the internet *only* via the VPN tunnel, regardless of whether it was a manual user intervention or otherwise.

Have I understood things correctly?
Is there any hope that the updated kill switch functionality will be brought across to the 386 stream as one last parting gift before we're left north of the wall?
 
Hi, so am I right in saying you can't block for multiple, single IP4 addresses? Paranoid mode seems the most useful if I'm honest. One single IP doesn't do much and a range doesn't work on guest networks. I'm even finding it doesn't work on guest networks at all; specifically, it has no effect on YazFi. Tbh YazFi seems to have a killswitch for any guest routed through VPN anyways. Great script though!

Edit: How likely am I to run into issues where the killswitch fails for a technical reason? I use a service that requires only one IP address, otherwise I get banned. If it's likely it will shut down at an inopportune moment and IPs will change, I think I might use YazFi for this, as it shuts the internet down right away when VPN is tunneling. At least until you get the next release going with the 60 second checks ;)
 
Thanks... You can only block a single IP4 address, or a range of addresses (on the same subnet), or everything. I believe if you use CIDR notation, you would be able to extend a range beyond just a single subnet range... but I have personally never tried it with YazFi. Use at your own risk and test.

So this script is probably going to just get phased out since the functionality built within Merlin's VPN interface will take over for it, since it takes care of most people's issues.

Like mentioned above, you might have better luck just using the killswitch functionality you find under the VPN section in the Merlin UI. I found that iptables rules can get overwritten when making simple updates to Skynet or other scripts that update the iptables... which then throws KILLMON out of whack, and would require KILLMON to refresh its rules on top of these changes.

I had planned to build something into KILLMON to frequently check for rule changes to make corrections if something goes south, but I'm probably going to just discontinue this project at this point.

If there's a huge outcry, I might reconsider... but seeing this is probably easily taken care of with built-in killswitch functionality, I won't lose any sleep over this. ;)
 
Ahhh fair, sucks to see you move away from this but I guess everything has to die at some point! Crappy thing is, running the latest firmware for my equipment, 386.14, with the killswitch activated doesn't do a thing for me when the VPN disconnects. So in reality I might still have to use KILLMON sparingly.

Could also look to eventually upgrade equipment but not so sure I'd care to do it only for the killswitch.
 
@Viktor Jaep No need to lose sleep, but you are welcome to keep using that wonderful pioneering innovating spirit you got ;). Remember you got all of our support; after all, it is furniture that keeps this place lively! And anytime you get stuck, there are plenty of us who are willing to lend a hand.
 
Not knowing what router model you're on, but being on the 386.14x track certainly means you don't have much time left there either. Sounds like it might be on the EOL list (https://www.asuswrt-merlin.net/about).

KILLMON will continue working just fine as long as the iptables rules aren't being interfered with. So if your environment is relatively stable from experimentation, then you should be fine. ;)
 
So after a few cups of coffee later -- thanks for the brainworms @jsn2233 and @SomeWhereOverTheRainBow ;), I think I'm going to reverse my stance... I've been looking for something to do after I'm done with my studies here hopefully pretty soon, so I will look at modernizing KILLMON with a bunch of new features. KILLMON was a fun project for me, and as it now seems to fall in my area of personal/professional interest, I feel a bit drawn to it. I believe it will help complement and provide some alternatives compared to what is currently available in Merlin, and gives you a bit more control over what exactly you want to block.

This is what's on my to-do list... let me know if you or anyone else has any wishlist items when I get ready to revamp it.

Planned Enhancements
--------------------
* Allow for multiple ranges/single IPs (user-defined)
* Use a short loop to determine if killswitch rules are in place, if not, re-apply rules to minimize exposure
* Update UI per the new standards
* AMTM Email integration/notifications when killswitch activates/deactivates? (optional)
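
The "short loop" and "multiple ranges/single IPs" items above, sketched as an added example (not KILLMON's code and not part of the original post). It assumes the kill switch is a set of REJECT rules in the FORWARD chain for listed sources leaving via the WAN interface; the interface name, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: not KILLMON's code. Rule layout, interface and addresses are assumptions.
IPT="${IPT:-iptables}"     # netfilter command (overridable, e.g. for dry runs)
WAN_IF="${WAN_IF:-eth0}"   # assumed WAN interface name
# Constructed sample list: single IPs and CIDR ranges that must never exit via the WAN
BLOCKED_SRC="${BLOCKED_SRC:-192.168.50.10 192.168.50.128/25}"

# Verify every expected rule with -C (check); re-insert any that another
# script has flushed. Prints the number of rules that had to be re-applied.
ensure_killswitch() {
    fixed=0
    for src in $BLOCKED_SRC; do
        if ! $IPT -C FORWARD -s "$src" -o "$WAN_IF" -j REJECT 2>/dev/null; then
            # Insert at position 1 so the block is evaluated before any ACCEPT rule
            if $IPT -I FORWARD 1 -s "$src" -o "$WAN_IF" -j REJECT; then
                fixed=$((fixed + 1))
            fi
        fi
    done
    echo "$fixed"
}

# Short polling loop: log whenever rules had to be restored.
watch_killswitch() {
    interval="${1:-10}"
    while :; do
        n=$(ensure_killswitch)
        if [ "$n" -gt 0 ]; then
            logger -t killswitch-watch "re-applied $n missing rule(s)"
        fi
        sleep "$interval"
    done
}

# Run the loop only when asked to, e.g.:  sh watch.sh --watch 10
if [ "${1:-}" = "--watch" ]; then
    watch_killswitch "${2:-10}"
fi
```

The polling interval bounds how long traffic can leak after another script rewrites the chain. These rules are IPv4 only; an IPv6 kill switch would need the same check run against ip6tables.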
 
Glad you're back on the KILLMON saddle! I know it's addicting pumping out new features for your own tech and I look forward to test driving it myself 😃
 
Thanks for volunteering to test when it comes time! :)
 
