KILLMON v1.1.2 -Feb 29, 2024- IP4/IP6 VPN Kill Switch Monitor & Configurator (Now available in AMTM!)

Viktor Jaep

KILLMON v1.1.2
Released February 29, 2024

Executive Summary: KILLMON is a shell script that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)

LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Latest update notes available here

Changelog here | What's new: Now available in AMTM!, Minor fix, Initial release!

Screenshots:
Running with both IPv4 and IPv6 enabled


Running with IPv6 disabled at the router level:


IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
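
The IPv6 note above can be checked against the router's own rule listings. As an added example (not KILLMON's code and not from this thread), the shell functions below read `iptables -S FORWARD` and `ip6tables -S FORWARD` style output and report whether each address family has a LAN-to-WAN block and how wide it is. The `eth0` WAN name, the `br` interface prefix match and the rule shapes in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not KILLMON code. Assumptions: LAN traffic enters on an
# interface starting with "br", the WAN interface name is supplied by the
# caller, and a block is a REJECT or DROP rule in FORWARD. Rule order (an
# earlier ACCEPT that would win) is not evaluated.

# block_scope RULES WAN_IF: print the widest LAN-to-WAN block found in an
# `iptables -S FORWARD` style listing: all, range, single or none.
block_scope() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        BEGIN { best = 0; split("single range all", name, " ") }
        $1 == "-A" && $2 == "FORWARD" {
            inif = ""; outif = ""; tgt = ""; src = ""; rng = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") inif = $(i + 1)
                if ($i == "-o") outif = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "--src-range") rng = $(i + 1)
            }
            if (inif !~ /^br/ || outif != wan) next
            if (tgt != "REJECT" && tgt != "DROP") next
            rank = 3                      # no source match: all LAN traffic
            if (src != "") rank = (src ~ /\/(32|128)$/ || src !~ /\//) ? 1 : 2
            if (rng != "") rank = 2       # iprange match: a range of hosts
            if (rank > best) best = rank
        }
        END { print (best ? name[best] : "none") }'
}

# audit_killswitch V4_RULES V6_RULES WAN_IF: report both families; return 1
# when IPv4 is blocked but IPv6 is not (only a leak if IPv6 is enabled).
audit_killswitch() {
    v4=$(block_scope "$1" "$3")
    v6=$(block_scope "$2" "$3")
    echo "IPv4 block scope: $v4"
    echo "IPv6 block scope: $v6"
    [ "$v4" != "none" ] && [ "$v6" = "none" ] && return 1
    return 0
}

# Constructed sample listings (not captured from a real router).
SAMPLE_V4='-P FORWARD DROP
-A FORWARD -i br+ -o eth0 -m iprange --src-range 192.168.50.100-192.168.50.150 -j REJECT
-A FORWARD -i br0 -o tun11 -j ACCEPT'
SAMPLE_V6_OPEN='-P FORWARD DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT'
SAMPLE_V6_BLOCKED='-P FORWARD DROP
-A FORWARD -i br+ -o eth0 -j REJECT --reject-with icmp6-port-unreachable'

# On a router: audit_killswitch "$(iptables -S FORWARD)" "$(ip6tables -S FORWARD)" eth0
audit_killswitch "$SAMPLE_V4" "$SAMPLE_V6_OPEN" eth0 || echo "IPv6 bypasses the IPv4 kill switch"
```
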
 

How is this script supposed to run?​

I would recommend running this script in its own SSH window from a PC that's connected directly to the Asus router. It's not meant to run continuously, as you would just run it to check on kill switch status, or to make modifications to the kill switch rules. Instructions:
  1. Download using your favorite SSH tools, copy & paste this command (-OR- download/install directly from within AMTM!):
    Code:
    curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon.sh" -o "/jffs/scripts/killmon.sh" && chmod 755 "/jffs/scripts/killmon.sh"
  2. Configure it using this command:
    Code:
    sh /jffs/scripts/killmon.sh -setup
  3. Run it standalone in an SSH window with this command:
    Code:
    sh /jffs/scripts/killmon.sh -monitor
  4. To make it even easier, simply execute the script name with the commandline switch, like so:
    Code:
    killmon -setup
    -or-
    killmon -monitor
    -or you can just run by just typing in the script name itself-
    killmon
    etc...
Do I need to configure anything?

You can enter the setup screen with the command 'killmon.sh -setup' or by hitting the "s" key in the main UI:


First time setup will guide you on installing any Entware dependencies. Enjoy! Stay safe!! :)
 
So this is working great!! The only thing is for me that using this with x3mrouting seems to only work when I don't enable reboot protection - "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

If I leave this feature disabled & instead use a bad config on client 5 with auto start enabled at boot it functions perfectly. Meaning if I stop a client now the kill switch is on and the devices in the range I configured in your script can't connect to wan. Then when I turn them back on it works and the clients can connect even having x3mrouting rules applied. Wish there was a way reboot protection could work when x3mrouting is installed but I'm fine with just doing that makeshift auto start client 5 with a bad config to keep the clients disconnected at reboot.
 
KILLMON v0.3 (Preview)
Released November 13, 2022

Executive Summary: KILLMON is a shell script (using the same look & feel of VPNMON-R2, RTRMON and PWRMON) that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Changelog here | What's new: <coming soon>

Screenshots:

KILLMON is designed to work standalone to provide protection with whatever VPN setup you choose to use... but it does integrate nicely with VPNMON-R2, and will display current protection stats on the main VPNMON-R2 UI:


IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
Awesome work! You have done it again!
 
Awesome! I'm really glad things are working, and sorry you still have to use the same workaround for the x3mrouting script. There is definitely something in conflict there... If you can still find a moment after x3mrouting has done its thing to run "killmon -protect", then at least you can enjoy a little automation without having to manually get things back in order? Or maybe alter the command to include a sleep statement and make sure it runs after the x3mrouting start up statement? Like this?

Code:
Editing your 'firewall-start' file under /jffs/scripts, add this line:

(sleep 30 && /jffs/scripts/killmon.sh -protect) &
 
Thanks for the suggestion but it didn't work =(... The script works great it seems if I don't add anything to firewall-start.
 
I will add a note to the requirements/limitations section in the OP that there's an incompatibility with x3mrouting... thanks @ComputerSteve!
 
Looking good!

For a future update, I think to make it YazFi compatible all you'll probably need is to add wl interfaces to the firewall rules you implement in addition to the br+ stuff.
Hey @Jack Yaz ... wanted to let you know that YazFi actually continues working just fine without any issue even with KILLMON rules in place! Whoo! ;)
 
Small update to v0.4 today... I figured... why display all the extraneous IPv6 stuff if you have it disabled at the router level? So now the UI adjusts to remove all the IPv6 info if it's already disabled, and just leaves you with everything you need to manage the IPv4 kill switch.



Download Link:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-0.4.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"
 
Thanks Viktor, I will play around with this. Appreciate your response to my post earlier.
 
Absolutely! Let me know if I can assist in any way, okay?
 
KILLMON v0.4 (Preview)
Released November 15, 2022

Executive Summary: KILLMON is a shell script (using the same look & feel of VPNMON-R2, RTRMON and PWRMON) that provides additional VPN kill switch capabilities outside of the VPN kill switch functionality that is currently integrated into the Asus-Merlin Firmware. KILLMON builds on the excellent kill switch script originally provided by @eibgrad, and provides a user interface to help monitor, enable, or disable kill switch operations, as well as allowing you to choose how to implement the kill switch for both IP4 and IP6 traffic. Currently, KILLMON provides traffic kill modes for 3 different scenarios...
  1. Paranoid mode - All LAN traffic is forbidden from using the current WAN interface
  2. IP Range mode - All LAN traffic within specified IP Range is forbidden from using the current WAN interface
  3. Single IP mode - All LAN traffic on specified IP is forbidden from using the current WAN interface
In each instance, a valid VPN tunnel must be up and running for traffic to make it out to the internet, preventing any possible traffic leaks while a VPN tunnel is down, thus the necessity for a kill switch.

IMPORTANT NOTE: Many VPN kill switches do not consider IP6, or recommend just completely disabling IP6 on the router itself. KILLMON may very well be one of the first kill switches that both embraces and kills the sh*t out of unwanted IP6 traffic when your VPN connection goes down. Please note that if IPv6 is enabled on your router and you are using a kill switch of any kind that does not specifically block IP6, any and all traffic that utilizes IPv6 addressing will be leaking traffic around your IP4 VPN tunnel over your WAN when it goes down.

REQUIREMENTS:
* You must have "JFFS custom scripts" turned on from the router UI, and have Entware installed (easiest way is through AMTM)

LIMITATIONS:
* There seems to be an incompatibility with the x3mrouting script. Apparently there seems to be a competition on startup. @ComputerSteve found a workaround by not enabling "Reboot Protection" in KILLMON.

KILLMON is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Changelog here | What's new: <coming soon>

Screenshots:
Running with both IPv4 and IPv6 enabled

Running with IPv6 disabled at the router level:

KILLMON is designed to work standalone to provide protection with whatever VPN setup you choose to use... but it does integrate nicely with VPNMON-R2, and will display current protection stats on the main VPNMON-R2 UI:


IMPORTANT: A big component of any kill switch is its ability to survive a reboot and make sure rules are in place as the firewall starts back up again. The "Reboot Protection" component is just that. When enabling this, it will write a command into your /jffs/scripts/firewall-start file, and upon reboot, will populate the IP4/IP6 iptables with the necessary rules you have configured!

I'm definitely looking for your feedback... what works, what doesn't... what else would you like to see. But all-in-all, as good ideas come up for things to possibly add, very much a WIP (work-in-progress). ;)
You should just combine all of your scripts into a big super scripts and call it VIKTORMON lol.
 
Time to kick this baby bird out of the nest! KILLMON v1.0 is going live today... it's been tested in single/dual-wan scenarios and I have been running it non-stop since its preview release with zero issues (much to my family's inconvenience and disappointment). LOL ;) Enjoy!

What's new?
v1.0 - (November 29, 2022)
* MAJOR: KILLMON v1.0 goes live today!
* CHANGED: Most recent major mod was removing all IPv6 related info in the UI if IP6 is turned off at the router level, and will only display IP4-related settings.
* FIXED: Minor code changes and enhancements to bring it up to the same back-end functional level as VPNMON-R2, RTRMON and PWRMON.

Download link:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-1.0.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"
 
Hi! Viktor,

I'm back again and cannot help but tinker some more. I finally have vpnmon-r2 working well. You keep coming up with new features that lure one back in.
How do you add killmon to vpnmon-r2 ? Did I miss this somewhere?

Thanks, Cofetym:)
 
;) This feature addition is coming soon... It will basically just give you an indicator that killmon is running and enabled within the vpnmon UI. If you've already enabled killmon, it will enforce Killswitch protection no matter what you're running. Once you upgrade to the next version of vpnmon, you'll see it. You can load the beta if you want to play with it?
 
