What's new

RT-AC88U / Kill Switch

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

StephanK

Occasional Visitor
I have been using the router as an OpenVPN Client to generate a wireless network (from another country). The VPN has been running fine for years.

I use 386.13, but this problem already existed using earlier versions:

I have set "Killswitch - Block routed clients if tunnel goes down" to yes, but when I lose the VPN, the wifi network continues running as a local network (directly, without the tunnel). I would expect it to stop.

What am I doing wrong?
 
the wifi network continues running as a local network

This is the expected behavior. Kill switch stops WAN. It has nothing to do with LAN.
 
I'm having a hard time understanding why someone would want to make *local* access dependent on the availability of *remote* access. Seems kind of weird. Makes me wonder if there's more to the story here.
 
I am using the router to create a Wi-Fi network connected to my home in another country. This way, we can watch Netflix and similar services from that country using that foreign IP.

However, I don't want to use my local network if the VPN client goes down. Now, it would use my local IP and confuses Netflix. It takes a while to unlock it again.
 
Sounds like what you mean by continuing to run *local* is that when the VPN fails/stops, the client continues to use the local network *and* has access to the normal WAN. And if that's the case, what you're claiming is the kill switch isn't working as intended.

It would help if you provided more specifics about your network topology. I suspect this wifi router is daisy-chained behind the primary router, perhaps that of the ISP. IIRC (it's been a while since I looked at the internals), one thing about the kill switch that many don't realize is that it does NOT actually block the WAN. What it does is deny access to the default gateway of the WAN (not quite the same thing). And if another private/local ip network lies immediately upstream of that router over that same WAN, you *will* have access to it. I'm wondering if that's the issue here.

I'm really speculating here. But w/ so little information, all I can do is venture a guess about what you have there and what might be going wrong.
 
Kill Switch is not working as advertised in several youtube videos using Merlin. I have VPN on for a different country when I toggle off and kill switch is ON no internet traffic should be flowing specially if you have all trafic going via VPN. In my case, the moment I toggle off VPN , traffic is restored exposing my ip address. In all youtube videos I have seen using merling, the moment you toggle off, no traffic flows. This is for an aasus AC1900P using fimrware for AC68U as explained in the documentation same firmware as the OP. Why is kill switch not working if this router is still being supported until end of 2024 ?

My topology is really simple: ISP router lan port connected to my Asus WAN port.
 
Kill Switch is not working as advertised in several youtube videos using Merlin. I have VPN on for a different country when I toggle off and kill switch is ON no internet traffic should be flowing specially if you have all trafic going via VPN. In my case, the moment I toggle off VPN , traffic is restored exposing my ip address. In all youtube videos I have seen using merling, the moment you toggle off, no traffic flows. This is for an aasus AC1900P using fimrware for AC68U as explained in the documentation same firmware as the OP. Why is kill switch not working if this router is still being supported until end of 2024 ?

My topology is really simple: ISP router lan port connected to my Asus WAN port.

If you intentionally toggle OFF the OpenVPN client, it will NOT enforce the kill switch anymore! That's by design (NOT unless something changed since the last time I used it). The kill switch is for instances when an *unexpected* failure of the VPN occurs, NOT when you voluntarily choose to turn it OFF.

P.S. I seem to recall that a long time ago, it *did* leave the kill switch active, which caused too much confusion. So the developer changed how it operates. Perhaps older videos might simply be out of date wrt this feature. I just tested it again to verify that it does behave as I explained above w/ my RT-AC68U (386.12_4).
 
Last edited:
I have Frontier Fios with a G1100. The Asus has a static internal IP and is connected to it. It works as an OpenVPN client and creates a Wi-Fi network that a Firestick is connected to.

The OpenVPN Server (my own) is in another country.

I want the traffic not to be routed over the local IP if the tunnel goes down.
 
I want the traffic not to be routed over the local IP if the tunnel goes down.

What does that mean? You mean the IP of the ASUS WAN? As I indicated previously, if you turn OFF the OpenVPN client, the kill switch no longer works. If it dies unexpectedly, it should work.

Regardless, if you just want to shutdown ALL access over the ASUS WAN by any LAN clients, then you can simply add the following to a firewall-start script.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT

In fact, you could disable the kill switch on the OpenVPN client w/ the above firewall rules, since those rules are enforced 24/7. IOW, clients of the ASUS are *never* allowed access to the internet via the WAN. The only option they have is the OpenVPN client, assuming it's actually running.
 
I never said anything about turning off the VPN. If the VPN is turned on but goes down, the traffic is routed over the US IP. To me, it looks like the kill switch does not work. But I might be doing something wrong.
 
I never said anything about turning off the VPN. If the VPN is turned on but goes down, the traffic is routed over the US IP. To me, it looks like the kill switch does not work. But I might be doing something wrong.

Then just use the firewall rules I provided. They work 24/7 irrespective whether there is or isn't a problem w/ the kill switch.
 
Thank you very much! Can you point me to an explanation of how I get that into a startup script?
 
It needs a firewall-start script. The following link shows how (albeit you'll obviously need to change the firewall rules to the above).

 
If you intentionally toggle OFF the OpenVPN client, it will NOT enforce the kill switch anymore! That's by design (NOT unless something changed since the last time I used it). The kill switch is for instances when an *unexpected* failure of the VPN occurs, NOT when you voluntarily choose to turn it OFF.
Is there a way to set it up so that the Internet doesn't go through even if you close the OpenVPN client yourself?

It could be that my child unplugs the VPN router, or that the client closes automatically due an error.
It wouldn't be great if my ISP's IP got through...
That doesn't make sense if a kill switch lets your ISP's IP through when the client is turned off.
 
What exactly router running what firmware?

If a child unplugs the router you will all lose connection to Internet, with or without VPN, guaranteed.
 
What exactly router running what firmware?
I haven't bought a router yet and I'm not sure which one I'll get.
If I buy one, I'll definitely get the newer models with the latest firmware.

If a child unplugs the router you will all lose connection to Internet, with or without VPN, guaranteed.
That was a stupid example :D, but if the client is stopped due an error, or my child accidentally stops the client, then I dont want that the connection from the ISP go through...

Is there a way to set it up so that no connection goes through even if I stop the client itself?
 
Yes, there is a way. This is how Kill Switch works in Asuswrt-Merlin now. VPN client on on/off with Kill Switch on - no Internet.
 
Yes, there is a way. This is how Kill Switch works in Asuswrt-Merlin now. VPN client on on/off with Kill Switch on - no Internet.
So the kill switch is still active even if I close the client myself?
Does that mean that this problem with the kill switch in this thread is outdated?
 
Does that mean that this problem with the kill switch in this thread is outdated?

This thread is for an End-Of-Life device running older firmware on a different than current base.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top