VPN Client Kill Switch?

Testing the VPN client on my UDM Pro SE. Connects no problem to PIA’s servers. However, I’ve noticed that if the connection is paused, the devices/networks using the VPN just fall back to the default WAN connection.

Is there a way to set up a kill switch so this doesn’t happen?

I was able to add a kill switch using the firewall rules. Create an Internet Out rule where the source is the VLAN that is connected to the VPN. Set the destination to any port/IP group. Set the rule to Drop and set Applied to After. With the VPN client paused I was unable to navigate to any web page or resolve any DNS requests.

Not sure on your device, but this is done all the time with pfsense and PIA. Google PIA pfsense killswitch and you’ll find lots of examples. Perhaps one can help in the config.

Must be out of the loop on this.

u/everythingguy12 Do you mean like this? On Network 7.4.156:
Type: Internet Out
Description: VPN Kill Switch
Rule Applied: After
Action: (*) Drop
IPv4 Protocol: All

Source
Source Type: Network
Network: UK VPN
Network Type: IPv4 Subnet
MAC Address:
Destination
Destination Type: Port/IP Group
IPv4 Address Group: Any
Port Group: Any
Advanced: [Auto]

Also curious if you can explain how this kills the traffic without affecting the VPN traffic (I’m newer to firewalls)? Am I correct in understanding that the VPN bypasses the firewall because it’s encrypted? So when it fails and is not, it runs into the firewall?

Sorry about amp version

Did you ever figure this out?

KBinCanada - Did you have to create an entire network to serve your VPN to the clients, or did you simply add a traffic route? The reason I'm asking is, my VPN client doesn't show up in the source network.

That is exactly how I have mine configured. I believe it works because the rule is applied after. So the VPN would route the traffic before it even hits this rule in the firewall.

Yup. Works exactly as I explained above. Put the rule in my firewall and it kills the traffic from the vlan if it detects it.

I would imagine the same type of rule for “internet in” is not necessary, because if it drops, the website/server upstream of the vpn would not re-establish or have knowledge of my public ip anyway?

Are you saying that your hypothesis about the VPN being encrypted is the way that this works in practice?
Otherwise I could hypothesise myself that the VPN routing rule has a higher priority and thus we never reach the killswitch rule in the firewall if the VPN is active.
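To make the two hypotheses above concrete, here is a small model of the path a packet takes through a router like the one configured earlier in the thread. It is an added example, not code from the original thread or from Ubiquiti, and it assumes the usual Linux behaviour: policy routing picks the egress interface (tunnel or WAN) first, and the "Internet Out" rule is then evaluated only on traffic actually leaving via WAN. Everything the tunnel carries leaves WAN wrapped in an outer packet whose source is the router's own WAN address, not the VLAN subnet, so the drop rule never matches it; when the tunnel is down the inner packet is routed straight to WAN with its VLAN source and is dropped. The subnets and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the model (not taken from the thread).
VLAN_VPN = ip_network("10.10.7.0/24")   # the "UK VPN" VLAN behind the router
VLAN_LAN = ip_network("10.10.1.0/24")   # an ordinary VLAN not using the VPN
WAN_IP = ip_address("203.0.113.10")     # router's public WAN address
VPN_PEER = ip_address("198.51.100.5")   # the VPN provider's endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def route(pkt: Packet, vpn_up: bool) -> str:
    """Policy routing: VLAN_VPN traffic is sent to the tunnel while it is up,
    everything else (and VLAN_VPN traffic when the tunnel is down) goes to WAN."""
    if ip_address(pkt.src) in VLAN_VPN and vpn_up:
        return "tun0"
    return "wan"


def encapsulate(pkt: Packet, iface: str) -> tuple[Packet, str]:
    """Packets routed into tun0 are encrypted and wrapped in an outer packet
    from WAN_IP to VPN_PEER; that outer packet is what leaves the WAN port."""
    if iface == "tun0":
        return Packet(str(WAN_IP), str(VPN_PEER), 1198), "wan"
    return pkt, iface


def internet_out_kill_switch(pkt: Packet) -> str:
    """The thread's 'Internet Out' rule: source = VLAN_VPN, destination any,
    action Drop. Evaluated only on packets leaving the WAN interface."""
    if ip_address(pkt.src) in VLAN_VPN:
        return "drop"
    return "accept"


def forward(pkt: Packet, vpn_up: bool) -> tuple[str, str]:
    """Return (interface the inner packet was routed to, WAN-egress verdict)."""
    iface = route(pkt, vpn_up)
    outer, egress = encapsulate(pkt, iface)
    verdict = internet_out_kill_switch(outer) if egress == "wan" else "accept"
    return iface, verdict


if __name__ == "__main__":
    web = Packet("10.10.7.25", "93.184.216.34", 443)   # HTTPS from the VPN VLAN
    dns = Packet("10.10.7.25", "1.1.1.1", 53)          # DNS from the VPN VLAN
    lan = Packet("10.10.1.40", "93.184.216.34", 443)   # HTTPS from the plain VLAN
    for label, pkt in (("web", web), ("dns", dns), ("lan", lan)):
        print(label, "vpn up  ->", forward(pkt, True))
        print(label, "vpn down->", forward(pkt, False))
```

Running it shows the VPN VLAN's web and DNS traffic accepted via tun0 while the tunnel is up and dropped at WAN egress when it is paused, while the plain VLAN is unaffected either way, which is the behaviour reported earlier in the thread. The model also shows why an equivalent "Internet In" rule adds nothing: nothing from the VLAN ever reaches WAN in the first place once the tunnel drops, so no upstream host learns a flow to reply to.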