VPN kill switch via static route?



Hi,

I'm currently using OpenVPN AS on a VPS. When the VPN drops, is it possible to stop all traffic in/out via my private IP by using a static route to my VPN server and not setting a gateway on my Windows network adapter? I basically only want traffic going through my VPN, and my internet isn't the best and tends to drop for a moment a few times a week. I had a look at some other solutions such as firewall rules, but they seem quite messy.


Are you running the client on your box, or is it a router connection?

If it's on your computer and you don't set a gateway on your PC, and only have a route to the IP or network of your VPN server, then sure, it would not be possible for your computer to go anywhere other than the VPN; if that was down, then only the local network would be reachable.

If the VPN is on your router, then you could limit traffic to only go through the VPN with some basic firewall rules and/or policy-based routing.


I'm running the VPN client on my local machine; the VPN server is outside of my network. I'm not quite sure how I'd need to set the route though.

Say my LAN IP is 192.168.0.10 and the VPN server IP is 100.200.50.80. I assume the command would look something like:

route add 100.200.50.80 mask 255.255.255.0 192.168.0.10

If this is correct, is the mask the subnet of the VPN server IP or my local interface? Or would I need to set the interface IP to the IP assigned by the VPN server to the virtual adapter?

Your gateway would be your router. Let's assume 192.168.0.1?

Your above command would route traffic to yourself. You need to tell your computer how to get to that network, which would be the IP of your router that has the internet connection.

So, for example, say your machine is 192.168.0.10 and your router is 192.168.0.1, and you know what the mask of your VPS is. I doubt it's a /24, most likely bigger, but since it's a VPS and most likely its IP never changes (I know mine never do), you would want to use a /32 mask:

route add 100.200.50.80 mask 255.255.255.255 192.168.0.1

You should not have to add the metric or interface to the command. So this command tells your machine: hey, if you want to go to 100.200.50.80, send the traffic to 192.168.0.1 to get there.

You can then verify the route with route print. This will allow your machine to create your VPN connection, but if it wanted to go to, say, 8.8.8.8, it would not have a default gateway and would have no way to get there. You need to make sure you don't set a default gateway on your PC, nor get one from DHCP, which most routers' DHCP don't even let you alter, so you would have to set a static IP on your PC for this routing stuff to work. Keep in mind, where are you pointing for DNS? Your router? Then it would be able to look up stuff, but never be able to get there, other than this one specific IP you set up a route for.
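
Added example, not part of the original posts: a small Python model of the routing table discussed in this thread. It shows why the /32 host route with no default gateway drops everything except the VPN server, why the first `route add` attempt is rejected, and how a DHCP-supplied default route defeats the setup. The addresses are the thread's; the 192.168.0.0/24 LAN subnet and all function names are assumptions.

```python
import ipaddress

LOCAL_IP = ipaddress.ip_address("192.168.0.10")   # the PC, from the thread
LAN = ipaddress.ip_network("192.168.0.0/24")      # assumed LAN subnet (on-link)

def route(dest, mask, gateway=None):
    """One table entry; ValueError on host bits in dest or an unusable gateway."""
    net = ipaddress.ip_network(f"{dest}/{mask}")  # strict parsing by default
    if gateway is None:
        return net, None                          # on-link (connected) route
    gw = ipaddress.ip_address(gateway)
    if gw == LOCAL_IP or gw not in LAN:
        raise ValueError(f"gateway {gw} is not a neighbouring router")
    return net, gw

def next_hop(table, dst):
    """Longest-prefix match: 'on-link', the gateway as a string, or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, gw) for net, gw in table if dst in net]
    if not hits:
        return None                               # no route: nothing leaves the PC
    _, gw = max(hits, key=lambda r: r[0].prefixlen)
    return "on-link" if gw is None else str(gw)

def audit(table, vpn_server):
    """Return the reasons this table would not act as a kill switch."""
    problems = []
    if any(net.prefixlen == 0 for net, _ in table):
        problems.append("default route present")
    if next_hop(table, vpn_server) is None:
        problems.append("no route to VPN server")
    return problems

# Constructed tables using the thread's addresses.
KILL_SWITCH = [
    route("192.168.0.0", "255.255.255.0"),                     # connected LAN
    route("100.200.50.80", "255.255.255.255", "192.168.0.1"),  # host route to VPS
]
WITH_DHCP_GATEWAY = KILL_SWITCH + [route("0.0.0.0", "0.0.0.0", "192.168.0.1")]

if __name__ == "__main__":
    for name, table in (("kill switch", KILL_SWITCH), ("DHCP gateway", WITH_DHCP_GATEWAY)):
        print(name, next_hop(table, "8.8.8.8"), audit(table, "100.200.50.80"))
```

The router itself stays reachable on-link in both tables, which is the DNS caveat raised in the last reply: lookups sent to the router still leave the PC outside the tunnel.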
