VPN kill switch via static route?

[DarkHorizons]

Hi,

 

I'm currently using OpenVPN AS on a VPS, when the VPN drops is it possible to stop all traffic in/out via my private IP by using a static route to my VPN server and not setting a gateway on my windows network adapter? I basically only want traffic going through my VPN and my internet isn't the best and tends to drop for a moment a few times a week. I have a look at some other solutions such as firewall rules but they seem quite messy.

[+BudMan MVC]

Are you running the client on your box or is a router connection? 

 

If on your computer and you don't set a gateway on your PC, and only have a route to the IP or network of your vpn server, then sure it would not be possible for your computer to go anywhere other than the vpn, if that was down then only the local network would be reachable.

 

If vpn is on your router then you could limit traffic to only through the vpn through some basic firewall rules and or policy based routing.

[DarkHorizons]

I'm running the VPN client on my local machine, the VPN server is outside of my network. I'm not quite sure on how I'd need to set the route though.

 

Say my LAN IP is 192.168.0.10, the VPN server IP is 100.200.50.80, I assume the command would look something like:

route add 100.200.50.80 mask 255.255.255.0 192.168.0.10

If this is correct is the mask the subnet of the VPN server IP or my local interface? Or would I need to set the interface IP to the IP assigned by the VPN server to the virtual adapter?

[+BudMan MVC]

your gateway would be your router.. Lets assume 192.168.0.1 ??

 

your above command would route traffic to yourself.. You need to tell you computer how to get to that network, which would be the IP of your router that has the internet connection.

 

So example if your machine is 192.168.0.10 and your router is 192.168.0.1, and you know what the mask of your vps is.. I doubt its a /24, most likely bigger but you since its a vps and most likely is IP never changes, I know mine never do you would want to use a /32 mask

 

route add 100.200.50.80 mask 255.255.255.255 192.168.0.1

 

You should not have to add the metric or interface to the command.  So this command tells your machine hey if you want to go to 100.200.50.80 send the traffic to 192.168.0.1 to get there.

 

you can then verify the route with route print.  This will allow your machine to create your vpn connection, but if wanted to go to say 8.8.8.8, it would not have a default gateway and would have no way to get there.  You need to make sure you don't set a default gateway on your pc, nor get one from dhcp..  Which most routers dhcp don't even let you alter so you would have to set static IP on your PC for this routing stuff to work.  Keep in mind, where are you pointing for dns?  Your router - then it would be able to look up stuff, but never be able to get there other than this 1 specific IP you setup a route for