Help setting up a kill switch

[stankovic]

I use firefox portable with my softether and I would like to set a kill switch. Normally when using regular firefox, I can easily set a kill switch using firewall properties (inbound and outbound connections), however this rule doesn't apply to firefox portable, I have tried numerous times but it just wouldn't work. I would be grateful if someone could suggest a kill switch setting or app that can help cut off all connection in case of IP leak.

[cedar]

Simply, you should remove the default gateway for ISP.

[ray5450]

If you mean to do this, while Softether is connected: route delete 0.0.0.0
...what this will do is remove internet access for Softether, even though Softether appears still connected.

Does anyone have the real answer?

[cedar]

When multiple default gateways are defined, please specify the gateway parameter if you want to remove only one.

[ray5450]

The table has only one entry for 0.0.0.0, which is the one and only default, right?

[cedar]

If successful, you should have at least two default gateways defined, one for the physical network and one for the VPN side network.

[ray5450]

Are "the default gateway for ISP" and "the physical network" referring to the same?

[cedar]

There may be a home router between the physical network and the ISP router, so it's not exactly the same, but you can think of it as about the same.

[ray5450]

"If successful, you should have at least two default gateways defined, one for the physical network and one for the VPN side network."
--What do you mean by "successful"?

[cedar]

If a new Internet connection is provided using a VPN, you probably have a default gateway or an equivalent split route.
The split path may be provided, for example, in the form of a netmask of 1.0.0.0.

[ray5450]

When Softether VPN is not connected, here is my route table:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.52 20
10.0.0.0 255.255.255.0 On-link 10.0.0.52 276
10.0.0.52 255.255.255.255 On-link 10.0.0.52 276
10.0.0.255 255.255.255.255 On-link 10.0.0.52 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.52 276
255.255.255.255 255.255.255.255 On-link 10.0.0.52 276

When Softether VPN is connected, here is my route table:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.238.254.254 10.238.20.116 20
10.0.0.0 255.255.255.0 On-link 10.0.0.52 276
10.0.0.52 255.255.255.255 On-link 10.0.0.52 276
10.0.0.255 255.255.255.255 On-link 10.0.0.52 276
10.238.0.0 255.255.0.0 On-link 10.238.20.116 276
10.238.20.116 255.255.255.255 On-link 10.238.20.116 276
10.238.255.255 255.255.255.255 On-link 10.238.20.116 276
75.75.75.75 255.255.255.255 10.0.0.1 10.0.0.52 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
219.100.37.86 255.255.255.255 10.0.0.1 10.0.0.52 20
224.0.0.0 240.0.0.0 On-link 10.0.0.52 276
255.255.255.255 255.255.255.255 On-link 10.0.0.52 276


What should be changed such that when VPN disconnects, ISP will not connect?

[flygun]

1, delete default route before SE Client connect to server

Code: Select all

#windows admin terminal
route delete 0.0.0.0
#linux 
sudo ip route delete default

2, add youre SE Server's IP to the route , so you can not go anywhere except you SE server.

Code: Select all

#windows admin terminal (supose your ADSL router gatway ip 192.168.0.1 ,  xxx.xxx.xxx.xxx is youre SE server IP)
route add xxx.xxx.xxx.xxx/32 192.168.0.1
#linux 
sudo ip route add xxx.xxx.xxx.xxx/32 via 192.168.0.1

3, start your SE client connect, when SE client connected, it will add 0.0.0.0 to a gateway by SE Server, so you can go internet by SE Server

4, when SE client disconnect , It will delete 0.0.0.0, and you can not go any where except you SE server.

[flygun]

5, when you need go out by you ISP , just add default gateway to your 192.168.0.1

Code: Select all

#win
route add 0.0.0.0/0 192.168.0.1
#or
route add 0.0.0.0 mask 0.0.0.0 192.168.0.1
#linux
sudo ip route add default via 192.168.0.1
#or 
sudo ip route add 0.0.0.0/0 via 192.168.0.1

[ray5450]

(I am sorry that the tables I posted are not spaced in a very readable way. I had them spaced, but after posting, the spaces were removed (?).)

Doggone! It worked! Thank-you. I have been waiting a long time for that, as evidenced in the other thread.



I had been expecting to use a batch file for this, but that can't be since the host IP is variable and must be manually typed each time.

[ray5450]

Important:

I would add here that if the connection is a wireless connection/router, disable auto-reconnect in Windows (etc). I would not think it could, but mine somehow reconnects unless I disable auto-reconnect.

[solo]

Important:

I would add here that if the connection is a wireless connection/router, disable auto-reconnect in Windows (etc). I would not think it could, but mine somehow reconnects unless I disable auto-reconnect.

Important #2

- in VPN connection properties check "No Adjustments Of Routing Table" https://www.vpnusers.com/viewtopic.php? ... 682#p98542

[ray5450]

I found the "no adjustments" setting.

What is it that this does, or prevents? Thanks.

[solo]

It prevents SoftEther from automatic reinstatement of the original default gateway when VPN connection breaks later for any reason, which would kill YOUR kill switch.

[ray5450]

Does the Windows setting accomplish the same effect?

Is doing both optional or necessary (as compared to one of either)? ...or is doing both all the better?

Is the SE setting better?

Thanks.

[solo]

On SE Linux do as advised earlier.

On SE Windows do both. Analyze your routing table before and during VPN connection, then prepare specific kill switch batch files. This is easy for VPN to your own server but for VPN Gate you'll need lots of batch files.

[ray5450]

Yes, I know how to do it just fine. That was not my question, but thanks.

[solo]

Alright, here is a short version - unless you check "No Adjustments Of Routing Table", whatever you do ain't a kill switch.

[ray5450]

Thanks.

I do not disagree with you. I only was wondering what the difference is between the final effect of disabling Windows auto-reconnect and SE "No Adjustments Of Routing Table".