killswitch: Killswitch is not working with OpenVPN

Hi, thank you for this awesome utility. Recently I have been facing the following problem with KillSwitch: when connecting with the IKEv2 and IPSec protocols, KillSwitch works great, but as soon as I connect with OpenVPN (TCP or UDP) it stops the entire network.

I have also checked that the rules are applied correctly using the command pfctl -s rules, and it shows me the rules applied.

@nbari Please help me with this. I would really appreciate your help.

[Screenshot 2021-12-02 at 3:38:30 PM]

About this issue

  • State: open
  • Created 3 years ago
  • Comments: 22 (10 by maintainers)

Most upvoted comments

@nbari Awesome, I am trying to make a few changes, let's see what happens 😃

Hi @munibsiddiqui, here I am sharing some initial tests/findings. I notice that the tunnel is not changing the default gateway:

> route get 0.0.0.0
   route to: default
destination: default
       mask: default
    gateway: 192.168.50.1
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING,GLOBAL>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0

If using other protocols, the interface, instead of being en1, would be something like ipsec. I tried changing the config to use something like redirect-gateway def1 or redirect-gateway autolocal, but no luck. Just for testing, after the VPN was up I changed the default gateway:

sudo route delete default
sudo route change default -interface utun5

but the default killswitch rules block all traffic. I will continue testing, but maybe this info also helps you test from your side.

What I am doing for debugging is:

$ sudo ifconfig pflog0 create

Do some changes in the rules and load them:

$ sudo pfctl -Fa -f /tmp/killswitch.pf.conf -e

Then check the logs with:

$ sudo tcpdump -n -e -ttt -i pflog0

Maybe we need to use the PF reply-to, not sure, but give it a try from your side and share your findings.
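Added example (not code from the killswitch project or from either commenter): a POSIX shell helper for the debugging loop described in the comment above. It parses the output of route get default to check whether the default route already points at a tunnel interface, generates a pf ruleset that only permits traffic via the tunnel interface and to the VPN endpoint while logging every blocked packet to pflog0, and summarizes the pflog records by interface so you can see which interface the blocked traffic was trying to leave on. The interface names utun5 and en1 come from the comment; the VPN server address 203.0.113.10, the sample route output and the pflog lines are constructed, and 1194/udp is OpenVPN's default port.

```shell
#!/bin/sh
# Added example, not part of the killswitch project.

# Sample `route get default` output, constructed to mirror the comment above.
SAMPLE_ROUTE_OUTPUT='   route to: default
destination: default
       mask: default
    gateway: 192.168.50.1
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING,GLOBAL>'

# Constructed pflog lines in the shape `tcpdump -n -e -ttt -i pflog0` prints.
SAMPLE_PFLOG='00:00:00.000000 rule 2/0(match): block out on en1: 192.168.50.12.54321 > 1.1.1.1.53: UDP, length 40
00:00:00.120000 rule 2/0(match): block out on en1: 192.168.50.12.54322 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
00:00:00.250000 rule 4/0(match): pass out on utun5: 10.8.0.2.54323 > 1.1.1.1.53: UDP, length 40'

# Print the interface name from `route get` output read on stdin.
route_interface() {
  awk '$1 == "interface:" { print $2; exit }'
}

# Return 0 if the default route goes through a tunnel interface
# (utunN or ipsecN on macOS), 1 otherwise.
# Usage on a live system: default_route_is_tunnel "$(route get default)"
default_route_is_tunnel() {
  iface=$(printf '%s\n' "$1" | route_interface)
  case "$iface" in
    utun*|ipsec*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit a pf ruleset that allows traffic out only through the tunnel interface
# and, on the physical interface, only the VPN handshake to the server itself.
# `block log all` sends every blocked packet to pflog0 for tcpdump.
# Args: tunnel interface, physical interface, VPN server IP, proto, port.
killswitch_rules() {
  tun=$1; phys=$2; server=$3; proto=$4; port=$5
  cat <<EOF
set block-policy drop
set skip on lo0
block log all
pass out quick on $tun all
pass out quick on $phys proto $proto to $server port $port
EOF
}

# Read pflog tcpdump output on stdin and print "<interface> <blocked count>"
# for every interface that had packets blocked by a matching rule.
blocked_by_interface() {
  awk '/\(match\): block/ {
         for (i = 1; i <= NF; i++)
           if ($i == "on") { iface = $(i + 1); sub(/:$/, "", iface); c[iface]++ }
       }
       END { for (k in c) print k, c[k] }'
}

# Stand-alone demonstration on the constructed samples.
if default_route_is_tunnel "$SAMPLE_ROUTE_OUTPUT"; then
  echo "default route is on a tunnel interface"
else
  echo "default route is NOT on a tunnel: $(printf '%s\n' "$SAMPLE_ROUTE_OUTPUT" | route_interface)"
fi
echo "--- generated ruleset (constructed server 203.0.113.10) ---"
killswitch_rules utun5 en1 203.0.113.10 udp 1194
echo "--- blocked packets per interface ---"
printf '%s\n' "$SAMPLE_PFLOG" | blocked_by_interface
```

On the route output from the comment the check reports en1, which is exactly the situation where a tunnel-only ruleset blocks everything: the default route never moved to utun5, so every packet tries to leave on en1 and only the VPN handshake rule can match. Fix the routing first (or add the route change to the killswitch flow), then load the generated rules with pfctl -Fa -f file -e and watch pflog0 as the comment describes.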

@nbari Sorry for the delay. Please see the following information: vpn-information.txt