How to protect LAN Network when DSM OpenVPN Client is going down

Hi,

I currently have the OpenVPN client from DSM set up as the VPN gateway for my LAN network. This is in combination with AdGuard; this way my entire LAN network is protected against ads and all traffic from the various devices goes through the VPN tunnel.

The only problem I run into is that I can't protect the network from the VPN connection going down.
For example, this week the VPN connection was down and I didn't realize it until a few hours later. I do get a notification via Telegram and via mail, but unfortunately I saw it too late.
If the VPN connection fails then the entire LAN network goes through my ISP, with the result that my actual IP and location are exposed.

Does anyone know a way to prevent this? The DSM version of the OpenVPN client does not have a kill switch feature like most VPN apps have.

If anyone has a solution for how I can secure this even better I would love to hear from you.

Maybe someone knows a script that allows me to set up a backup VPN connection, for example, if the first connection is lost the script automatically activates the second VPN connection.

TIA
 
To summarise what your setup is:
  1. All LAN devices are set to use the NAS as default gateway
  2. The NAS creates an OpenVPN tunnel to an Internet VPN service
  3. Outbound LAN connections route to the Internet via the NAS’s OpenVPN tunnel
  4. If the tunnel fails then the LAN traffic defaults to using the Internet router

How do the LAN devices automatically switch between using the NAS as gateway to the Internet router?

I haven’t looked at what tunnel health info is available but you could script something using ping and/or traceroute. Choose to monitor something that is only accessible with the tunnel. If that’s not possible then determine whether the path is different: more hops, higher latency, etc.
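The probe idea above, as an added example in shell that is not part of the original thread or of Synology's software: a script for DSM Task Scheduler (run every minute as root) that asks the kernel which interface would carry a packet to a public address, pings a tunnel-only target bound to tun0, and runs a command you supply once per state change. The interface name tun0, the state-file path, and the ON_DOWN/ON_UP hooks are assumptions; the Telegram notifier or backup-profile reconnect is whatever command the reader already uses.

```shell
#!/bin/sh
# Tunnel health monitor for a DSM/VDSM host acting as the LAN's VPN gateway.
# Added example, not code from the thread or from Synology. Assumptions:
#   VPN_IF     - interface created by DSM's OpenVPN client (tun0 assumed)
#   PROBE_HOST - an address that answers ping only through the tunnel; if empty,
#                the peer address OpenVPN installed on VPN_IF is used, then PUBLIC_REF
#   ON_DOWN / ON_UP - shell commands you supply, run once per state change
#                (e.g. your existing Telegram notifier, or a reconnect to a backup
#                profile; DSM's /usr/syno/bin/synovpnc controls the client from the
#                CLI, check its usage text before relying on any option)
# Schedule "monitor.sh once" every minute from DSM Task Scheduler as root.
VPN_IF="${VPN_IF:-tun0}"
PROBE_HOST="${PROBE_HOST:-}"
STATE_FILE="${STATE_FILE:-/tmp/vpn-monitor.state}"
ON_DOWN="${ON_DOWN:-:}"
ON_UP="${ON_UP:-:}"
PUBLIC_REF="${PUBLIC_REF:-9.9.9.9}"   # any public IP; used to ask the kernel which way it would route

# Gateway address OpenVPN pushed for the tunnel (first "via" on a VPN_IF route).
tunnel_peer() {
    ip route show dev "$VPN_IF" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Would the kernel send a packet for a public address through the tunnel right now?
# Works whether the client replaced the default route or added the 0.0.0.0/1 and
# 128.0.0.0/1 pair that "redirect-gateway def1" installs.
default_via_tunnel() {
    ip route get "$PUBLIC_REF" 2>/dev/null | grep -q " dev $VPN_IF "
}

# Reachability probe bound to the tunnel interface: -I forces egress via VPN_IF,
# so it cannot accidentally succeed via the router once the tunnel is gone.
probe_tunnel() {
    host="$PROBE_HOST"
    [ -n "$host" ] || host="$(tunnel_peer)"
    [ -n "$host" ] || host="$PUBLIC_REF"
    ping -I "$VPN_IF" -c 1 -W 2 "$host" >/dev/null 2>&1
}

# Prints "up" or "down"; returns 0 only when both checks pass.
tunnel_status() {
    if default_via_tunnel && probe_tunnel; then
        echo up; return 0
    fi
    echo down; return 1
}

# One monitoring pass. ON_DOWN / ON_UP fire only on a transition, so a tunnel
# that stays down for hours produces one alert, not one per minute.
monitor_once() {
    prev="$(cat "$STATE_FILE" 2>/dev/null || echo unknown)"
    cur="$(tunnel_status)" || true
    if [ "$cur" != "$prev" ]; then
        echo "$cur" > "$STATE_FILE"
        case "$cur" in
            down) sh -c "$ON_DOWN" ;;
            up)   sh -c "$ON_UP" ;;
        esac
    fi
    echo "$cur"
}

case "${1:-}" in
    once)   monitor_once ;;
    status) tunnel_status ;;
    *)      : ;;   # no argument: only define the functions
esac
```

Sanity check: run `monitor.sh status` with the tunnel connected (expect `up`), then disconnect the VPN in DSM and run it again (expect `down`). The hooks only fire on the transition, so the state file must be writable by the scheduled task's user. A monitor alone only alerts or reconnects; during the gap the LAN still leaks through the router, so pair it with a firewall rule set on the VDSM that refuses to forward LAN traffic out of anything but tun0.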
 
How do the LAN devices automatically switch between using the NAS as gateway to the Internet router?
Probably simply by not having an active VPN connection: the LAN devices still target the NAS IP as their GW, and then route towards the net using the NAS default GW at that point, which is the router by default.
 
How do the LAN devices automatically switch between using the NAS as gateway to the Internet router?

I'll try to clarify how it is set up
  • NAS set up to serve Docker (AdGuard with macvlan IP 192.168.178.50) and DHCP
  • VMM Virtual DSM set up to serve the VPN tunnel.
    Network is with static IP (192.168.178.105)
    Gateway is set up with the router IP (192.168.178.1)
    DNS server is 9.9.9.9
  • AdGuard upstream DNS server is set up with the VDSM IP (192.168.178.105)
  • LAN clients receive the following from DHCP:
    IP, e.g. 192.168.178.200
    Gateway: the VMM IP (192.168.178.105), so that all the traffic goes through the VPN tunnel
    DNS server: the IP of AdGuard (192.168.178.50), to protect the clients against ads and malware
So when the VPN is active every client's internet traffic goes through the VPN tunnel and is protected against ads. But when the VPN is down the clients can still access the Internet, but then through the router.
I guess this is because of the router IP I have set up for VDSM.

What I need is something like a kill switch, which blocks the internet connection when the VPN connection is down.

I append a few screenshots to clarify the whole thing.
 

Can you alter VDSM’s network settings?
  • No default route / gateway
  • Add a specific static route for AdGuard subnet via the Internet router
Or….

Can you add another VDSM interface with dummy routing and have that as higher priority to the current network interface?

What about VDSM’s firewall settings? I don’t use my NAS as a router (which in effect is what you are doing) so have never tried this, but is there any way to set up rules based on exit interface?

Your Internet router’s firewall: is it able to set outbound rules or is it pretty dumb and allow all to go out? If the latter then just stop outbound connections from all LAN devices except VDSM.
 
Can you alter VDSM’s network settings?
  • No default route / gateway
When I remove the default Gateway IP (192.168.178.1) then VPN won't connect.
Can you add another VDSM interface with dummy routing and have that as higher priority to the current network interface?
What about VDSM’s firewall settings? I don’t use my NAS as a router (which in effect is what you are doing) so have never tried this, but is there any way to set up rules based on exit interface?
I'm sorry, not sure what you are trying to say here? Can you elaborate with an example?
Your Internet router’s firewall: is it able to set outbound rules or is it pretty dumb and allow all to go out? If the latter then just stop outbound connections from all LAN devices except VDSM.
The Internet router firewall doesn't have the ability to set up rules, as far as I can see. (I have the Nighthawk R7000)
 
[I'm a bit hazy on what your VPN service is and what AdGuard is providing, so I'm assuming they are one and the same for where VDSM needs to get on the Internet.]

When I remove the default Gateway IP (192.168.178.1) then VPN won't connect.
Even with the second bit (VPN tunnel specific routing via the router):
  • Add a specific static route for AdGuard subnet via the Internet router
Removing the default route was step 1, adding specific routes to the VPN / AdGuard Internet subnet would be step 2.

I'm sorry, not sure what you are trying to say here? Can you elaborate with an example?
In VDSM is it possible to add a new interface? I'm thinking if it is possible to make an interface higher priority when the VPN isn't running, and have that interface with no default route.

It probably won't or can't work. I'm just thinking of stuff I would check if I were in your situation.

The Internet router firewall doesn't have the ability to set up rules, as far as I can see. (I have the Nighthawk R7000)
I don't know Netgear routers, maybe it is fairly basic and assumes all internal devices can access anywhere on the Internet. If it could do outbound rules then you could create rules to allow VDSM to access the VPN service/AdGuard and block access anywhere else.

Maybe you could create a Docker firewall that VDSM uses as its default gateway?


Can the VDSM firewall be set to allow LAN devices to access different destinations/IP services for the VPN interface and have a more restrictive [blocking] policy on the All Interfaces policy?
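One concrete answer to the exit-interface question, as an added example in shell that is not code from the thread or from Synology. Removing the default route (tried above) breaks the client because it must reach the VPN server through the router; this script keeps that route and instead uses iptables to allow forwarded LAN traffic out of tun0 only, and the VDSM's own traffic out of eth0 only towards the VPN endpoint (and, optionally, the resolver). The interface names eth0/tun0, the endpoint 203.0.113.10:1194/udp and the chain layout are assumptions to adapt; the subnet, the router and 9.9.9.9 come from the thread.

```shell
#!/bin/sh
# iptables kill switch for a VDSM host that is the LAN's VPN gateway.
# Added example, not code from the thread or from Synology. Assumptions to check:
#   LAN_IF     the VDSM's LAN interface (eth0 assumed)
#   VPN_IF     the interface DSM's OpenVPN client creates (tun0 assumed)
#   LAN_NET    the LAN subnet, 192.168.178.0/24 from the thread
#   VPN_SERVER/VPN_PORT/VPN_PROTO  your provider's endpoint; 203.0.113.10 is a
#              placeholder from the TEST-NET-3 documentation range
#   DNS_SERVER the VDSM's own resolver, 9.9.9.9 from the thread
# "killswitch.sh show" (or IPT=echo) prints the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.178.0/24}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
DNS_SERVER="${DNS_SERVER:-9.9.9.9}"
# 1 = let the VDSM resolve the VPN server's hostname via eth0 before the tunnel
# exists. While the tunnel is down this leaks the VDSM's own DNS queries (nothing
# else) to DNS_SERVER; use "remote <ip>" in the .ovpn profile and set 0 to close it.
ALLOW_BOOTSTRAP_DNS="${ALLOW_BOOTSTRAP_DNS:-1}"

# FORWARD: packets the VDSM routes for LAN clients. tun0 is the only allowed exit.
# When the tunnel drops, tun0 disappears, nothing matches, and the DROP policy
# blocks the LAN instead of letting it fall back to the router at 192.168.178.1.
# (-F replaces the whole chain; fine on a VDSM dedicated to this job.)
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$VPN_IF" -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "killswitch-drop: "
}

# OUTPUT: packets the VDSM itself sends. The default route via the router has to
# stay (the OpenVPN client needs it to reach the server), so instead of deleting
# it we allow only the tunnel, the LAN, the VPN endpoint and (optionally) DNS.
output_rules() {
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$VPN_IF" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    if [ "$ALLOW_BOOTSTRAP_DNS" = 1 ]; then
        $IPT -A OUTPUT -o "$LAN_IF" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -o "$LAN_IF" -d "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT
    fi
}

# NAT: LAN clients must be masqueraded behind the tunnel address or the provider
# would drop their private source addresses. Added only if not already present,
# so any rule the DSM client installs itself is left alone.
nat_rules() {
    $IPT -t nat -C POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE 2>/dev/null \
        || $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

apply_all() { forward_rules; output_rules; nat_rules; }

case "${1:-}" in
    apply) apply_all ;;
    show)  (IPT=echo; apply_all) ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Run it as a root "boot-up" task in DSM Task Scheduler, and re-run it after any change in the DSM firewall GUI, which may rewrite the host's iptables chains. To verify the switch, disconnect the VPN in the DSM client and confirm from a LAN client that a public site no longer loads while `iptables -S FORWARD` on the VDSM still shows `-P FORWARD DROP`. The script does not touch INPUT, so the DSM web UI and AdGuard's upstream queries to the VDSM keep working. With ALLOW_BOOTSTRAP_DNS=1 the VDSM's own lookups still reach 9.9.9.9 via the router while the tunnel is down (a leak of those queries only, never of LAN traffic); putting the server's IP in the .ovpn profile and setting it to 0 closes that too.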
 

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.
