Serious Discussion Router VPN Killswitch

n8chavez

Level 20
Thread author
Well-known
Feb 26, 2021
979
Here's my situation: my current VPN subscription to hide.me is about to expire in a few months. But, given the Black Friday discounts, I'm looking at getting another one now. I love hide.me, but the one server they have in my city is blocked by youtube and asks me to login to watch a video. That's no bueno. The other VPN I like, Mullvad, does the same thing but for Reddit and youtube. Again, no bueno. Ok, now for the issue. I use wireguard on my router; glinet to be specific. Doing so means that I do not use the VPN apps that are associated with the respective services. That means no "killswitches." Yes, the router is supposed to block all non-vpn connections. But I don't trust it. I like to see things working, and would prefer to have a hardware and software solution; a double-killswitch so to speak.

Both Mullvad and hide.me offer socks5 that communicates only when an active VPN connection exists. (That is not the same as a socks5 instead of a VPN.) Very few VPNS offer the local socks5. That's a shame because it acts as a safety net. But both of these have the issues I mentioned already. One of the VPNs I was looking at was ProtonVPN. It does not offer the socks5, but in my tests does not get seen as a bot by youtube or Reddit.

My options are as follows:

  1. Use Mullvad or hide.me, and login every time I want to use Reddit or youtube
  2. Buy a Protonvpn, and be without the socks5 safety net.
Neither of these is ideal. I'm thinking of using Protonvpn and coming up with a way to secure it locally as well. Protonvpn has a locally-run DNS address in its wireguard config (10.2.0.1). If I understand correctly, that means that the DNS server cannot be accessed without the VPN being up and functional. Is that right? If that's the case then I could simply run the below .bat, which alters my Windows connection's DNS servers to be 10.2.0.1.

netsh interface ipv4 set dnsservers "n8chaveziscool" static 10.2.0.1 primary

My question is, will this method suffice in stopping any communication should the VPN go down? I'm assuming that the DNS server is tied to the VPN, which 10.x.x.x indicates. If not, my only other alternative I can think of is setting up my VPN network connection as "private" in Windows and blocking anything domain or private in Windows' firewall. But that seems very flimsy. Anyone have ideas on how to stop communication software-wise?
 

Bot

AI-powered Bot
Apr 21, 2016
4,594
Your understanding seems correct. If the DNS server is indeed tied to the VPN, then setting it as your primary DNS server should effectively stop communication if the VPN goes down. This would act as a software killswitch. However, keep in mind that this method isn't foolproof and may not work in all scenarios.

Another alternative is to use a firewall rule to block all non-VPN traffic. This can be a bit complex to set up, but it's a more reliable method. You can use Windows Firewall or a third-party firewall to create rules that only allow traffic through the VPN's network interface.

Lastly, you could consider using a different VPN service that includes a built-in killswitch and doesn't have the issues you've encountered with Mullvad and hide.me. Many VPNs offer this feature, so it's worth exploring.
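
One way to build the host-side safety net discussed in this thread (the OP's observation that 10.2.0.1 is reachable only through the tunnel, plus the firewall-rule approach above), as an added example that is not from any poster: a PowerShell watchdog that probes the tunnel-only resolver and flips the Windows Firewall default outbound action to Block when the probe fails. It assumes the tunnel runs on the router, that 10.2.0.1 answers only while the tunnel is up, and that the rule and function names below (hypothetical) do not clash with existing ones.

```powershell
# Added example, not from the thread: a host-side watchdog for a router-based
# VPN. It probes the tunnel-only resolver 10.2.0.1 and, when the probe fails,
# switches the firewall's default outbound action to Block. Run as Administrator.
# Assumes 10.2.0.1 answers only while the tunnel is up (as in the OP's config).

$VpnDns    = '10.2.0.1'
$ProbeRule = 'VPN-Killswitch-AllowProbe'   # hypothetical rule name
$Interval  = 5                              # seconds between probes

# Explicit allow for the probe only. Explicit rules beat the profile's default
# action, so this DNS path stays open even while everything else is blocked.
if (-not (Get-NetFirewallRule -DisplayName $ProbeRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ProbeRule -Direction Outbound -Action Allow `
        -Protocol UDP -RemoteAddress $VpnDns -RemotePort 53 -Profile Any | Out-Null
}

function Test-TunnelUp {
    # A query sent straight to the tunnel-only resolver succeeds only when the
    # VPN is up; asking it by IP avoids the host's own (cached) resolver.
    try {
        $null = Resolve-DnsName -Name 'example.com' -Type A -Server $VpnDns `
                -DnsOnly -QuickTimeout -ErrorAction Stop
        return $true
    } catch { return $false }
}

function Set-OutboundDefault([string]$Action) {
    # 'Block' closes every outbound connection not covered by an explicit allow
    # rule; 'Allow' restores normal behaviour.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction $Action
}

$blocked = $false
while ($true) {
    $up = Test-TunnelUp
    if (-not $up -and -not $blocked) {
        Set-OutboundDefault 'Block'; $blocked = $true
        Write-Warning "$(Get-Date -Format s) tunnel down: outbound blocked"
    } elseif ($up -and $blocked) {
        Set-OutboundDefault 'Allow'; $blocked = $false
        Write-Host "$(Get-Date -Format s) tunnel up: outbound restored"
    }
    Start-Sleep -Seconds $Interval
}
```

Unlike changing the DNS server alone, the Block default also stops connections to literal or cached IP addresses, since those need an outbound connection too. Any pre-existing explicit allow rules (Windows' own outbound rules included) still pass under the Block default, so review them before relying on this.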
 

n8chavez

Level 20
Thread author
Well-known
Feb 26, 2021
979
@Bot, I'm looking to use the router for my VPN, not any software. How would you suggest using Windows firewall rules as a means to prevent non-vpn communication?
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
884
If you're using a router and have wireguard options in the router to upload config files, go for whatever is cheaper. Mullvad, AirVpn, Protomall offer Wireguard. If you need OpenVpn config files only, then AirVpn and PP are both credible options.
 

n8chavez

Level 20
Thread author
Well-known
Feb 26, 2021
979
> If you're using a router and have wireguard options in the router to upload config files, go for whatever is cheaper. Mullvad, AirVpn, Protomall offer Wireguard. If you need OpenVpn config files only, then AirVpn and PP are both credible options.

That assumes I trust the router to do what I say. This way there are safeguards on both the hardware and software sides.
 

n8chavez

Level 20
Thread author
Well-known
Feb 26, 2021
979
At this point, I'm convinced @Zero Knowledge doesn't know what I'm talking about, so I'll stop posting here. I'm not talking about a simple proxy. I'm talking about a local proxy address that is only accessible when there is a functioning VPN present; something entirely different than any random proxy server. Thank you for the effort, however.
 

sokabi

New Member
Sep 30, 2023
11
> Here's my situation: my current VPN subscription to hide.me is about to expire in a few months. But, given the Black Friday discounts, I'm looking at getting another one now. I love hide.me, but the one server they have in my city is blocked by youtube and asks me to login to watch a video. That's no bueno. The other VPN I like, Mullvad, does the same thing but for Reddit and youtube. Again, no bueno. Ok, now for the issue. I use wireguard on my router; glinet to be specific. Doing so means that I do not use the VPN apps that are associated with the respective services. That means no "killswitches." Yes, the router is supposed to block all non-vpn connections. But I don't trust it. I like to see things working, and would prefer to have a hardware and software solution; a double-killswitch so to speak.
>
> Both Mullvad and hide.me offer socks5 that communicates only when an active VPN connection exists. (That is not the same as a socks5 instead of a VPN.) Very few VPNS offer the local socks5. That's a shame because it acts as a safety net. But both of these have the issues I mentioned already. One of the VPNs I was looking at was ProtonVPN. It does not offer the socks5, but in my tests does not get seen as a bot by youtube or Reddit.
>
> My options are as follows:
>
>   1. Use Mullvad or hide.me, and login every time I want to use Reddit or youtube
>   2. Buy a Protonvpn, and be without the socks5 safety net.
>
> Neither of these is ideal. I'm thinking of using Protonvpn and coming up with a way to secure it locally as well. Protonvpn has a locally-run DNS address in its wireguard config (10.2.0.1). If I understand correctly, that means that the DNS server cannot be accessed without the VPN being up and functional. Is that right? If that's the case then I could simply run the below .bat, which alters my Windows connection's DNS servers to be 10.2.0.1.
>
> netsh interface ipv4 set dnsservers "n8chaveziscool" static 10.2.0.1 primary
>
> My question is, will this method suffice in stopping any communication should the VPN go down? I'm assuming that the DNS server is tied to the VPN, which 10.x.x.x indicates. If not, my only other alternative I can think of is setting up my VPN network connection as "private" in Windows and blocking anything domain or private in Windows' firewall. But that seems very flimsy. Anyone have ideas on how to stop communication software-wise?

Question for my own understanding.
How does the VPN Killswitch work in Merlin?
As I see when listing the iptables rules, it's not implemented in iptables. Am I right?
So how does it work? (technically, under the hood)
Is it 100% reliable?
 

n8chavez

Level 20
Thread author
Well-known
Feb 26, 2021
979
I'm sorry, but I'm not very knowledgeable about Merlin-based routers. I use dd-wrt. But I believe merlin uses routing table level rules and not iptables. So, policy over iptables. I can tell you that I do not trust any killswitch implementation 100%. That's why I'm looking for a local socks5 through VPN (10.x.x.x) method in addition to router "killswitches."
 

sokabi

New Member
Sep 30, 2023
11
> I'm sorry, but I'm not very knowledgeable about Merlin-based routers. I use dd-wrt. But I believe merlin uses routing table level rules and not iptables. So, policy over iptables. I can tell you that I do not trust any killswitch implementation 100%. That's why I'm looking for a local socks5 through VPN (10.x.x.x) method in addition to router "killswitches."

thank you so much for your suggestion
 
