Serious Discussion: Router VPN Killswitch

n8chavez (thread author)
Feb 26, 2021
Here's my situation: my current VPN subscription to hide.me is about to expire in a few months. But, given the Black Friday discounts, I'm looking at getting another one now. I love hide.me, but the one server they have in my city is blocked by YouTube, which asks me to log in to watch a video. That's no bueno. The other VPN I like, Mullvad, does the same thing but for Reddit and YouTube. Again, no bueno. Ok, now for the issue. I use WireGuard on my router; GL.iNet to be specific. Doing so means that I do not use the VPN apps that are associated with the respective services. That means no "killswitches." Yes, the router is supposed to block all non-VPN connections. But I don't trust it. I like to see things working, and would prefer to have a hardware and software solution; a double-killswitch so to speak.

Both Mullvad and hide.me offer a socks5 proxy that communicates only when an active VPN connection exists. (That is not the same as a socks5 instead of a VPN.) Very few VPNs offer the local socks5. That's a shame, because it acts as a safety net. But both of these have the issues I mentioned already. One of the VPNs I was looking at was ProtonVPN. It does not offer the socks5, but in my tests it does not get seen as a bot by YouTube or Reddit.

My options are as follows:

  1. Use Mullvad or hide.me, and log in every time I want to use Reddit or YouTube
  2. Buy ProtonVPN, and be without the socks5 safety net.
Neither of these is ideal. I'm thinking of using ProtonVPN and coming up with a way to secure it locally as well. ProtonVPN has a locally-run DNS address in its WireGuard config (10.2.0.1). If I understand correctly, that means that the DNS server cannot be accessed without the VPN being up and functional. Is that right? If that's the case, then I could simply run the below .bat, which alters my Windows connection's DNS servers to be 10.2.0.1.

netsh interface ipv4 set dnsservers "n8chaveziscool" static 10.2.0.1 primary

My question is, will this method suffice in stopping any communication should the VPN go down? I'm assuming that the DNS server is tied to the VPN, which 10.x.x.x indicates. If not, my only other alternative I can think of is setting up my VPN network connection as "private" in Windows and blocking anything domain or private in Windows' firewall. But that seems very flimsy. Anyone have ideas on how to stop communication software-wise?
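An added example, not part of n8chavez's post, that does the same DNS pinning as the netsh line in PowerShell and then checks whether the pinned resolver actually answers. It assumes the adapter alias is "Wi-Fi" and uses the 10.2.0.1 resolver named above. Pinning DNS only stops name resolution: a program that already holds an IP address, or one that runs its own DNS-over-HTTPS resolver, is not stopped by it. When the tunnel runs on the router, the route step below will report the LAN gateway as the next hop, and a successful answer then only proves that the router forwarded the query into its tunnel.

```powershell
# Added example (not from the original post). Assumptions: the active adapter is
# named "Wi-Fi" and the through-tunnel resolver is 10.2.0.1 as in the ProtonVPN
# WireGuard config above. Run from an elevated PowerShell; the DNS change needs it.
param(
    [string]$InterfaceAlias = 'Wi-Fi',
    [string]$TunnelDns      = '10.2.0.1',     # resolver that only answers via the tunnel
    [string]$ProbeName      = 'example.com'   # constructed probe name, any public name works
)

# 1. Pin DNS to the tunnel-side resolver (equivalent of the netsh line in the post)
#    and drop cached answers so the check below really has to ask the server.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $TunnelDns
Clear-DnsClientCache

# 2. Which way would packets to the resolver leave this host? Find-NetRoute returns
#    the best local address and the best route; only the route object has a NextHop.
#    If the next hop is the LAN router, the tunnel lives on the router, not on this PC.
$route = Find-NetRoute -RemoteIPAddress $TunnelDns | Where-Object { $null -ne $_.NextHop }
"Path to ${TunnelDns}: interface '$($route.InterfaceAlias)', next hop $($route.NextHop)"

# 3. Ask the pinned resolver directly (-DnsOnly bypasses cache and hosts file).
#    A dead tunnel makes this time out instead of answering, which is exactly the
#    fail-closed behaviour the post wants to rely on.
function Test-TunnelDns {
    param([string]$Server, [string]$Name)
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        [pscustomobject]@{
            TunnelUp = $true
            Answer   = ($answer | Where-Object Type -eq 'A').IPAddress
        }
    } catch {
        [pscustomobject]@{ TunnelUp = $false; Answer = $_.Exception.Message }
    }
}

Test-TunnelDns -Server $TunnelDns -Name $ProbeName | Format-List
```

Run it once with the tunnel up and once with it deliberately disconnected; the second run should report TunnelUp = False with a timeout, not a stale cached answer.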
 
Your understanding seems correct. If the DNS server is indeed tied to the VPN, then setting it as your primary DNS server should effectively stop communication if the VPN goes down. This would act as a software killswitch. However, keep in mind that this method isn't foolproof and may not work in all scenarios.

Another alternative is to use a firewall rule to block all non-VPN traffic. This can be a bit complex to set up, but it's a more reliable method. You can use Windows Firewall or a third-party firewall to create rules that only allow traffic through the VPN's network interface.

Lastly, you could consider using a different VPN service that includes a built-in killswitch and doesn't have the issues you've encountered with Mullvad and hide.me. Many VPNs offer this feature, so it's worth exploring.
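As an added illustration of the firewall approach the reply above sketches (example code, not the bot's or any vendor's): a PowerShell rule set that blocks all outbound traffic by default and then allows only the tunnel adapter, the UDP path to the WireGuard endpoint, and DHCP on the physical NIC. It assumes the tunnel terminates on the PC as a WireGuard adapter named "ProtonVPN", a physical adapter named "Wi-Fi", and a placeholder endpoint of 203.0.113.10:51820 taken from nowhere but this example; create the rules while the tunnel is up so the alias resolves. It does not help when the tunnel is on the router, because the PC then sees only LAN traffic. Test-VpnOnlyRules lists the outbound allow rules Windows ships enabled (Core Networking and the like) that still bypass the default block; those are what to review before trusting the result.

```powershell
# Added example, not the bot's or ProtonVPN's code. Assumes the tunnel terminates on
# this PC as a WireGuard adapter with alias "ProtonVPN", the physical adapter is "Wi-Fi",
# and the server endpoint is the placeholder 203.0.113.10:51820 (take the real one from
# the .conf). Run elevated. Remove-VpnOnlyRules undoes everything, including the
# default-action change.
$Tunnel   = 'ProtonVPN'
$Physical = 'Wi-Fi'
$Endpoint = '203.0.113.10'
$EndPort  = 51820
$Tag      = 'VpnOnly-'

function Add-VpnOnlyRules {
    # Nothing leaves by default; every rule below is an explicit exception.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # Anything is allowed once it is inside the tunnel adapter.
    New-NetFirewallRule -DisplayName "${Tag}TunnelOut" -Direction Outbound -Action Allow `
        -InterfaceAlias $Tunnel | Out-Null

    # The physical NIC may talk only to the WireGuard endpoint, so the tunnel can come up...
    New-NetFirewallRule -DisplayName "${Tag}Endpoint" -Direction Outbound -Action Allow `
        -InterfaceAlias $Physical -Protocol UDP -RemoteAddress $Endpoint -RemotePort $EndPort | Out-Null

    # ...and do DHCP, so the lease can renew while the tunnel is down.
    New-NetFirewallRule -DisplayName "${Tag}Dhcp" -Direction Outbound -Action Allow `
        -InterfaceAlias $Physical -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
}

function Remove-VpnOnlyRules {
    Get-NetFirewallRule -DisplayName "${Tag}*" | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
}

function Test-VpnOnlyRules {
    # Any enabled outbound allow rule that is not ours punches a hole in the killswitch.
    # Windows ships several such rules enabled; decide per rule whether to keep it.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -notlike "${Tag}*" } |
        Select-Object DisplayName, Profile
}

Add-VpnOnlyRules
Test-VpnOnlyRules
```

With the default outbound action set to Block, DNS to the LAN router on the physical NIC is blocked too, which is intended: name resolution has to go through the tunnel or not at all.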
 
@Bot, I'm looking to use the router for my VPN, not any software. How would you suggest using Windows firewall rules as a means to prevent non-VPN communication?
 
If you're using a router and have WireGuard options in the router to upload config files, go for whatever is cheaper. Mullvad, AirVPN, Protomall offer WireGuard. If you need OpenVPN config files only, then AirVPN and PP are both credible options.
 
That assumes I trust the router to do what I say. This way there are safeguards on both the hardware and software sides.
 
At this point, I'm convinced @Zero Knowledge doesn't know what I'm talking about, so I'll stop posting here. I'm not talking about a simple proxy. I'm talking about a local proxy address that is only accessible when there is a functioning VPN present; something entirely different from any random proxy server. Thank you for the effort, however.
 
I'm sorry, but I'm not very knowledgeable about Merlin-based routers. I use dd-wrt. But I believe Merlin uses routing table level rules and not iptables. So, policy over iptables. I can tell you that I do not trust any killswitch implementation 100%. That's why I'm looking for a local socks5 through VPN (10.x.x.x) method in addition to router "killswitches."
 
A brief update just in case anyone but me was at all interested, as unlikely as that may be. There really is no way I can see to bind a connection locally to a VPN connection on a router. Even if you create a firewall rule allowing only a local address (in the case of ProtonVPN that would be 10.2.0.2), so that only transfers using that address can connect, that still wouldn't work with ProtonVPN on a router. The VPN connection uses the new router address as local. You could do the same, just using your assigned 192.168.x.x address from your router, but that just allows any connection from the router and not necessarily a VPN connection.

The ONLY way I've found to be able to guarantee a VPNed connection using both software and a router, is to do both of these two things:

1. Enable the global lock on your router
2. To use a VPN such as hide.me, IVPN or Mullvad, that use a per-server-based socks5 connection on each server that only functions if the VPN is up and active. For example, with Mullvad using 10.64.0.1 for the WireGuard connection, if I set an application to use 10.64.0.1:1080 as a socks proxy I'll only be able to communicate if I have an active Mullvad VPN connection. That's true if the VPN is used locally or on a router.

I know I'm odd, but I prefer to have more than one "killswitch." This is the only way I know that accomplishes both.
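The through-tunnel proxy check from step 2 as an added example, not code from the post or from Mullvad: a PowerShell function that performs the RFC 1928 SOCKS5 greeting and a CONNECT request against 10.64.0.1:1080 and reports at which stage it failed. The target example.com:443 is a constructed placeholder and no data is sent to it; the proxy only resolves and connects on our behalf. With the tunnel down, 10.64.0.1 has no route, so the TCP connect times out at the first stage, which is the "safety net" behaviour the post relies on.

```powershell
# Added example, not the post's or Mullvad's code. Assumes Mullvad's in-tunnel proxy at
# 10.64.0.1:1080 (from the post) and a constructed target of example.com:443.
function Test-TunnelSocks {
    param(
        [string]$ProxyHost  = '10.64.0.1',
        [int]   $ProxyPort  = 1080,
        [string]$Target     = 'example.com',
        [int]   $TargetPort = 443,
        [int]   $TimeoutMs  = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: reach the proxy itself. With the tunnel down 10.64.0.1 is unroutable
        # and this is where the call fails; we bound it with a timeout instead of waiting
        # for the TCP stack to give up.
        $async = $client.BeginConnect($ProxyHost, $ProxyPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Stage = 'connect'; Ok = $false; Detail = "no answer from $ProxyHost (tunnel down?)" }
        }
        $client.EndConnect($async)
        $s = $client.GetStream()
        $s.ReadTimeout = $TimeoutMs

        # Stage 2: RFC 1928 greeting. Version 5, one method offered, 0x00 = no authentication.
        # Expected reply: 0x05 0x00 (method accepted).
        $s.Write([byte[]](0x05, 0x01, 0x00), 0, 3)
        $hello = New-Object byte[] 2
        if ($s.Read($hello, 0, 2) -ne 2 -or $hello[0] -ne 5 -or $hello[1] -ne 0) {
            return [pscustomobject]@{ Stage = 'greeting'; Ok = $false; Detail = ('reply {0:X2} {1:X2}' -f $hello[0], $hello[1]) }
        }

        # Stage 3: CONNECT request with ATYP 0x03 (domain name), so the proxy does the DNS
        # lookup inside the tunnel rather than this host doing it outside.
        # Layout: VER CMD RSV ATYP LEN name... PORT(2 bytes, network order)
        $name = [System.Text.Encoding]::ASCII.GetBytes($Target)
        $req  = [byte[]](@(0x05, 0x01, 0x00, 0x03, $name.Length) + $name +
                         @((($TargetPort -shr 8) -band 0xFF), ($TargetPort -band 0xFF)))
        $s.Write($req, 0, $req.Length)
        # Reply: VER REP RSV ATYP BND.ADDR BND.PORT; REP 0x00 means succeeded.
        $rep = New-Object byte[] 10
        $n = $s.Read($rep, 0, 10)
        if ($n -lt 2 -or $rep[1] -ne 0) {
            return [pscustomobject]@{ Stage = 'connect-request'; Ok = $false; Detail = "SOCKS reply code $($rep[1])" }
        }
        return [pscustomobject]@{ Stage = 'done'; Ok = $true; Detail = "${Target}:${TargetPort} reachable through $ProxyHost" }
    } catch {
        return [pscustomobject]@{ Stage = 'error'; Ok = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Test-TunnelSocks | Format-List
```

The Stage field is the useful part: "connect" means the in-tunnel address itself was unreachable (the tunnel is down), while a failure at "connect-request" means the proxy is up but refused or could not reach the target.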
 
We all may have our own wants & needs. I'm a little strange with my PC choices, but it's who I am :cool:
 
So, because I like a challenge, I never stopped looking for a proper way to get this done. I know I'm only talking to myself here, but 23+ years of being active in forums means that if I look up problems, chances are I'm going to come across an old post of mine with the solution.

Here's how I bound my adapter to a particular network SSID. Connect to the network you want, "forgetting" any others. Then open PowerShell and run "Get-NetIPConfiguration." That will give you your current IPv4 address, gateway and current DNS server, all of which should be coming from the router. Configure your router to give you a static IPv4 LAN address. Open Wi-Fi connections and click Properties on the active one. Switch the connection properties from automatic to manual, then enter the PowerShell output (IPv4 mask is usually 255.255.255.0). Then you'll only be able to connect to that Wi-Fi connection, which is a killswitched VPN connection from your router.

This works even with other VPNs that do not offer a local through-VPN socks5 proxy.
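The same adapter binding done with the NetTCPIP cmdlets instead of the Wi-Fi properties dialog, as an added example and not the post's own commands. The adapter alias "Wi-Fi", the 192.168.8.0/24 LAN, the router at 192.168.8.1 and the reserved address 192.168.8.50 are constructed values; use what Get-NetIPConfiguration shows on your own network. The mechanism is that with DHCP off the PC has a usable gateway only on a network where 192.168.8.1 is the router, so any other SSID it joins gives no connectivity; a network that happens to use the same subnet and gateway address would still work, so this is a bind to the router's addressing, not to the SSID itself. Test-StaticLan confirms the pinned gateway is the one actually in use.

```powershell
# Added example, not the post's own commands. Assumes the adapter alias "Wi-Fi" and a
# constructed LAN of 192.168.8.0/24 with the GL.iNet router at 192.168.8.1 handing out
# the reserved address 192.168.8.50; substitute the values Get-NetIPConfiguration shows.
# Run elevated. Set-StaticLan applies the binding, Restore-DhcpLan reverts it.
$Alias   = 'Wi-Fi'
$Ip      = '192.168.8.50'
$Prefix  = 24              # same as a 255.255.255.0 mask
$Gateway = '192.168.8.1'

function Set-StaticLan {
    # Read what DHCP handed out first, so the hard-coded values can be compared to it.
    $cfg = Get-NetIPConfiguration -InterfaceAlias $Alias
    "DHCP currently gives $($cfg.IPv4Address.IPAddress) via $($cfg.IPv4DefaultGateway.NextHop)"

    # Turn DHCP off, clear the leased address and default route, then set ours.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

    # DNS points at the router too, so every lookup goes through its (killswitched) tunnel.
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Gateway
}

function Restore-DhcpLan {
    Remove-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -Confirm:$false -ErrorAction SilentlyContinue
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
}

function Test-StaticLan {
    # The binding only does its job if the gateway we hard-coded is the one in use.
    $gw = (Get-NetIPConfiguration -InterfaceAlias $Alias).IPv4DefaultGateway.NextHop
    [pscustomobject]@{ Interface = $Alias; Gateway = $gw; Pinned = ($gw -eq $Gateway) }
}

Set-StaticLan
Test-StaticLan
```

Reserve 192.168.8.50 for this machine's MAC address in the router's DHCP settings as well, as the post says, so another client on the LAN is never leased the same address.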
 