Accepted Add kill switch to ER605 routers
I have two ER605 routers connected via a client-site L2TP VPN connection. The L2TP client has no problem connecting to the L2TP server in the remote router, but the problem is that if the VPN connection drops, the client will connect to my local internet connection and will reveal my local internet IP address. The ER605 does not have a kill switch (network lock) and, for that reason, I need help to create a kill switch on the client side so that the internet does not work if the VPN connection fails.
Please add the kill switch feature so that there is no need to create it using routing rules, firewall rules, and/or access control rules. That will make vpn safer and make it easier for users.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Rigaro
Rigaro wrote
AsusWRT Merlin has a built-in killswitch that ensures nothing will leak over the WAN connection. This is a very important feature that some ASUS routers have built-in to ensure that all internet traffic goes through the remote ISP. If the VPN fails my devices will not access the internet through my local ISP.
Just to be clear, if I have two ER605 VPN routers, I don't need a solution that implies connecting to 3rd party solutions like Nord VP or Express VPN. I need to be able to do this without any DNS leaks.
I found a solution using routing rules with "only option" and firewall rules to block any access to my local ISP when the VPN is disabled or the remote ER605 modem is down. That solution partially works because there is a 15-second window that allows any tool IP detection tool to detect my local IP. After about 15 seconds, all devices connected to my local ER605 stop accessing the internet until the VPN connection is re-established.
Therefore, there must be a much better way to implement a "kill switch" that avoids the 15-second DNS leak.
An update to this, regarding the issue you reported and the feature request, we plan to optimize this in Q3. The kill switch button is not gonna be available but we will optimize the VPN tunnel switch mechanism to address the problem.
ER605 V2 and ER8411 will be optimized in high priority and following the other models.
Please note that this will involve an adapted firmware, not just a controller update. Firmware development is a complex process, and timelines may change. Therefore, we cannot provide a specific release date at this time. Please stay tuned to future firmware release notes for updates.
When introducing a feature like this, we typically apply it uniformly across all models to ensure consistency and a seamless user experience.
However, it's essential to acknowledge that hardware limitations may exist, which might prevent us from adding the feature to certain models. In such cases, we cannot provide individual notifications explaining the reason. Please note that we cannot guarantee the fulfillment of all requests, and we must set clear expectations upfront.
- Copy Link
- Report Inappropriate Content
Hi @Rigaro
Thanks for posting in our business forum.
Can you point out a brand/vendor that supports this feature on their routers?
MisterW gave the solution by using the Policy Routing. That's the only proper way to use it.
- Copy Link
- Report Inappropriate Content
AsusWRT Merlin has a built-in killswitch that ensures nothing will leak over the WAN connection. This is a very important feature that some ASUS routers have built-in to ensure that all internet traffic goes through the remote ISP. If the VPN fails my devices will not access the internet through my local ISP.
Just to be clear, if I have two ER605 VPN routers, I don't need a solution that implies connecting to 3rd party solutions like Nord VP or Express VPN. I need to be able to do this without any DNS leaks.
I found a solution using routing rules with "only option" and firewall rules to block any access to my local ISP when the VPN is disabled or the remote ER605 modem is down. That solution partially works because there is a 15-second window that allows any tool IP detection tool to detect my local IP. After about 15 seconds, all devices connected to my local ER605 stop accessing the internet until the VPN connection is re-established.
Therefore, there must be a much better way to implement a "kill switch" that avoids the 15-second DNS leak.
- Copy Link
- Report Inappropriate Content
Hi @Rigaro
Thanks for posting in our business forum.
Except for Merlin open-source firmware. Any other vendor like Cisco or UNBT? We don't usually consider them as our competitors as they are more home-oriented. OpenWRT and other open sources as well.
Cisco, UBNT, and Mikrotec are more worthy of consideration and evaluation. Would appreciate it if you could offer some information about that as supplementary info.
- Copy Link
- Report Inappropriate Content
Cisco also has support for a kill switch in some models and if it is not available it is possible to use routing policies and firewall rules to accomplish the same result without any leaks. I can do the same thing with my TPLINK ER605, but the problem is that it leaks my actual IP for 15 to 20 seconds until the routing policies and firewall rules take effect.
Since I have not provided any public reviews about TPLINK, I think that it is time to provide my feedback and this security issue that I found because as a customer I expect that any hardware that I buy will have the expected behaviour regarding security and DNS leak is a very important issue.
This is an issue that affects business and home users and the reason why I bought these routers is that I'm testing different brands to establish connectivity between different locations and I don't want any location to be able to access their local internet connection directly.
- Copy Link
- Report Inappropriate Content
Hi @Rigaro
Thanks for posting in our business forum.
Rigaro wrote
Cisco also has support for a kill switch in some models and if it is not available it is possible to use routing policies and firewall rules to accomplish the same result without any leaks. I can do the same thing with my TPLINK ER605, but the problem is that it leaks my actual IP for 15 to 20 seconds until the routing policies and firewall rules take effect.
Since I have not provided any public reviews about TPLINK, I think that it is time to provide my feedback and this security issue that I found because as a customer I expect that any hardware that I buy will have the expected behaviour regarding security and DNS leak is a very important issue.
This is an issue that affects business and home users and the reason why I bought these routers is that I'm testing different brands to establish connectivity between different locations and I don't want any location to be able to access their local internet connection directly.
I understand that. So the thing you said, Cisco supports that, can you list the models? I searched on Google and I don't find any models mentioning it. All I see is the software that Cisco has. Not their hardware routers.
Confirm your feature request again:
Your VPN usage scenario is to mask your real IP address in a Client-to-Site VPN. You hope that the router should have a kill switch feature on when it works as a client. Correct?
- Copy Link
- Report Inappropriate Content
I may have understood wrong, but someone is clearly asking for a feature, that is absolutely plausible and made it in a very clear way and TPLink is demanding him to give evidence and point others who do that?
Is that it?
TPLink, you're a provider. You have to come up with solutions for people's demands.
If for some reason you're not able to or don't want to, just say it.
I would appreciate a LOT a vpn kill switch integrated and I'm no expert and I don't know about other brands or models.
If you really want me to go there search for other equipment who does that, I can go. If I find, should I buy it too?
- Copy Link
- Report Inappropriate Content
Hi @almeida123
If you don't want to provide, that's fine. I, personally, did not FORCE anyone to give proof or evidence. I need that for the report to the dev and that would be helpful for the dev to learn what others do when it comes to a function you ask. Fact is that I still report it if you don't have it.
This is not open source and everyone can add a line to it and make it functional. In the dev's eye, it's only a project and paperwork needs to be done on a project. It goes through the evaluation and is placed in the requests pool and is pending to be developed.
Usually, a feature that's available on the competitor device would bring the priority and schedule a little bit up.
If you look at every request I replied, I ask this every time because I know how the dev team works. I am working with the tech support and forum, and I am doing my best to provide any information that benefits both people and the dev. But I am not almighty and I don't program so I cannot do anything with your requests but report it. My reports simply reflect how many people want a feature and it could be just a number to the dev if I am not putting something convincing or informational.
Like I said, it takes time for a feature and if it fails the evaluation, that'll not be available. If I have a definite answer to a request that's been denied, I'll let people know.
- Copy Link
- Report Inappropriate Content
since i am not able to post a link, under restoreprivacy dot com, you can find a list of routers that support a kill switch
Among them are business routers like ASUS for example.
Please get this security issue fixed ASAP.
Thank you
- Copy Link
- Report Inappropriate Content
Hi @tmp-link
tmp-link wrote
since i am not able to post a link, under restoreprivacy dot com, you can find a list of routers that support a kill switch
Among them are business routers like ASUS for example.
Please get this security issue fixed ASAP.
Thank you
Thank you for your feedback and post. We have forwarded your request to our developer team for evaluation.
To stay updated on firmware releases, we recommend subscribing to the pinned thread on the related page or regularly checking our official website where new releases are typically announced promptly.
Please note that all requests undergo thorough evaluation by our developer team before being added to the roadmap. This process may take some time, so please be patient if you don't see immediate results. Features with lower priority or fewer user reports might experience delays in implementation as we gather more feedback.
It is important to understand that submitting a request does not guarantee its implementation; only requests that pass the evaluation will be considered for inclusion in future updates.
- Copy Link
- Report Inappropriate Content
I have the same issue.
The topology is very simple 2 omadas (headquarters and branch) , one of them is L2TP server the other is client. Everything works perfectly, the branch can navigate on internet through the tunnel (it is good because I want to control the navigation and other things of the branch office).
When the tunnel is down, the branch office can navigate standalone just for 15 sec , the problem from my point of view is the policy routing.
I called Customer Support and they suggested me to using the controller , it was a nightmare, the UI is better.
Does someone find a fix to this issue? it is a SECURITY BUG
- Copy Link
- Report Inappropriate Content
Information
Helpful: 7
Views: 2999
Replies: 23