Help setting up a kill switch

[stankovic]

I use firefox portable with my softether and I would like to set a kill switch. Normally when using regular firefox, I can easily set a kill switch using firewall properties (inbound and outbound connections), however this rule doesn't apply to firefox portable, I have tried numerous times but it just wouldn't work. I would be grateful if someone could suggest a kill switch setting or app that can help cut off all connection in case of IP leak.

[cedar]

Simply, you should remove the default gateway for ISP.

[ray5450]

If you mean to do this, while Softether is connected: route delete 0.0.0.0
...what this will do is remove internet access for Softether, even though Softether appears still connected.

Does anyone have the real answer?

[cedar]

When multiple default gateways are defined, please specify the gateway parameter if you want to remove only one.

[ray5450]

The table has only one entry for 0.0.0.0, which is the one and only default, right?

[cedar]

If successful, you should have at least two default gateways defined, one for the physical network and one for the VPN side network.

[ray5450]

Are "the default gateway for ISP" and "the physical network" referring to the same?

[cedar]

There may be a home router between the physical network and the ISP router, so it's not exactly the same, but you can think of it as about the same.

[ray5450]

"If successful, you should have at least two default gateways defined, one for the physical network and one for the VPN side network."
--What do you mean by "successful"?

[cedar]

If a new Internet connection is provided using a VPN, you probably have a default gateway or an equivalent split route.
The split path may be provided, for example, in the form of a netmask of 1.0.0.0.

[ray5450]

When Softether VPN is not connected, here is my route table:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.52 20
10.0.0.0 255.255.255.0 On-link 10.0.0.52 276
10.0.0.52 255.255.255.255 On-link 10.0.0.52 276
10.0.0.255 255.255.255.255 On-link 10.0.0.52 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.52 276
255.255.255.255 255.255.255.255 On-link 10.0.0.52 276

When Softether VPN is connected, here is my route table:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.238.254.254 10.238.20.116 20
10.0.0.0 255.255.255.0 On-link 10.0.0.52 276
10.0.0.52 255.255.255.255 On-link 10.0.0.52 276
10.0.0.255 255.255.255.255 On-link 10.0.0.52 276
10.238.0.0 255.255.0.0 On-link 10.238.20.116 276
10.238.20.116 255.255.255.255 On-link 10.238.20.116 276
10.238.255.255 255.255.255.255 On-link 10.238.20.116 276
75.75.75.75 255.255.255.255 10.0.0.1 10.0.0.52 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
219.100.37.86 255.255.255.255 10.0.0.1 10.0.0.52 20
224.0.0.0 240.0.0.0 On-link 10.0.0.52 276
255.255.255.255 255.255.255.255 On-link 10.0.0.52 276


What should be changed such that when VPN disconnects, ISP will not connect?

[flygun]

1, delete default route before SE Client connect to server

Code: Select all

#windows admin terminal
route delete 0.0.0.0
#linux 
sudo ip route delete default

2, add youre SE Server's IP to the route , so you can not go anywhere except you SE server.

Code: Select all

#windows admin terminal (supose your ADSL router gatway ip 192.168.0.1 ,  xxx.xxx.xxx.xxx is youre SE server IP)
route add xxx.xxx.xxx.xxx/32 192.168.0.1
#linux 
sudo ip route add xxx.xxx.xxx.xxx/32 via 192.168.0.1

3, start your SE client connect, when SE client connected, it will add 0.0.0.0 to a gateway by SE Server, so you can go internet by SE Server

4, when SE client disconnect , It will delete 0.0.0.0, and you can not go any where except you SE server.

[flygun]

5, when you need go out by you ISP , just add default gateway to your 192.168.0.1

Code: Select all

#win
route add 0.0.0.0/0 192.168.0.1
#or
route add 0.0.0.0 mask 0.0.0.0 192.168.0.1
#linux
sudo ip route add default via 192.168.0.1
#or 
sudo ip route add 0.0.0.0/0 via 192.168.0.1

[ray5450]

(I am sorry that the tables I posted are not spaced in a very readable way. I had them spaced, but after posting, the spaces were removed (?).)

Doggone! It worked! Thank-you. I have been waiting a long time for that, as evidenced in the other thread.



I had been expecting to use a batch file for this, but that can't be since the host IP is variable and must be manually typed each time.

[ray5450]

Important:

I would add here that if the connection is a wireless connection/router, disable auto-reconnect in Windows (etc). I would not think it could, but mine somehow reconnects unless I disable auto-reconnect.

[solo]

Important:

I would add here that if the connection is a wireless connection/router, disable auto-reconnect in Windows (etc). I would not think it could, but mine somehow reconnects unless I disable auto-reconnect.

Important #2

- in VPN connection properties check "No Adjustments Of Routing Table" https://www.vpnusers.com/viewtopic.php? ... 682#p98542

[ray5450]

I found the "no adjustments" setting.

What is it that this does, or prevents? Thanks.

[solo]

It prevents SoftEther from automatic reinstatement of the original default gateway when VPN connection breaks later for any reason, which would kill YOUR kill switch.

[ray5450]

Does the Windows setting accomplish the same effect?

Is doing both optional or necessary (as compared to one of either)? ...or is doing both all the better?

Is the SE setting better?

Thanks.

[solo]

On SE Linux do as advised earlier.

On SE Windows do both. Analyze your routing table before and during VPN connection, then prepare specific kill switch batch files. This is easy for VPN to your own server but for VPN Gate you'll need lots of batch files.

[ray5450]

Yes, I know how to do it just fine. That was not my question, but thanks.

[solo]

Alright, here is a short version - unless you check "No Adjustments Of Routing Table", whatever you do ain't a kill switch.

[ray5450]

Thanks.

I do not disagree with you. I only was wondering what the difference is between the final effect of disabling Windows auto-reconnect and SE "No Adjustments Of Routing Table".

[ray5450]

When I try to check "No Adjustments Of Routing Table", and then close/save the setting, the following error displays:
"Unacceptable operation. Use the VPN Gate Utility to modify the connection setting for VPN Gate Public VPN Relay Servers."

I have searched the web, the site, and the forum and do not find anything as to a "VPN Gate Utility".

?

[solo]

Use the standard "SoftEther VPN Client Manager" and connect like eg:

host: public-vpn-185.opengw.net/tcp
port: 443
vhub: VPNGATE
user: vpn
pass: vpn

"No Adjustments Of Routing Table" OK

[ray5450]

After doing so, how then, would I connect to a server on the SE server list?

[solo]

The list https://www.vpngate.net/en/
and do not use vpngate-client, use softether-vpnclient

[ray5450]

I would add here that if the connection is a wireless connection/router, disable auto-reconnect in Windows (etc). I would not think it could, but mine somehow reconnects unless I disable auto-reconnect.

This is a copy of my above post. Why did you repost it?

[ray5450]

The list https://www.vpngate.net/en/
and do not use vpngate-client, use softether-vpnclient

I'm not sure what you are saying.

Here is a narrative of what I am seeing.

In installed software, is listed "Softether VPN Client Manager". I opened this. Next, under the top Menu item "Connect", there is a drop down item, "New VPN Connection Setting". I opened this, and is where I entered/changed the settings that you previously posted. After saving ("OK"), it closes, and a new entry line appears which says:
"New VPN Connection" "Offline" "public-vpn-185.opengw.net/tcp(Direct TCP/IP Connection)" "VPNGATE" "VPN"
The entry above this line is called "VPN Gate Public VPN Relay Servers", which opens the list of servers.
Is this correct, so far?

If so...
If I then open the list of servers under "VPN Gate Public VPN Relay Servers", and connect to one, the "New VPN Connection" for which you supplied the settings for, says "Offline". Should it?

I then asked you, "how then, would I connect to a server on the SE server list?"

You offered the list of servers as listed on a webpage, and said, "do not use vpngate-client, use softether-vpnclient".
I would think that "softether-vpnclient" is the same as "Softether VPN Client Manager"?

[solo]

It's drifting off topic. Everything is already described.

Yes, I know how to do it just fine.

Proceed.

[ray5450]

Off topic?? Everything I said is in regard to setting this "kill switch" to work using the information you mention, and the topic name is indeed "help setting up a kill switch". Please, explain how my asking whether the software settings you provided were implemented correctly, whether it should say "offline", what is its relation to the relay servers, and whether we are referring to the same software, are "off topic".

Further, this whole forum is about assisting with this software. One issue that relatedly leads to another all in regard to SE could not be off topic. If I asked for a recipe for chocolate cake, that would be off topic.

"Yes, I know how to do it just fine."--This was in response to changing the route table in command line. I am not asking about that.

Are you, in fact, understanding what I asked in my previous post?

[solo]

Are you, in fact, understanding what I asked in my previous post?

Of course. I do not write tutorials.

[ray5450]

No one asked you to. A "tutorial" is not the answering of a few questions.

Since you understand my questions and apparently refuse to answer, what, indeed, is the purpose of this forum if not to help people with this software?

Maybe you need me to ask one question at a time. Were the software settings you provided, implemented correctly as I described it to you? (that would be a yes, or no)

[ray5450]

Maybe you misunderstand me, when I said, "After doing so, how then, would I connect to a server on the SE server list?"

I have used this software for many years. I know how to connect to these servers, but have only done so through, what I believe to be called the host list plugin. I here emphasize from above, "AFTER doing so..." (meaning from previous post, after changing the settings).

I believe I have figured this out. I can replace the host you offered (public-vpn-185.opengw.net/tcp) with any of the servers on the list. Correct?

[ray5450]

From previous post: "I believe I have figured this out. I can replace the host you offered (public-vpn-185.opengw.net/tcp) with any of the servers on the list. Correct?"

Is this true? Please, answer yes or no.

[solo]

yes