VPN killswitch in ROS7

I am trying to implement a killswitch for ProtonVPN IPsec setup. However, their guide provides commands only for ROS6. So I am trying to translate these for ROS 7.1:

/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes

I came up with something like this:

/routing table add name=protonvpn_blackhole fib
/ip firewall mangle add chain=prerouting src-address-list=10.0.20.0/24 action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes

However, it doesn't seem to work: when the VPN is down, I am still able to access the internet using my ISP's IP and DNS. Do you have any suggestions on how to better translate the recommended killswitch from ROS6 to 7.1?

I would remove the default route going to your ISP. Set a single route for the VPN server.

With the default route set for the VPN, no other traffic will have a route if the VPN is down.

Removing other src-nat rules so that only the VPN’s interface src-nat rule provides NAT would work too.

If you remove the default gateway then IKEv2 also stops working, because it also uses that to make its connection.

Did you manage to translate it to ROS7 successfully? I also have this problem.

Sorry, I didn’t receive any notification about new posts in this discussion. I contacted ProtonVPN and here is what they sent me, which seems to work fine:

/interface bridge add name=protonvpn_blackhole protocol-mode=none
/routing table add name=protonvpn_blackhole fib
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip route add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole

You have src-address-list=10.0.20.0/24 there, and it should be src-address=10.0.20.0/24.

Unfortunately this didn't work for me. Adding this snippet prevents clients from communicating through IPsec at all. If I disable the mangle line, it instantly works again. I have no clue about this. ROS 7.4 on RB4011.

Has there been any update on this? I would like to implement the same thing

Not sure why you need a killswitch; if traffic doesn't have a route out the local WAN it ain't going to leak. But in any case,
conceptually speaking what you need to do is configure this in routes using distance separation, at least I think.

so
/routing table
add fib name=protonvpn

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=VPN-gateway routing-table=protonvpn distance=1
add blackhole dst-address=0.0.0.0/0 routing-table=protonvpn distance=2
# a blackhole route takes no gateway; with distance=2 it only wins once the distance=1 VPN route fails its check-gateway ping

Now what is not known is how you are forcing or directing subnet traffic to the VPN??
I will assume by routing rules and then mangles
/routing rule
add min-prefix=0 action=lookup-only-in-table table=main
add src-address=subnet-to-ONLY-VPN action=lookup-only-in-table table=protonvpn

if by mangling…

/ip firewall address-list
add address=local-SubnetA list=connected
add address=local-SubnetB list=connected
add address=local-SubnetC list=connected
/ip firewall mangle
add chain=prerouting action=accept src-address-list=connected dst-address-list=connected
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=subnet-For-Only-VPN new-connection-mark=to-VPN passthrough=yes
add chain=prerouting action=mark-routing connection-mark=to-VPN new-routing-mark=protonvpn passthrough=no

and of course adjust fasttrack rule
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark

Hello Anav,

many thanks for your quick answer! Unfortunately I am not able to understand everything you wrote.

Not sure why you need a killswitch; if traffic doesn't have a route out the local WAN it ain't going to leak. But in any case,

Because if the tunnel goes down, there will be leaking. I tried to stop the VPN and the internet connection is still working, hence the IP address and location are exposed.

Now what is not known is how you are forcing or directing subnet traffic to the VPN??
I will assume by routing rules and then mangles

I have followed and implemented this guide:
https://support.nordvpn.com/hc/en-us/articles/20398642652561-MikroTik-IKEv2-setup-with-NordVPN

No, there is no mangle in this guide.
Furthermore:

local-SubnetA, local-SubnetB, local-SubnetC - I think those addresses could change. I prefer to have a configuration which will work regardless of the VPN Server I connect to and regardless of the ISP or SIM card which I insert into the router.

Many thanks!
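For readers assembling a working RouterOS 7 killswitch from the pieces in this thread, here is an added example (it is not ProtonVPN's or NordVPN's configuration and not code from any post above). It combines the empty-bridge route and routing table from the ProtonVPN reply, the list-name fix pointed out for the mangle rule, the fasttrack exclusion Anav mentions, and a forward-chain drop as a safety net. Assumed names and values: the VPN-only clients live in 10.0.20.0/24, the IPsec mode-config uses the address list under_protonvpn, the ISP uplink is in the default interface list WAN, and a default-configuration fasttrack rule with the comment "defconf: fasttrack" exists.

```routeros
# Added example, not from the thread or from any VPN provider's guide.
# Assumptions: VPN-only clients in 10.0.20.0/24, address list "under_protonvpn",
# ISP uplink in interface list "WAN", defconf fasttrack rule present.

# 1. The subnet that must never reach the internet outside the tunnel.
/ip firewall address-list
add list=under_protonvpn address=10.0.20.0/24 comment="VPN-only clients"

# 2. A bridge with no ports. Routing a packet to it sends it nowhere, but the
#    packet still passes the IPsec policy check, so an UP tunnel encrypts it;
#    a plain blackhole route would discard it before IPsec ever sees it.
/interface bridge
add name=protonvpn_blackhole protocol-mode=none

# 3. A separate routing table whose only route points at that empty bridge.
/routing table
add name=protonvpn_blackhole fib
/ip route
add dst-address=0.0.0.0/0 gateway=protonvpn_blackhole routing-table=protonvpn_blackhole comment="VPN-only: nowhere to go without IPsec"

# 4. Steer the subnet's traffic into that table. The match is on the list
#    name (src-address-list=under_protonvpn), not on a prefix. Traffic to the
#    router itself (DNS, WinBox) is left alone via dst-address-type=!local.
/ip firewall mangle
add chain=prerouting src-address-list=under_protonvpn dst-address-type=!local action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes comment="VPN-only clients"

# 5. Fasttracked packets skip mangle, so keep this subnet out of fasttrack;
#    otherwise established flows would bypass the routing mark.
/ip firewall filter
set [find comment="defconf: fasttrack"] src-address-list=!under_protonvpn

# 6. Safety net: even if the mangle rule is disabled or bypassed, never
#    forward this subnet's packets out the WAN without an IPsec policy.
add chain=forward src-address-list=under_protonvpn out-interface-list=WAN ipsec-policy=out,none action=drop comment="VPN killswitch" place-before=0
```

Two caveats to check after applying this. If the VPN-only clients must also reach other LAN subnets, an accept rule for those destinations has to sit before the mark-routing rule, as in Anav's connected-to-connected example; otherwise that traffic is routed into the empty bridge too. And the router's own upstream DNS and NTP queries originate on the router (output chain), so a prerouting rule on a LAN subnet never touches them: clients that use the router as their DNS forwarder will still have queries leave via the ISP unless the router's resolver is pointed at a server reachable only through the tunnel.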