VPN kill switch not working - or I'm testing incorrectly

I’m trying to test my kill switch. I disable the Local under Wireguard and try to curl an IP. I don’t see any blocks in the logs but I do see tons of allows based on the LAN rule. Here are my configs:

LAN side:
https://imgur.com/a/zKLXWyX

Floating/WAN side:

https://imgur.com/a/Y5Wz7P6

The Floating/WAN rule is the top rule under Floating so it’s not a matching order issue.

If these look right, how can I test this?

Looks pretty good to me. The only difference is that I set the direction to ‘any’ on the floating rule for extra catching.

Also, make sure that “Skip rules when gateway is down” is checked in Firewall → Settings → Advanced. Otherwise, the LAN rule forcing the traffic to route through the VPN gateway will be skipped and traffic passed to the default when the VPN gateway is detected as down.

To test, just add your PC’s IP address to the alias list ‘AirVPN_US_Hosts’ and check your IP address using something like: https://dnscheck.tools/ with the WG gateway up and down.
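The up/down check described in that reply can be turned into a small, repeatable probe. The script below is an added example and is not from this thread or from OPNsense; it assumes `curl` against a "what is my IP" service (https://api.ipify.org is used as a placeholder, any equivalent works) and classifies each probe: with the VPN gateway down, any successful reply is a leak; with it up, a reply that does not come from the expected VPN exit IP means the LAN rule was bypassed via the default gateway. The IPs in the comments are constructed documentation addresses, not real endpoints.

```shell
#!/bin/sh
# Added example (not from the thread): classify one kill-switch probe.
# Arguments:
#   $1  VPN gateway state as you set it for the test: "up" or "down"
#   $2  exit status of the probe command (curl: 0 = reply received,
#       7 = could not connect, 28 = timed out)
#   $3  IP address the probe returned (empty if the probe failed)
#   $4  the VPN exit IP you expect to see while the tunnel is up
# Prints OK / LEAK / FAIL and returns 0 only for OK.
kill_switch_verdict() {
  vpn_state=$1; curl_rc=$2; observed_ip=$3; expected_vpn_ip=$4
  case "$vpn_state" in
    down)
      # Tunnel down: the floating block rule must stop the probe entirely.
      if [ "$curl_rc" -eq 0 ]; then
        echo "LEAK: VPN down but probe reached the Internet via ${observed_ip:-unknown}"
        return 1
      fi
      echo "OK: VPN down and probe was blocked (probe exit $curl_rc)"
      return 0 ;;
    up)
      # Tunnel up: the probe must succeed AND egress through the VPN exit.
      if [ "$curl_rc" -ne 0 ]; then
        echo "FAIL: VPN up but probe did not complete (probe exit $curl_rc)"
        return 2
      fi
      if [ "$observed_ip" != "$expected_vpn_ip" ]; then
        echo "LEAK: VPN up but traffic egressed via $observed_ip, not $expected_vpn_ip"
        return 1
      fi
      echo "OK: traffic egressed via VPN exit $observed_ip"
      return 0 ;;
    *)
      echo "usage: kill_switch_verdict up|down probe_rc observed_ip expected_vpn_ip"
      return 64 ;;
  esac
}

# Live probe from a host that is in the AirVPN_US_Hosts alias (needs network).
# Usage: run_probe down 198.51.100.9   (after disabling the WG gateway)
#        run_probe up   198.51.100.9   (after re-enabling it)
run_probe() {
  ip=$(curl -s --max-time 5 https://api.ipify.org); rc=$?
  kill_switch_verdict "$1" "$rc" "$ip" "$2"
}
```

Run `run_probe down <vpn-exit-ip>` with the gateway disabled and `run_probe up <vpn-exit-ip>` with it enabled; a LEAK in either state means the LAN "pass" entries you see in the log are carrying traffic out the default gateway, and a FAIL in the up state means the tunnel itself is not routing rather than the kill switch misbehaving.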

That seems wrong - did you mean that it is “unchecked” as we want the LAN rule to be used, right? Though this sure seems like the right answer. The language in the help is a bit sideways so I want to be sure.

By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway

The part in bold is sort of confusing gibberish.

Edit: I think I get it - it’s saying it creates a new rule to intercept and put out the default gateway. Which is bizarre, as if I force a failure of the VPN/gateway, traffic seems to black hole.

I do mean ‘checked’. It’s a terribly worded setting. As I understand, checking makes it skip the auto-generated rules to send to the default gateway. So yes, I wish this description was changed to something less confusing.
I like to think of the setting when checked as: “Don’t create any new rules to send traffic to the default gateway.”

Excellent. I’ll try it. Thank you. I had no idea this setting existed. It’s also not mentioned here where they mention a kill switch…

The more I think about it, it might not be required anyway. Even if that tagged traffic tries to exit the default GW, your floating rule should still be able to catch it.
I do think changing the direction of the floating rule to ‘any/both’ instead of just ‘out’ is the key here.