OpenVPN killswitch, problem with pfctl
-
Hello!
I created a simple killswitch for OpenVPN: when a client is connected it allows internet connection for LAN users; when the client is disconnected, access is denied.
I got a strange problem with state killing. When the script works from OpenVPN it can't kill all states, so some LAN connections that are active still work when the VPN client is disconnected.
How it works:
In OpenVPN server Custom options:
script-security 3 system;
client-connect /usr/local/sbin/up.sh;
client-disconnect /usr/local/sbin/down.sh;
up.sh:
#!/bin/sh
/usr/local/bin/easyrule unblock lan 192.168.56.0/24
/sbin/pfctl -k 192.168.56.0/24
down.sh:
#!/bin/sh
/usr/local/bin/easyrule block lan 192.168.56.0/24
/sbin/pfctl -k 0.0.0.0/0
/sbin/pfctl -k 192.168.56.0/24
It works as needed, but the pfctl command works really strangely from OpenVPN. When I run the up/down scripts from the console they kill all states without any problem. When the VPN client is disconnected some states remain intact (I know that the pfctl command is executed, because I get disconnected from SSH, but ping on the test machine is going without interruptions).
What am I missing here? :)
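As an added example (not the poster's scripts and not part of pfSense or OpenVPN), here is a down.sh for the setup in this post that keeps the same easyrule and pfctl -k commands but records in the system log how many states for 192.168.56.0/24 are still in the state table after the kill, and how many of those are NATed, so the surviving states can be inspected instead of inferred from a ping. Assumed: the same paths as in the post, a /24 LAN, and logger(1) on the system.

```shell
#!/bin/sh
# Added example client-disconnect hook for the killswitch described above.
# It blocks the LAN and kills states like the post's down.sh, then logs the
# number of states that still reference the LAN network (assumptions:
# pfSense paths as in the post, LAN is 192.168.56.0/24, logger(1) exists).
set -u

LAN_NET="192.168.56.0/24"
LAN_PREFIX="192.168.56."     # assumption: a /24, so a string prefix identifies it
PFCTL=/sbin/pfctl
EASYRULE=/usr/local/bin/easyrule

# Count `pfctl -ss` lines (read from stdin) that mention the LAN network on
# either side of the state. Reading stdin lets the same function run over a
# saved dump as well as the live table.
lan_state_count() {
    awk -v p="$LAN_PREFIX" 'index($0, p) { n++ } END { print n + 0 }'
}

# Of those, count the states where the LAN address appears in parentheses,
# which is how pf prints the pre-translation address of a NATed state
# (e.g. outbound NAT over the tunnel).
lan_nat_state_count() {
    awk -v p="$LAN_PREFIX" 'index($0, "(" p) { n++ } END { print n + 0 }'
}

main() {
    before=$("$PFCTL" -ss 2>/dev/null | lan_state_count)
    "$EASYRULE" block lan "$LAN_NET"
    "$PFCTL" -k 0.0.0.0/0        # same two kill commands as the post's down.sh
    "$PFCTL" -k "$LAN_NET"
    dump=$("$PFCTL" -ss 2>/dev/null)
    after=$(printf '%s\n' "$dump" | lan_state_count)
    nat=$(printf '%s\n' "$dump" | lan_nat_state_count)
    logger -t openvpn-killswitch \
        "client-disconnect: LAN states before=$before after=$after (NATed=$nat)"
    # Keep the survivors in the log too, so they can be compared with what
    # pfctl -k was told to match.
    [ "$after" -gt 0 ] && printf '%s\n' "$dump" | grep -- "$LAN_PREFIX" | \
        logger -t openvpn-killswitch
    return 0
}

# OpenVPN runs this file as /usr/local/sbin/down.sh; under any other name
# (e.g. sourced for testing) only the functions are defined.
case "$(basename -- "$0")" in down.sh) main ;; esac
```

Check the result with `clog /var/log/system.log | grep openvpn-killswitch` (or the GUI system log) after a client disconnects.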
-
What I use as a kill switch is a firewall rule that blocks all traffic on the WAN interface.