Recently I wanted to set up an always-on VPN tunnel for downloading and seeding torrents. It also had to have a “kill switch” in the event the VPN was disconnected. I wanted this done at the router/firewall so I could manage the traffic going through the VPN seamlessly and would not have to mess around with individual VPN clients installed on end devices.
I personally use Untangle for my router/firewall because I like it much more than pfSense. Just a personal preference. Unfortunately all the “whole home” VPN guides seem to be written for pfSense and not Untangle. Because of this I wanted to write a guide on how I did this with Untangle. Hopefully this helps someone else out.
- Untangle firewall
- “Tunnel VPN” app installed on Untangle
- VPN provider
Setting Up the Tunnel
1. Log in to your Untangle firewall configuration page.
2. Click Apps at the top of the page.
3. Click “Tunnel VPN”. You may need to install this app.
4. Once in the Tunnel VPN app, click the Tunnels tab.
5. Click Add at the top left of the Tunnel VPN page.
6. Pick your VPN provider type and enter the information for your VPN provider. Then click Save.
7. You can check whether you were successful by clicking the Status tab and checking whether the newly added tunnel is connected. Below you can see one tunnel that is connected and another that is disconnected.
8. Now that we have a VPN tunnel we can go to the Rules tab and configure which traffic will be sent out of this tunnel. Click Add at the top of the page again. Give the rule a name. Click Add Condition. Source interface or source address is the easiest to manage. Then select your VPN tunnel at the bottom.
In my use case I want all traffic from “vlan5” (source interface) to go out “tunnel canada”, as seen in the picture below.
9. At this point you can test whether Untangle is routing traffic through the VPN by visiting https://www.whatismyip.com/
Below is a screen grab from an Ubuntu VM that I have set to use vlan5. I do not live in Canada, nor is my ISP Amanah Tech Inc. Also note the ad for Crave TV; Crave TV is not available in the US.
Setting Up the Kill Switch
Now we are basically going to create a firewall rule that says: if traffic from “here” wants to go out “here”, block it. In my case I want all traffic from “vlan 5” to go out “tunnel-Canada”. So I created a rule that says anything from “vlan 5” that wants to go out the destination interface “casey nic” (my WAN card), i.e. the WAN, is blocked. You can see the rule in the picture below. This creates a kill-switch effect because the only ways for traffic to exit the router are via the WAN or the VPN. If the VPN goes down, I am not allowing traffic to exit via the WAN.
Creating the Firewall Rule
- Click on apps at the top of the page.
- Click Firewall.
- Click add.
- Click Add Condition. Choose source interface first and select the same source you chose when setting up the VPN tunnel. Then click Add again and choose destination interface. Choose your WAN for this. Then select the action type Block.
- Click done.
- Click save.
To test whether your kill switch works, turn off the Tunnel VPN app. Then visit https://www.whatismyip.com/ again. If this or any other website loads and you are still connected to the internet, something is wrong.
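The two manual checks above (step 9 and the kill-switch test) can be scripted so you can re-run them after any firewall change. The following shell script is an added example, not part of the original post or of Untangle. It is meant to run from a host on the VPN-only VLAN (like the author's Ubuntu VM on vlan5). It assumes a constructed placeholder for your home ISP address, uses https://api.ipify.org because that service returns the bare public IP (the post uses whatismyip.com, which returns an HTML page), and classifies each run as ok (left via the tunnel), leak (left via the WAN) or blocked (nothing got out, which is what the kill switch should produce with the tunnel off).

```shell
#!/bin/sh
# Added example (not from the original post): checks tunnel routing and the
# kill switch from a host on the VPN-only VLAN.
# Assumptions: HOME_ISP_IP is a constructed placeholder for your WAN address
# with the VPN off; api.ipify.org is used only because it returns a bare IP.

HOME_ISP_IP="203.0.113.5"   # constructed placeholder, replace with your real WAN IP

# classify_egress ISP_IP OBSERVED_IP CURL_RC
# Prints one of:
#   ok      - lookup succeeded and the address is not the ISP one (tunnel in use)
#   leak    - lookup succeeded and the ISP address was seen (traffic left via WAN)
#   blocked - lookup failed or returned nothing (kill switch holding, or no route)
classify_egress() {
    isp="$1"; observed="$2"; rc="$3"
    if [ "$rc" -ne 0 ] || [ -z "$observed" ]; then
        echo blocked
    elif [ "$observed" = "$isp" ]; then
        echo leak
    else
        echo ok
    fi
}

# expect_state WANTED ACTUAL: succeeds only when both match (drives the exit code)
expect_state() {
    [ "$1" = "$2" ]
}

# lookup_ip: one public-address lookup; prints the IP, returns curl's status
# (non-zero when the kill switch blocks the request or the timeout expires)
lookup_ip() {
    curl -s --max-time 5 https://api.ipify.org
}

# main MODE
#   tunnel-up   - Tunnel VPN app on: expect "ok"   (step 9 of the post)
#   tunnel-down - Tunnel VPN app off: expect "blocked" (kill-switch test)
main() {
    mode="${1:-tunnel-up}"
    case "$mode" in
        tunnel-up)   wanted=ok ;;
        tunnel-down) wanted=blocked ;;
        *) echo "usage: $0 [tunnel-up|tunnel-down]" >&2; return 2 ;;
    esac
    observed="$(lookup_ip)"; rc=$?
    state="$(classify_egress "$HOME_ISP_IP" "$observed" "$rc")"
    echo "mode=$mode observed=${observed:-none} state=$state"
    if expect_state "$wanted" "$state"; then
        echo "PASS"
    else
        echo "FAIL: expected $wanted (a 'leak' with the tunnel off means the block rule is not matching)" >&2
        return 1
    fi
}

# The live check needs the network, so it only runs when explicitly requested:
#   KILLSWITCH_LIVE=1 sh check.sh tunnel-up
#   KILLSWITCH_LIVE=1 sh check.sh tunnel-down   (after turning off the Tunnel VPN app)
if [ "${KILLSWITCH_LIVE:-0}" = 1 ]; then
    main "$@"
fi
```

Run it once with the tunnel up and once after turning off the Tunnel VPN app, as the post describes; a "leak" result in the second run means the vlan-to-WAN block rule is not matching the traffic.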