Business CommunityGatewaysVPN Kill Switch or work around.
Gateways

VPN Kill Switch or work around.

VPN Kill Switch or work around.

VPN Kill Switch or work around.
VPN Kill Switch or work around.
Yesterday - last edited Yesterday
Tags: #VPN
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.5.18 Build 20260506 Rel.79588 (Stable)

I am trying to set up a VPN kill switch for specific VLANs/networks on my Omada setup.

My goal is:

  • IOT
  • Work Bench
  • 3D-Printers

These networks should use my Omada VPN Client connection to ProtonVPN only.

What I want:

  • If the VPN Client is connected, those networks should have internet through the VPN.
  • If the VPN Client disconnects, is disabled, or fails, those networks should have no internet access.
  • I do not want those networks to fall back to my normal WAN connection.

Current Omada hardware and firmware:

  • Gateway: ER707-M2 v1.0 — Firmware 1.4.2
  • Main Switch Multi-Gig PoE++: SG3428XPP-M2 v1.20 — Firmware 1.20.26
  • Bedroom AP WiFi 7: EAP775-Wall(US) v1.0 — Firmware 1.0.5
  • Living Room WiFi 7: EAP723(US) v2.0 — Firmware 1.2.2
  • Outdoor AP: EAP225-Outdoor(US) v3.0 — Firmware 5.2.3
  • Rack Wall WiFi 7: EAP725-Wall(US) v1.0 — Firmware 1.2.2

Current VPN setup:

  • VPN Client configured with OpenVPN / ProtonVPN
  • VPN Client local networks selected:
    • IOT
    • Work Bench
    • 3D-Printers

The VPN routing works normally when the VPN is connected.

The issue is trying to create a kill switch.

I tried creating a Gateway ACL:

  • Direction: LAN → WAN
  • Policy: Deny
  • Protocols: All
  • Source: IOT, Work Bench, 3D-Printers
  • Destination: IPGroup_Any

But when that rule is enabled, it kills all internet access for those networks even when the VPN Client is connected. So it appears Omada still treats the VPN traffic as LAN → WAN, and the ACL blocks the VPN-routed traffic too.

I also checked Policy Routing, but it only lets me select physical WAN ports such as:

  • 2.5G WAN1
  • WAN/LAN3

It does not show the VPN Client tunnel, such as ProtonVPN_US, as a selectable route/interface.

So my question is:

Is there a supported way in Omada to make selected local networks/VLANs use the built-in VPN Client only, and block them from falling back to the normal WAN if the VPN goes down?

Basically, I need a true VPN kill switch for Omada VPN Client local networks.

If this is not currently supported, please confirm. It would be a very useful feature to have, such as:

  • “Block traffic if VPN Client disconnects”
  • “Do not fall back to WAN”
  • Policy Routing destination/interface option for VPN Client tunnels
  • ACL matching based on outbound interface/VPN tunnel

Thanks.

  0      
0
#1
Options
2 Reply
Re:VPN Kill Switch or work around.
Yesterday

Hi  @pwnjuic3 

 

Thanks for posting here. 

Currently, OpenVPN does not support this scenario. It is recommended that you configure an PPTP or L2TP VPN combined with policy routing to achieve this.

Controller v6.2 VPN Overview

 

How to configure Policy Routing on Omada Gateway

Wish you a happy life and smooth network usage!  Help Us Improve - Omada AP Installation Guide >Get the Latest Omada SDN Controller Releases Here< >Get the Latest Firmware Releases for Omada Routers Here< >Experience the Latest Omada EAP Firmware<
  0  
0
#2
Options
Re:VPN Kill Switch or work around.
Yesterday

  @Vincent-TP 

 

Thanks for the reply.

That confirms the issue I was seeing with OpenVPN Client.

In my case I am using ProtonVPN, and ProtonVPN does not support PPTP or L2TP/IPsec. They only support modern protocols such as OpenVPN and WireGuard, so the suggested PPTP/L2TP workaround will not work with my VPN provider.

Can you confirm whether this same kill-switch / no-WAN-fallback behavior is possible with WireGuard VPN Client on Omada?

What I need is:

  • Selected local networks/VLANs use the VPN Client only
  • If the VPN Client disconnects or fails, those VLANs lose internet
  • They must not fall back to the normal WAN

If this is not currently supported for OpenVPN or WireGuard VPN Client, can this be submitted as a feature request?

Suggested feature:

  • “Block traffic if VPN Client is disconnected”
  • “Do not allow VPN Client local networks to fall back to WAN”
  • Allow VPN Client tunnels such as OpenVPN/WireGuard to be selected in Policy Routing
  • Allow ACL rules to match outbound VPN/WAN interface

Thanks.

  0  
0
#3
Options

Information

Helpful: 0

Views: 121

Replies: 2

Tags

VPN