Is KillSwitch for UniFi broken with WireGuard VPN client?

I’ve configured a WireGuard VPN, and a PBR rule to send all traffic from one specific network over that VPN.

This works great when the VPN is up, but no matter what I do I can’t get the killswitch to work, and any time the VPN goes down, traffic reverts to the default gateway.

  • I’ve tried pausing the VPN (though I saw the short to say this wouldn’t work).
  • I’ve tried blocking access to the VPN endpoint, which also prevents the VPN from coming up and again I see traffic fall back to the default gateway.
  • I’ve tried using incorrect settings in the WireGuard conf file, but again, I see fallback to the default gateway.
  • I’ve tried shutting down the VPN on the remote site (I’m hosting the VPN; it’s not commercial), again no joy; as soon as the VPN interface drops, traffic reverts to the default gateway.

To me, it seems the only time a KillSwitch is useful is if the VPN goes down, but it won’t work in this scenario. Which leads me to the question: is the KillSwitch broken functionality for VPNs? Does it only work for physical interfaces?

I’ve also tried various ways to block traffic to my gateway address, but the UI only allows me to block the “External” zone, and doesn’t allow me to set which network within the zone to block access to.

I have a ticket opened with UniFi, but all I’ve gotten so far is a generic “we’ll look into it and get back to you” response.

I’m hoping someone here can either confirm it’s broken behaviour so I can stop wasting my time and wait for a fix, or maybe provide some kind of workaround?