Asuswrt-Merlin's user scripts are enough to build a VPN kill switch: a firewall ruleset that closes every non-VPN path so no unencrypted traffic leaves the router or the LAN if the tunnel drops. This guide writes that ruleset with nftables. Before following it, confirm over SSH that the nft command is actually present (which nft): stock Asuswrt-Merlin manages its firewall with iptables and does not ship nft, and without the binary, or without nf_tables support in the kernel, every nft line below fails and nothing is blocked. Note also that the VPN client page of Asuswrt-Merlin has a built-in kill-switch option for clients routed through the tunnel; the scripts below are the hand-rolled equivalent, worth having when you need to control exactly what is still allowed while the tunnel is down.
Asuswrt-Merlin firmware installed on your Asus router.
CactusVPN account and configured OpenVPN or WireGuard client.
SSH access enabled on your router.
Connect via SSH: Use an SSH client (e.g., PuTTY, Terminal) to connect to your router using its local IP address.
Create vpn-down script: this script installs the kill switch. It builds chains whose default policy is drop and punches holes only for the tunnel, the LAN and already-established connections. It is meant to run whenever the tunnel goes down; because the rules exist only from that moment, nothing is blocked between boot and the first connection, and nothing is blocked if the OpenVPN process is killed without running its down script.
#!/bin/sh
# vpn-down: install the kill switch when the tunnel goes away.
# Edit these values to match your router and your CactusVPN server.
VPN_IF="tun11"              # tunnel interface: tun11 for OpenVPN client 1, wgc1 for WireGuard client 1
LAN_NET="192.168.1.0/24"    # LAN subnet
VPN_SERVER="203.0.113.10"   # VPN server address, as an IP (placeholder value)
VPN_PORT="1194"             # VPN server port (placeholder value)
VPN_PROTO="udp"             # udp or tcp, as in the client config
# Start from a clean table: "add table" is idempotent, whereas "flush table"
# on a table that does not exist yet is an error, so create first, then flush.
nft add table inet filter
nft flush table inet filter
# Base chains with a drop policy. The braces and semicolons must be quoted,
# otherwise the shell treats ';' as a command separator and nft gets a truncated chain spec.
nft add chain inet filter input   '{ type filter hook input priority 0; policy drop; }'
nft add chain inet filter output  '{ type filter hook output priority 0; policy drop; }'
nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'
# Loopback: dnsmasq and other local services talk to the router through lo.
nft add rule inet filter input  iifname lo accept
nft add rule inet filter output oifname lo accept
# Replies to connections that are already allowed
nft add rule inet filter input   ct state '{ established, related }' accept
nft add rule inet filter output  ct state '{ established, related }' accept
nft add rule inet filter forward ct state '{ established, related }' accept
# Tunnel traffic (dormant while the tunnel is down; matters once it returns)
nft add rule inet filter output  oifname "$VPN_IF" accept
nft add rule inet filter input   iifname "$VPN_IF" accept
nft add rule inet filter forward oifname "$VPN_IF" accept
nft add rule inet filter forward iifname "$VPN_IF" accept
# LAN <-> router (web UI, SSH, DNS queries to dnsmasq). Deliberately no forward
# rule keyed on the LAN source address: the forward chain also sees LAN->WAN
# packets, so "forward ip saddr LAN accept" would let everything leak.
nft add rule inet filter input  ip saddr "$LAN_NET" accept
nft add rule inet filter output ip daddr "$LAN_NET" accept
# The one WAN-bound connection the router may open: the client reconnecting to
# the VPN server. Without it the tunnel can never come back while the kill switch is up.
nft add rule inet filter output ip daddr "$VPN_SERVER" "$VPN_PROTO" dport "$VPN_PORT" accept
# Log what is dropped (optional). The prefix must still be quoted when it reaches nft.
nft add rule inet filter input   log prefix '"Dropped Input: "' drop
nft add rule inet filter output  log prefix '"Dropped Output: "' drop
nft add rule inet filter forward log prefix '"Dropped Forward: "' drop
logger -t vpn-down "Kill switch enabled"
exit 0
Create vpn-up script: Create a script to remove the kill switch rules when the VPN is connected.
#!/bin/sh
# vpn-up: remove the kill switch once the tunnel is up.
# "flush table" would only empty the chains and leave their drop policies in
# place, which blocks everything; deleting the table removes chains and policies too.
nft delete table inet filter 2>/dev/null
logger -t vpn-up "Kill switch disabled"
exit 0
Save Scripts: Save both scripts as /jffs/scripts/vpn-down and /jffs/scripts/vpn-up. If the /jffs/scripts directory does not exist, create it (mkdir -p /jffs/scripts). Edit the interface name and LAN subnet placeholders in vpn-down to match your router before saving.
Make Scripts Executable:
chmod +x /jffs/scripts/vpn-down
chmod +x /jffs/scripts/vpn-up
Configure OpenVPN/WireGuard Client: In the Asuswrt-Merlin web interface, navigate to the VPN client settings and configure CactusVPN as usual.
Add Custom Configuration: For an OpenVPN client, the plain-OpenVPN way to hook the scripts is to add these lines to the client's custom configuration section:
script-security 2
up /jffs/scripts/vpn-up
down /jffs/scripts/vpn-down
Two caveats. These are OpenVPN directives, so they do nothing for a WireGuard client, which has to be hooked through the firmware's own WireGuard event scripts instead. And Asuswrt-Merlin's generated OpenVPN client configuration already carries its own up and down handlers, which it needs for DNS and routing, and OpenVPN does not merge a second up or down directive with the first, so adding these lines in the custom section interferes with the firmware's handling. The supported hook on Asuswrt-Merlin is /jffs/scripts/openvpn-event, which the firmware runs for every client event with OpenVPN's environment available; that script can run /jffs/scripts/vpn-down when $script_type is down and /jffs/scripts/vpn-up when it is up, after checking that $dev is the tunnel interface you expect (the scripts take no arguments).
VPN Interface: Verify the interface name before editing it into the scripts. Over SSH, ifconfig (or ip link) lists the interfaces; Asuswrt-Merlin names OpenVPN client N's interface tun1N (tun11 for client 1) and WireGuard client N's interface wgcN.
DNS: LAN clients keep querying dnsmasq on the router, but while the kill switch is up the router's own upstream DNS traffic over the WAN is dropped, so nothing resolves until the tunnel is back. That is the intended no-leak behaviour, but it means the OpenVPN remote must be an IP address rather than a hostname, or the client cannot look up the server to reconnect; if you prefer resolution to keep working, accept the leak explicitly with an output rule for udp dport 53 to your upstream resolver. After the VPN connects, confirm that DNS queries actually go through the tunnel.
LAN Subnet: Double-check that the LAN subnet in the vpn-down script matches your network (nvram get lan_ipaddr and nvram get lan_netmask show the router's values). The rules match IPv4 only, yet because the table uses the inet family IPv6 is dropped too, including neighbour discovery between LAN hosts and the router; if IPv6 is enabled on the LAN, add matching ip6 rules or disable it while using this script.
JFFS Partition: Ensure the JFFS partition is enabled and formatted, and that "Enable JFFS custom scripts and configs" is set to Yes under Administration > System; without that setting the firmware ignores /jffs/scripts entirely.
Script Permissions: Both scripts must be executable (chmod +x); a script without the executable bit cannot be run, and the kill switch never installs.
Syntax Errors: Double-check the script syntax for errors, especially IP addresses and interface names.
Verify Asuswrt-Merlin is installed.
Confirm SSH access is enabled.
Create and save vpn-down and vpn-up scripts.
Set executable permissions on both scripts.
Configure CactusVPN OpenVPN/WireGuard client.
Add custom configuration lines.
Test the kill switch by disconnecting the VPN (stop the client in the web interface or run the vpn-down script by hand). From a LAN client, confirm that new outbound connections fail (a ping to a public address and a DNS lookup should both time out) while the router's web interface and SSH still answer, and check the System Log for the Dropped Forward: entries. Then reconnect and confirm that traffic flows through the tunnel again and that nft list ruleset no longer shows the filter table.
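As a check on the ruleset itself rather than on observed traffic, the following script, added here as an example and not one of the guide's own scripts, audits nft list ruleset output for the properties a kill switch must have: drop policies on all three base chains, no forward accept that is not tied to the tunnel or to connection state (the mistake of accepting by LAN source address, which also matches LAN-to-WAN packets), and no router output accept beyond loopback, the tunnel, the LAN and one explicit VPN server endpoint. It assumes the interface name tun11, the LAN prefix 192.168.1.0/24 and a placeholder server endpoint 203.0.113.10 port 1194; the two rulesets embedded in it are constructed samples. Run it with --live on the router to audit the real table.

```sh
#!/bin/sh
# Kill-switch ruleset audit. Added example for this guide, not code from
# Asuswrt-Merlin or CactusVPN. It reads "nft list ruleset" text and checks:
#   1. input, output and forward base chains exist with policy drop;
#   2. every forward accept is bound to ct state or the VPN interface
#      (a LAN-source accept in forward also matches LAN->WAN and leaks);
#   3. every output accept is bound to ct state, lo, the VPN interface,
#      the LAN prefix, or one explicit endpoint with a dport (the VPN server).
# VPN_IF and LAN_NET are assumed defaults; override them in the environment.
VPN_IF="${VPN_IF:-tun11}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# audit_ruleset <vpn_if> <lan_net>: ruleset text on stdin, one finding per
# line on stdout; returns 0 when clean, 1 when anything is wrong.
audit_ruleset() {
    awk -v vpn="$1" -v lan="$2" '
    BEGIN { bad = 0 }
    /^[ \t]*chain / { chain = $2; seen[chain] = 1; next }
    /^[ \t]*type filter hook/ {
        if ($0 !~ /policy drop/) { print "chain " chain ": policy is not drop"; bad = 1 }
        next
    }
    / accept$/ {
        rule = $0; sub(/^[ \t]+/, "", rule)
        bound = ($0 ~ /ct state/ || index($0, "\"" vpn "\"") > 0)
        if (chain == "forward" && !bound) {
            print "forward: unrestricted accept: " rule; bad = 1
        }
        if (chain == "output" && !bound && $0 !~ /"lo"/ &&
            index($0, "daddr " lan) == 0 && $0 !~ /dport/) {
            print "output: unrestricted accept: " rule; bad = 1
        }
    }
    END {
        n = split("input output forward", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) { print "chain " want[i] ": missing"; bad = 1 }
        exit bad
    }'
}

# Constructed sample A: the forward chain accepts anything from the LAN,
# which includes LAN->WAN packets, so clients still reach the internet.
leaky_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ip daddr 192.168.1.0/24 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        oifname "tun11" accept
        ip saddr 192.168.1.0/24 accept
    }
}
EOF
}

# Constructed sample B: forward is tunnel-only; output additionally allows
# loopback, the LAN and one explicit endpoint so the client can reconnect.
tight_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state { established, related } accept
        oifname "lo" accept
        ip daddr 192.168.1.0/24 accept
        ip daddr 203.0.113.10 udp dport 1194 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { established, related } accept
        oifname "tun11" accept
    }
}
EOF
}

# --live audits the router's real ruleset; with no argument the two samples run.
case "${1:-}" in
    --live) nft list ruleset | audit_ruleset "$VPN_IF" "$LAN_NET" ;;
    *)
        echo "sample A (leaky):"
        leaky_ruleset | audit_ruleset "$VPN_IF" "$LAN_NET" || echo "  -> FAIL (as expected)"
        echo "sample B (tight):"
        tight_ruleset | audit_ruleset "$VPN_IF" "$LAN_NET" && echo "  -> PASS" ;;
esac
```

The audit keys on the textual form of the rules, so treat its findings as prompts to look at a rule rather than as proof; it does, however, catch the two ways a hand-written kill switch most often fails, a chain left with an accept policy and a forward rule that is not tied to the tunnel.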