---
name: openwrt-network-hardening
description: "Harden and verify OpenWrt VPN deployment with fail-closed routing, DNS leak prevention, and operational checks for split tunneling/GeoIP/ASN rules. Use when: openwrt hardening, vpn leak prevention, kill switch openwrt, verify split tunnel, validate geoip/asn policy."
argument-hint: "Applied or planned OpenWrt VPN configuration"
---

# OpenWrt Network Hardening

Finalize reliability, security, and day-2 operations after VPN routing setup.

## Procedure

### Step 1 - Fail-Closed and Leak Controls

Define controls:
- kill-switch or fail-closed path for protected traffic
- DNS leak prevention between WAN and tunnel
- default-deny posture for sensitive tunnel-marked flows

### Step 2 - Service Robustness

Set:
- service dependency ordering
- restart policies
- health-check commands
- basic rollback strategy

### Step 3 - Monitoring and Troubleshooting

Provide checks for:
- tunnel up/down state
- route-policy correctness
- packet counters for expected rule hits
- endpoint reachability and latency

### Step 4 - Operational Runbook

Document:
- what to verify after reboot
- what to verify after package upgrades
- how to rotate endpoints or credentials safely

## Output Format

```md
## Hardening and Verification

### Controls Applied
- ...

### Health Checks
- ...

### Runbook
- ...

### Rollback
- ...
```
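
For the fail-closed control in Step 1 and the route-policy check in Step 3, the following is an added example, not part of the original skill: a POSIX sh check that a fwmark policy rule exists and that its routing table cannot fall through to the WAN when the tunnel drops. The mark `0x1`, table `100`, interface `wg0` and the sample command outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that a fwmark policy route fails closed.
# Assumptions (not from the page): mark 0x1, table 100, tunnel interface wg0.
MARK="${MARK:-0x1}"; TABLE="${TABLE:-100}"; VPN_IF="${VPN_IF:-wg0}"

# Constructed sample outputs of `ip rule show` and `ip route show table 100`.
SAMPLE_RULES='0: from all lookup local
100: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_SAFE='default dev wg0 scope link
blackhole default metric 65535'
SAMPLE_LEAKY='default dev wg0 scope link'

# rule_present RULES: succeeds if a rule sends MARK (optionally masked) to TABLE.
rule_present() {
    printf '%s\n' "$1" | grep -Eq "fwmark $MARK(/0x[0-9a-f]+)? .*lookup $TABLE( |\$)"
}

# fail_closed ROUTES: succeeds only if the table holds a blackhole, unreachable
# or prohibit default and no default route leaves through a non-tunnel device.
# Without that guard route, a tunnel drop removes the wg0 default and marked
# traffic falls through to the next rule (normally main, i.e. the WAN).
fail_closed() {
    printf '%s\n' "$1" | awk -v ifc="$VPN_IF" '
        /^(blackhole|unreachable|prohibit) default/ { guard = 1; next }
        /^default / && $0 !~ (" dev " ifc "( |$)") { leak = 1 }
        END { exit !(guard && !leak) }'
}

# verify RULES ROUTES: prints one line per check; non-zero if any check fails.
verify() {
    rc=0
    if rule_present "$1"; then echo "ok   rule: mark $MARK -> table $TABLE"
    else echo "FAIL rule: no fwmark $MARK rule for table $TABLE"; rc=1; fi
    if fail_closed "$2"; then echo "ok   table $TABLE fails closed"
    else echo "FAIL table $TABLE can fall through to WAN"; rc=1; fi
    return $rc
}

# On the router, run with --live to check the real state.
if [ "${1:-}" = "--live" ]; then
    verify "$(ip rule show)" "$(ip -4 route show table "$TABLE")"
fi
```

A table that holds only the tunnel's default route passes casual inspection while the tunnel is up, which is why the check requires the guard route rather than just the presence of a `wg0` default.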