That any other incoming packages, not related to SSH (which we included explicitly with v7.4) or to an established connection (initiated from the Pi), are blocked, is by design when using a killswitch. We discussed whether to allow more or even all inbound connections, when seeing the killswitch as a prevention for outbound connections accidentally bypassing the VPN, while leaving inbound connections a matter of port forwarding, firewall etc. But when checking other killswitch implementations, usually either all inbound connections are blocked, or only selected ones whitelisted, like we do with SSH.
I think there is no one solution that meets it all and we may add a selection instead, i.e. selecting ports from an ss -tulpn list and whether to whitelist it for LAN or even WAN (in cases where the VPN provider supports port forwarding).
For now you can use the "Edit Up" option to allow LMS connections after the VPN connection has been established. For this add the following line:
iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
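The port selection mentioned in the post (picking listeners from ss -tulpn output and whitelisting them for the LAN only) could look like the following. This is an added example, not DietPi code: the function names, the 192.168.1.0/24 subnet and the ss sample are constructed assumptions, and the rules are only printed for review, not applied.

```shell
#!/bin/sh
# Constructed sample of `ss -tulpn` output (not captured from a real system).
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:3483       0.0.0.0:*         users:(("squeezeboxserve",pid=812,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=600,fd=3))
tcp   LISTEN 0      128    0.0.0.0:9000       0.0.0.0:*         users:(("squeezeboxserve",pid=812,fd=18))
tcp   LISTEN 0      128    127.0.0.1:9090     0.0.0.0:*         users:(("squeezeboxserve",pid=812,fd=20))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=600,fd=4))
EOF
}

# gen_lan_rules LAN_CIDR PORT...
# Reads `ss -tulpn` output on stdin and prints one iptables ACCEPT rule per
# selected port that really has a listener, limited to sources in LAN_CIDR.
gen_lan_rules() {
    lan_cidr=$1
    shift
    awk -v lan="$lan_cidr" -v want=" $* " '
        $1 != "tcp" && $1 != "udp" { next }       # skips the header line too
        {
            port = $5
            sub(/.*:/, "", port)                   # text after the last colon
            host = substr($5, 1, length($5) - length(port) - 1)
            if (port !~ /^[0-9]+$/) next           # not a numeric port
            if (index(want, " " port " ") == 0) next   # port was not selected
            if (host ~ /^127\./) next              # loopback only: nothing to open
            if (host ~ /^\[/) next                 # IPv6 listener: needs ip6tables
            if (seen[$1 "/" port]++) next          # one rule per proto/port
            printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n", lan, $1, port
        }'
}

# Print the rules for the selected ports so they can be reviewed first.
sample_ss | gen_lan_rules 192.168.1.0/24 9000 3483 9090
```

On a real system, replace sample_ss with ss -tulpn and check the printed lines before adding them via the Edit Up option.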