OPNsense: Avoid VPN Traffic Leaks

After using the OPNsense firewall for a while to tunnel my traffic through a VPN directly at the network infrastructure level, I'm really satisfied with the experience, but while monitoring the firewall traffic I discovered that traffic leaks in some cases.

VPN traffic should leave through the VPN interface, but I found traffic on the WAN interface that originated from the LAN and was meant for the VPN tunnel; the firewall passed it, and that is the leak.

To prevent such leaks I configured the firewall rules to drop any VPN-bound traffic that escapes to the WAN interface: the traffic is tagged on the LAN side, and on the WAN interface the tag is checked; if the traffic carries the VPN tag, the firewall drops it so it can never leave unencrypted.

In this article I will explain the configuration that prevents such a leak on OPNsense.

Technical Steps

  • Go to the rule you created in the LAN Rules section that redirects LAN traffic to the VPN tunnel, press Edit, and under Advanced Options set the local tag to NO_WAN_EGRESS, then save.
  • Go to the Floating Rules section and create an outbound rule on WAN that blocks any traffic carrying the NO_WAN_EGRESS tag:

General Options
      Action: Reject
      Quick: True
      Interface: WAN
      Direction: Out
      Description: Prevent VPN Leaking
      Log: True
      Source: Any
      Destination: Any
      Protocol: Any

Advanced Options
      Match local tag: NO_WAN_EGRESS
  • After saving both rules (LAN and Floating), apply the changes so the firewall reloads its ruleset.
  • Now check the Firewall Live View to confirm: because Log is enabled on the floating rule, every packet it rejects on WAN shows up there with the description "Prevent VPN Leaking", so an empty view means nothing is escaping the tunnel.
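The two GUI rules above are OPNsense's front-end for pf's tag/tagged mechanism. As an added illustration, not part of the original post and not the ruleset OPNsense actually generates, here is the same policy written directly in pf.conf syntax; the macros (lan_if, wan_if, vpn_if, vpn_gw, lan_net) are assumed placeholders to be replaced with your own interface names and addresses.

```pf
# Assumed placeholder macros; substitute your real interfaces and addresses.
lan_if  = "igb1"
wan_if  = "igb0"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"
lan_net = "192.168.1.0/24"

# LAN rule (equivalent of "Set local tag" on the LAN policy-routing rule):
# send LAN traffic into the VPN tunnel and mark it with NO_WAN_EGRESS.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) \
    from $lan_net to any tag NO_WAN_EGRESS keep state

# Floating WAN-out rule (equivalent of "Match local tag" with Action: Reject):
# if a tagged packet ever tries to leave via WAN, for example because the
# tunnel is down and routing fell back to the default gateway, reject and log it.
block return out log quick on $wan_if tagged NO_WAN_EGRESS
```

The important property is that the tag is attached when the packet enters on LAN and is still visible when the same packet is evaluated on its way out of WAN, so the WAN rule needs no knowledge of the VPN addresses at all: anything that was supposed to go through the tunnel is rejected on WAN regardless of why it ended up there.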
