After using OPNSense firwall for a while to tunnel my traffic throw VPN directly from the network infrastructure level, i’m really satisficed with the experience but while i’m monitoring the firewall traffic, i discovered a traffic leaking happen in some cases.

VPN traffic should go to the VPN Interface, but i find a traffic on the WAN Interface which originated from the LAN to VPN and the firewall pass it and that cause leak.

To prevent such leaking i configured the firewall rules to drop any VPN traffic that escapes to the WAN Interface by tagging the VPN traffic in the network and on the WAN i will check the traffic tag, if the traffic is VPN traffic the firewall will drop it to prevent the leak.

In this article i will explain the configuration to prevent such leak on OPNSense.

Technical Steps

• Goto the Firewall Rules section.

• Goto to the rule you created on the LAN Rules section which redirect LAN traffic to the VPN tunnel and press Edit.

• Goto to Advanced Options -> Set Local Tag and enter this value: NO_WAN_EGRESS

• Goto the Float Rules section and create an outbound rule on WAN to block any traffic has “NO_WAN_EGRESS” tag.

General Options      
      Action: Reject
      Quick: True
      Interface: WAN
      Direction: Out
      Description: Prevent VPN Leaking
      Log: True
      Source: Any
      Destination: Any
      Protocol: Any

Advanced Options
      Match local tag: NO_WAN_EGRESS

• After saving these rules [LAN & Floating], apply the settings to restart the firewall engine.
• Now check Firewall Live View to confirm.