OPNSense Avoid VPN Traffic Leak

After using the OPNsense firewall for a while to tunnel my traffic through a VPN directly at the network infrastructure level, I am really satisfied with the experience. But while monitoring the firewall traffic, I discovered that in some cases traffic leaks.
VPN traffic should go out through the VPN interface, but I found traffic on the WAN interface that originated from the LAN and was meant for the VPN tunnel; the firewall passed it, and that causes a leak.
To prevent such leaks I configured the firewall rules to drop any VPN traffic that escapes to the WAN interface: the VPN-bound traffic is tagged on the LAN, and on the WAN the tag is checked; if the traffic carries the VPN tag, the firewall drops it.
In this article I will explain the configuration that prevents such leaks on OPNsense.
Technical Steps
- Go to the Firewall Rules section.

- Go to the rule you created in the LAN Rules section that redirects LAN traffic into the VPN tunnel and press Edit.

- Go to Advanced Options -> Set local tag and enter this value: NO_WAN_EGRESS

- Go to the Floating Rules section and create an outbound rule on WAN that blocks any traffic carrying the "NO_WAN_EGRESS" tag.

General Options
Action: Reject
Quick: True
Interface: WAN
Direction: Out
Description: Prevent VPN Leaking
Log: True
Source: Any
Destination: Any
Protocol: Any
Advanced Options
Match local tag: NO_WAN_EGRESS
- After saving these rules [LAN & Floating], apply the settings to restart the firewall engine.
- Now check Firewall Live View to confirm.
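The same policy written as pf rules, to show why the tag approach works. This is an added example and not the post's own configuration or the ruleset OPNsense generates (the rules it renders into /tmp/rules.debug will look different); the interface names, LAN subnet and VPN gateway address are assumed placeholders.

```pf
# Assumed placeholders, not values from the article
lan_if  = "em0"
wan_if  = "em1"
vpn_if  = "ovpnc1"
lan_net = "192.168.1.0/24"
vpn_gw  = "10.8.0.1"

# LAN rule: policy-route LAN traffic into the tunnel and mark every
# packet it matches with a local tag. The tag stays attached to the
# packet for the rest of its trip through pf, whichever interface it
# finally leaves on.
pass in quick on $lan_if inet from $lan_net to any \
    route-to ($vpn_if $vpn_gw) tag NO_WAN_EGRESS \
    label "LAN to VPN"

# Floating outbound rule on WAN: a packet that still carries the tag
# here has escaped the tunnel (for example because the VPN gateway was
# down and the rule fell back to the default route). Reject it, log it,
# and stop evaluating further rules (quick).
block return out log quick on $wan_if tagged NO_WAN_EGRESS \
    label "Prevent VPN Leaking"
```

The first rule matches the "Set local tag" option in the LAN rule and the second matches "Match local tag" on the floating rule. Since only packets that were tagged on the LAN can match the WAN rule, ordinary traffic from the firewall itself or from other interfaces is not affected; in the Live View the rejected packets show up under the "Prevent VPN Leaking" description, which is what you look for to confirm the leak is being stopped.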
Loved reading this, thanks