OPNsense Avoid VPN Traffic Leak
After using the OPNsense firewall for a while to tunnel my traffic through a VPN directly at the network infrastructure level, I am really satisfied with the experience. However, while monitoring the firewall traffic I discovered that traffic leaks in some cases.
VPN traffic should leave through the VPN interface, but I found traffic on the WAN interface that originated from the LAN and was destined for the VPN tunnel; the firewall passed it, and that causes a leak.
To prevent this leak I configured the firewall rules to drop any VPN-bound traffic that escapes to the WAN interface: the LAN rule tags the VPN traffic, and a rule on WAN checks the tag and drops the traffic if it carries the VPN tag.
In this article I explain the OPNsense configuration that prevents this leak.
- Go to the Firewall Rules section.
- Go to the rule you created in the LAN Rules section that redirects LAN traffic into the VPN tunnel and press Edit.
- Go to Advanced Options -> Set local tag and enter this value: NO_WAN_EGRESS
- Go to the Floating Rules section and create an outbound rule on WAN that blocks any traffic carrying the "NO_WAN_EGRESS" tag:
  - General Options
    - Action: Reject
    - Quick: True
    - Interface: WAN
    - Direction: Out
    - Description: Prevent VPN Leaking
    - Log: True
    - Source: Any
    - Destination: Any
    - Protocol: Any
  - Advanced Options
    - Match local tag: NO_WAN_EGRESS
- After saving these rules (LAN and Floating), apply the settings so the firewall engine reloads the ruleset.
- Now check the Firewall Live View to confirm that tagged traffic on WAN is rejected.
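Besides watching the Live View, the generated pf ruleset can be checked directly. The following shell script is an added example, not part of the original article or of OPNsense: it looks for the two rules the steps above create (a route-to rule that sets the tag, and a quick outbound block on WAN that matches it). The embedded ruleset is constructed to resemble `pfctl -sr` output; the interface names `vtnet0`/`vtnet1`, the LAN subnet and the `ovpnc1` gateway are placeholders.

```shell
#!/bin/sh
# Added example: verify that the VPN leak-prevention rules from the article
# are present in a pf ruleset dump. The sample below is CONSTRUCTED to look
# like `pfctl -sr` output on OPNsense; vtnet0 (WAN), vtnet1 (LAN),
# 192.168.1.0/24 and the ovpnc1 gateway are placeholders, not from the article.
TAG="NO_WAN_EGRESS"

SAMPLE_RULES='pass in quick on vtnet1 inet from 192.168.1.0/24 to any flags S/SA keep state route-to (ovpnc1 10.8.0.1) tag NO_WAN_EGRESS
block return out quick on vtnet0 inet all tagged NO_WAN_EGRESS label "Prevent VPN Leaking"
pass out quick on vtnet0 inet all flags S/SA keep state'

# check_ruleset RULES WAN_IF
# Returns 0 only when both pieces of the article's configuration exist:
#   1. a route-to (policy routing) rule that sets the tag on VPN-bound traffic
#   2. a block rule, outbound and quick on WAN_IF, matching that tag
# Without "quick" a later pass rule on WAN could still let the traffic out.
check_ruleset() {
    rules="$1"
    wan_if="$2"
    printf '%s\n' "$rules" | grep 'route-to' | grep -qE " tag $TAG( |\$)" &&
    printf '%s\n' "$rules" | grep -qE "^block .*out quick on $wan_if .*tagged $TAG( |\$)"
}

# Run against the constructed sample; on a real box use:
#   check_ruleset "$(pfctl -sr)" <wan_interface>
if check_ruleset "$SAMPLE_RULES" vtnet0; then
    echo "OK: VPN traffic is tagged and rejected on WAN"
else
    echo "WARNING: tag or WAN block rule missing, VPN traffic may leak"
fi
```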