Netgate Discussion Forum

    Some traffic is escaping from vpn!

    General pfSense Questions
    14 Posts 6 Posters 1.4k Views
    • moxi

      Hi,
      I saw all the previous posts about this. The main suggested solution is policy filtering. I tried it and even played further with the rules. I still see a difference between the WAN bytes Out/In and VPN bytes Out/In in the Interface Statistics and the graphs.
      Is there a solution to this?
      [attached screenshot of the interface statistics: 4d14943c-3ed8-455c-8437-95d7d03082fd-image.png]
      (Please note that I rebooted the router already. No need to suggest this)
      Thanks

      • Cool_Corona

        Can you see where it's going??

        • chpalmer

          A certain amount of traffic will hit your WAN that will be counted.. Unbound will use the WAN interface I believe.

          If your clients on LAN are using the firewall as their DNS server then the traffic from LAN to what I assume is your VPN interface will be a tad different.. as it seems it is on your graph.

          • Pippin

            IIRC all traffic from the firewall itself will go out WAN.
            Check for updates, NTP, Unbound, etc.

            • moxi @Cool_Corona

              @Cool_Corona hi, what do you suggest I use for this? Thanks!

              • moxi @chpalmer

                @chpalmer hi, that is the case. Clients are using this gateway as their primary DNS server. But the traffic delta is enormous for just DNS usage: currently WAN used 750 MB out, VPN only 375 MB out. Thanks!

                • moxi @Pippin

                  @Pippin everything is up to date and looks running well.

                  • jimp Rebel Alliance Developer Netgate

                    Even in a perfect setup with the default gateway on the VPN, the WAN usage would always be higher due to a couple of factors:

                    • The WAN gateway monitoring traffic (if enabled) will still go straight out WAN since it has a static route out that way
                    • The VPN control channel traffic (establishing the tunnel, key management, keep alive, internal pings, etc) still goes over WAN, and it is not tunneled data so it does not count against the VPN interface
                    • VPN encapsulation and padding means that packets which carry VPN traffic must always be larger than the packets being carried across the VPN. At least enough for an extra set of headers, plus the data is encrypted so it will be larger than the original data. (Compression gets tricky here but nobody should be using VPN data compression since it's insecure)

                    So unless you know for sure that a specific packet/connection/whatever is bypassing the VPN, it's probably normal.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    • moxi @jimp
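To make the overhead argument in the post above checkable against the numbers pfSense actually shows, here is an added example (my code, not from this thread, from pfSense or from any VPN project). It takes the byte and packet counters from Status > Interfaces and bounds how many WAN-side bytes encapsulation, tunnel keepalives and the gateway monitor could legitimately add on top of what the VPN interface counted; whatever is left is what a packet capture has to explain. The OpenVPN per-packet figure, the keepalive and dpinger intervals and the counter values are assumptions, marked in the comments.

```python
"""Bound how much of a WAN-minus-VPN byte delta tunnel overhead can explain.

Added example, not code from this thread, from pfSense or from any VPN
project. Inputs are the per-interface byte and packet counters pfSense
shows under Status > Interfaces; the sample values below are constructed.
"""

# Bytes added on the WAN side for every tunnelled IPv4 packet: outer IPv4 (20)
# + UDP (8) + the tunnel's own framing. WireGuard's data message adds exactly
# 32 bytes (type, receiver index, counter, 16-byte tag). The OpenVPN figure is
# an approximation for UDP with AES-GCM (P_DATA_V2 header 4 + packet-id 4 +
# 16-byte tag); CBC/HMAC ciphers and other options add more, so treat it as
# a lower bound. An Ethernet WAN counter also includes the 14-byte frame
# header that a tun/wg interface counter does not (assumes an Ethernet WAN).
ETHERNET_HEADER = 14
OVERHEAD_PER_PACKET = {
    "wireguard": 20 + 8 + 32,
    "openvpn-udp-gcm": 20 + 8 + 24,
}


def overhead_budget(vpn_packets_out, seconds, kind="openvpn-udp-gcm",
                    keepalive_interval=10.0, keepalive_bytes=64,
                    monitor_interval=0.5, monitor_bytes=42):
    """Largest number of WAN-side bytes that encapsulation, the tunnel's own
    keepalives and the gateway monitor could add on top of the VPN interface's
    byte counter over `seconds` seconds.

    keepalive_* and monitor_* are assumptions, not values read from pfSense:
    one ~64-byte OpenVPN ping every 10 s, and dpinger sending one empty ICMP
    echo (20 IP + 8 ICMP + 14 Ethernet = 42 bytes on the wire) every 500 ms.
    Pass the real values from System > Routing and the VPN config.
    """
    encapsulation = vpn_packets_out * (OVERHEAD_PER_PACKET[kind] + ETHERNET_HEADER)
    keepalive = int(seconds / keepalive_interval) * keepalive_bytes
    monitor = int(seconds / monitor_interval) * monitor_bytes
    return {
        "encapsulation": encapsulation,
        "keepalive": keepalive,
        "gateway_monitor": monitor,
        "total": encapsulation + keepalive + monitor,
    }


def unexplained_wan_bytes(wan_bytes_out, vpn_bytes_out, vpn_packets_out, seconds, **kw):
    """Bytes that left WAN but are neither tunnelled payload nor inside the
    overhead budget: the amount a packet capture still has to account for."""
    budget = overhead_budget(vpn_packets_out, seconds, **kw)["total"]
    return max(0, wan_bytes_out - vpn_bytes_out - budget)


def smallest_average_packet_explaining(wan_bytes_out, vpn_bytes_out, kind="openvpn-udp-gcm"):
    """Average tunnelled packet size (bytes) at or below which encapsulation
    alone could account for the whole delta. Compare it with
    vpn_bytes/vpn_packets from the counters: if the real average is well above
    this, overhead is not the explanation."""
    per_packet = OVERHEAD_PER_PACKET[kind] + ETHERNET_HEADER
    delta = wan_bytes_out - vpn_bytes_out
    if delta <= 0:
        return float("inf")
    # packets * per_packet == delta and packets * average == vpn_bytes_out
    return vpn_bytes_out * per_packet / delta


if __name__ == "__main__":
    # Constructed counters in the spirit of the thread: 750 MB out on WAN,
    # 375 MB in 300,000 packets out on the VPN interface, over three days.
    wan, vpn, pkts, secs = 750_000_000, 375_000_000, 300_000, 3 * 86400
    print(overhead_budget(pkts, secs))
    print("unexplained WAN bytes:", unexplained_wan_bytes(wan, vpn, pkts, secs))
    print("average packet size needed for overhead to explain the delta:",
          smallest_average_packet_explaining(wan, vpn))
```

With the constructed counters the budget comes to about 43 MB, leaving roughly 332 MB that overhead cannot explain; put differently, a WAN count twice the VPN count would need the tunnelled packets to average 66 bytes, which bulk traffic never does. That is the point at which a capture, not more tuning of the overhead, is the next step.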

                      @jimp

                      • The WAN gateway monitoring traffic (if enabled). How do I disable it?
                      • VPN encapsulation and padding means... How do I make sure the carriers are larger than the carried packets? And how do I disable compression?
                      • The VPN control channel traffic... I guess nothing can be done about this one?

                      Thanks!!

                      • jimp Rebel Alliance Developer Netgate @moxi

                        @moxi said in Some traffic is escaping from vpn!:

                        @jimp

                        • The WAN gateway monitoring traffic (if enabled). How do I disable it?

                        System > Routing, edit the gateway, check Disable Gateway Monitoring

                        • VPN encapsulation and padding means... How do I make sure the carriers are larger than the carried packets? And how do I disable compression?

                        Edit the VPN, set either "Disable compression, retain compression packet framing" or "Omit Preference".

                        • The VPN control channel traffic... I guess nothing can be done about this one?

                        No, and you shouldn't care about it either -- any tunneled protocol will have overhead like that, and any encrypted traffic will have it as well. It's not "leaking" anything, it's just a natural part of the process.

                        • moxi @jimp

                          @jimp the traffic going through the LAN is almost double the one going through the VPN, after running for days. Seriously, if a moderator answers me that I should not care, I would start thinking that this whole game of privacy protection is not 100% legit. Especially after experiencing the new pfBlockerNG (MaxMind), which is doing everything to get our data and which is impossible to remove unless we format the drive...

                          • jimp Rebel Alliance Developer Netgate

                            I said you shouldn't care about VPN overhead specifically -- control traffic, encryption overhead, internal monitoring.

                            If you suspect traffic is not going the way you want, then run packet captures and check. Odds are it's not what you think it is, but that's the good thing about running something like pfSense: You can look for yourself.

                            • moxi @jimp
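The post above says to run packet captures and look for yourself; here is an added example of what "look" can mean in practice (my code, not from this thread or from pfSense). It reads the one-line-per-packet output of `tcpdump -nnq` taken on the WAN and on the LAN interface (from the shell, or Diagnostics > Packet Capture) and splits the WAN bytes into tunnel traffic, gateway-monitor probes, the firewall's own traffic (Unbound, NTP, update checks, the VPN control channel) and candidate leaks, where a leak is a remote endpoint that a LAN client was seen talking to and that also shows up on WAN outside the tunnel. The WAN address, VPN endpoint, gateway monitor target, LAN subnet and every capture line are constructed assumptions to replace with the real ones.

```python
"""Triage a WAN capture for traffic that left the box outside the tunnel.

Added example, not code from this thread or from pfSense. Parses the
one-line-per-packet output of `tcpdump -nnq -i <if>`. All addresses,
ports and capture lines below are constructed; the constants are
assumptions to replace with the real WAN address, VPN endpoint, gateway
monitor target and LAN subnet.
"""
import ipaddress
import re
from collections import defaultdict

WAN_IP = ipaddress.ip_address("192.0.2.10")     # assumed pfSense WAN address
LAN_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed LAN subnet (firewall is 10.0.0.1)
VPN_ENDPOINT = ("udp", "198.51.100.5", 1194)    # assumed OpenVPN server and port
GATEWAY_MONITOR_IP = "203.0.113.1"              # assumed dpinger monitor target

# "IP src[.sport] > dst[.dport]: ... length N" or "...: tcp N" as printed by
# tcpdump -nnq. ARP, IPv6 and other lines simply do not match and are skipped.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<rest>.*?)(?P<kw>length|tcp) (?P<len>\d+)\s*$"
)


def parse_capture(text):
    """Return [(proto, src, sport, dst, dport, nbytes)] from tcpdump -nnq lines.
    nbytes is tcpdump's layer-4 payload length, enough for ranking flows."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["kw"] == "tcp":
            proto = "tcp"
        elif m["rest"].startswith("UDP"):
            proto = "udp"
        elif m["rest"].startswith("ICMP"):
            proto = "icmp"
        else:
            proto = "other"
        sport = int(m["sport"]) if m["sport"] else None
        dport = int(m["dport"]) if m["dport"] else None
        packets.append((proto, m["src"], sport, m["dst"], dport, int(m["len"])))
    return packets


def remote_endpoint(packet, local_hosts):
    """(proto, ip, port) of the far end, whichever direction the packet flows.
    Keying on the remote side only is what makes the WAN and LAN views
    comparable: NAT rewrites the source address and usually the source port."""
    proto, src, sport, dst, dport, _ = packet
    if ipaddress.ip_address(src) in local_hosts:
        return (proto, dst, dport)
    return (proto, src, sport)


def classify_wan(wan_text, lan_text):
    """Split WAN-side bytes into tunnel, gateway_monitor, leak and firewall_own.
    Returns (totals_by_class, leak_bytes_by_remote_endpoint)."""
    wan_local = ipaddress.ip_network(f"{WAN_IP}/32")
    # Remote endpoints LAN clients talk to. Traffic that stays inside the LAN
    # (e.g. client DNS to Unbound on the firewall) is terminated locally, so
    # Unbound's own upstream queries on WAN must not be mistaken for a leak.
    lan_remotes = set()
    for p in parse_capture(lan_text):
        r = remote_endpoint(p, LAN_NET)
        if ipaddress.ip_address(r[1]) not in LAN_NET:
            lan_remotes.add(r)
    totals, leaks = defaultdict(int), defaultdict(int)
    for p in parse_capture(wan_text):
        proto, nbytes = p[0], p[5]
        remote = remote_endpoint(p, wan_local)
        if remote == VPN_ENDPOINT:
            totals["tunnel"] += nbytes
        elif proto == "icmp" and remote[1] == GATEWAY_MONITOR_IP:
            totals["gateway_monitor"] += nbytes
        elif remote in lan_remotes:          # client traffic seen unencapsulated on WAN
            totals["leak"] += nbytes
            leaks[remote] += nbytes
        else:                                # Unbound, NTP, updates, VPN control channel ...
            totals["firewall_own"] += nbytes
    return dict(totals), dict(leaks)


# Constructed samples in tcpdump -nnq format (not real captures).
WAN_SAMPLE = """\
10:00:01.000001 IP 192.0.2.10.1194 > 198.51.100.5.1194: UDP, length 1372
10:00:01.000002 IP 198.51.100.5.1194 > 192.0.2.10.1194: UDP, length 1372
10:00:01.000003 IP 192.0.2.10 > 203.0.113.1: ICMP echo request, id 41523, seq 1, length 8
10:00:01.000004 IP 192.0.2.10.44121 > 203.0.113.53.53: UDP, length 29
10:00:01.000005 IP 203.0.113.53.53 > 192.0.2.10.44121: UDP, length 45
10:00:01.000006 IP 192.0.2.10.52010 > 203.0.113.123.123: UDP, length 48
10:00:01.000007 IP 192.0.2.10.61234 > 198.51.100.77.443: tcp 517
10:00:01.000008 IP 198.51.100.77.443 > 192.0.2.10.61234: tcp 1200
"""
LAN_SAMPLE = """\
10:00:00.900001 IP 10.0.0.23.40001 > 10.0.0.1.53: UDP, length 29
10:00:00.900002 IP 10.0.0.23.51234 > 198.51.100.77.443: tcp 517
10:00:00.900003 IP 10.0.0.23.40002 > 203.0.113.200.443: tcp 300
"""

if __name__ == "__main__":
    totals, leaks = classify_wan(WAN_SAMPLE, LAN_SAMPLE)
    print(totals)
    for (proto, ip, port), nbytes in sorted(leaks.items(), key=lambda kv: -kv[1]):
        print(f"LEAK candidate: {proto} {ip}:{port} {nbytes} bytes")
```

In the constructed sample the client's HTTPS session to 198.51.100.77 appears on LAN and again on WAN as plain TCP, so it is reported as a leak, while the second client session (to 203.0.113.200) only ever shows up inside the tunnel and is not. A hit is a candidate to confirm, not proof: if the firewall itself and a client both talk to the same remote (say the same upstream resolver), the remote-endpoint match fires even though the client's copy went through the tunnel, so check the timestamps and ports before concluding anything.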

                              This post is deleted!
                              • Gertjan

                                @moxi said in Some traffic is escaping from vpn!:

                                but why does the firewall rule (block any out on WAN) never work?

                                Can you show that rule (an image ;) )?
                                Where did you put that rule?

                                A final solution will be : use the VPN client on the device where you use the VPN. That is, if that device isn't a TV set or something like that.

                                @moxi said in Some traffic is escaping from vpn!:

                                I would start thinking that this whole game of privacy protection is not 100% legit

                                You start to understand. There is hope for you.
                                You really believed the VPN publicity ??

                                Edit: and where are the logs??

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.