Netgate Discussion Forum

    OpenVPN Kill Switch

    21 Posts 13 Posters 18.4k Views
    • Y
      YoMan

      Ok so I have changed the VPN address to the IP address instead of the name.  It appears to allow connection now with the firewall rules in place.  Is there any disadvantage to using the actual IP rather than the name?  I used the DNS reverse lookup to find it and it appears there are 4 separate IPs that can all link to the same address. I just picked one.

      • DerelictD
        Derelict LAYER 8 Netgate

        If they change IPs it will break.  I'd pass DNS correctly.  It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc.  Your firewall should be able to resolve DNS.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • H
          heper

          @Derelict:

          If they change IPs it will break.  I'd pass DNS correctly.  It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc.  Your firewall should be able to resolve DNS.

          Exactly. Copy your OpenVPN rule and adjust it to work for DNS. The pfSense webgui can/will go nuts without DNS :))

          • S
            stewie2016

            Will this configuration pass DNS outside of the VPN only for resolving the VPN host address when connecting to VPN (or when automatically re-connecting to VPN after an unplanned disconnection), and otherwise pass all other DNS through the VPN?

            • O
              OyyoDams

              Hi,

              I don't like the floating rules trick because when the VPN goes down, it cannot reconnect anymore, blocked by the rule. But there is a workaround. Take a look at this post

              Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.

              "By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down"

              So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.

              This works for me :)

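The rule logic the thread converges on (DNS and the VPN handshake allowed out WAN, everything else from LAN forced into the tunnel and dropped if it ever leaves WAN), written as a hand-written pf ruleset added here for illustration; it is not pfSense's generated configuration and not code from any poster. Interface names, networks and the VPN server address are constructed placeholders; the tag/tagged pattern is the NO_WAN_EGRESS approach from the linked article, and the `route-to` clause is what pfSense's per-rule "Gateway" setting compiles to.

```pf
# --- constructed placeholder names; substitute your own ---
lan_if     = "igb1"
lan_net    = "192.168.1.0/24"
wan_if     = "igb0"
vpn_if     = "ovpnc1"           # OpenVPN client tunnel interface
vpn_gw     = "10.8.0.1"         # remote end of the tunnel
vpn_server = "198.51.100.10"    # placeholder for the VPN provider's endpoint

# Firewall's own traffic (untagged) may use WAN: the OpenVPN handshake and
# the resolver the firewall uses to look the server up again after a drop.
# This is the "copy the OpenVPN rule and adjust it for DNS" exception.
pass out quick on $wan_if proto udp from ($wan_if) to $vpn_server port 1194
pass out quick on $wan_if proto { tcp udp } from ($wan_if) to any port 53

# LAN clients: DNS only to the firewall's own resolver, never directly out.
pass in quick on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53

# Everything else from LAN is policy-routed into the tunnel and tagged.
# The tag survives outbound NAT, so the WAN-side block below still matches.
pass in quick on $lan_if from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state tag NO_WAN_EGRESS

# Kill switch: tagged traffic that ever tries to leave via WAN is dropped.
# While the tunnel is up, route-to sends it out $vpn_if and this never fires.
block out quick on $wan_if tagged NO_WAN_EGRESS
```

With "Skip rules when gateway is down" disabled, pfSense rewrites the route-to rule to the default gateway when the tunnel drops, so the tagged LAN traffic reaches WAN and is blocked while the firewall's own untagged handshake can still reconnect; with it enabled the LAN rule is simply not loaded, which has the same effect on client traffic.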
                • F
                  Fabio72

                  https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

                      • stephenw10S
                        stephenw10 Netgate Administrator

                        Locked this, it was just a spam magnet.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.