PIAVPN goes down? Stop VPN Client data from getting to the Internet completely!
-
A special thanks goes out to everyone in here: https://forum.pfsense.org/index.php?topic=76015.msg414556#msg414556
This is where I found all the information I needed to get my PIAVPN up and running.
The ONLY trouble I had was that when my PIAVPN would go down my VPN Clients would have unencrypted traffic getting to the Internet; well, I found that undesirable.
I -finally- figured out what's required to fix this little vexing issue.
1. System->Advanced->Miscellaneous page ... "Skip rules when gateway is down" ----> ENABLE this!
2. Firewall->Rules->LAN {please see my attachment for details}
I disabled the original "Default allow LAN to any rule". Just above this disabled item I inserted the three rules you need to make it all bliss!
"VPN Clients" in blue is a firewall alias containing IP's of my VPN client machines.
Make sure you select "Reject" in the "Reject VPN Clients" rule. A clue? The Yellow hand on the left.
Once set up you should no longer have ANY VPN Client unencrypted traffic getting to the Internet, no matter what state your PIAVPN is in!
-
Hi, as far as I know the first point ("Skip rules when gateway is down") is enough to prevent the devices that must use the VPN from going out through the default gateway if the VPN connection drops.
It works for me.
I could be wrong, but if you want to enforce this method adding a reject rule in Firewall>Rules>LAN, I think you should put in it the default gateway, not the VPN gateway, as in System>Routing>Gateways.
-
Leaving all my rules in place I tested my reject rule with the Gateway being * or the VPN or the WAN and the rule did exactly the same thing in all cases. It seems the rule evaluates the IP's and rejects the traffic regardless of Gateway setting.
Thanks for pointing this out to me.
-
Just for my curiosity, have you done these tests with the option "Skip rules When gateway is down" on or off?
If I understood the logic of the rules, I suppose that the reject rule does exactly the same thing in all cases when that option is on.
-
This is the best way I know of:
https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN
-
I agree with Derelict, I'm using that method right now and it works like a charm.
-
"Skip rules When gateway is down" is now off and will stay off!!!
I like tagging the packets destined for the vpn in the lan rules … then the floating rule matches the tag and rejects packets so they can't get to the Internet.
In practice this method seems to be much faster at rejecting packets. Anyway, guys, thanks very much for the information ... much appreciated.
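The two methods discussed in this thread (the first post's pass-then-reject LAN rules with "Skip rules when gateway is down", and the tag-plus-floating-reject method from Derelict's link and the last post), written out as the pf rules pfSense would generate from them. This is an added example, not rules from the thread or from pfSense itself; the interface names (em0 = WAN, em1 = LAN, ovpnc1 = the PIA OpenVPN client), the VPN gateway address 10.8.0.1 and the client IPs are assumptions.

```pf
# Added example, not from the thread. Interface names, gateway address
# and client IPs are assumptions; adjust to your own box.
# pf must evaluate rules for the packet on WAN, not just reuse the state
# created on LAN, or the floating reject below never sees it.
set state-policy if-bound

# The "VPN Clients" firewall alias from the first post, as a pf table
table <vpn_clients> { 192.168.1.10 192.168.1.11 192.168.1.12 }

# --- Method 1 (first post, "Skip rules when gateway is down" ON) ---
# Let VPN hosts reach the LAN and the firewall itself (DNS, DHCP, ...)
pass in quick on em1 from <vpn_clients> to em1:network keep state
# Policy-route everything else from VPN hosts to the VPN gateway. When the
# VPN gateway is down and the skip option is on, pfSense does not load this
# rule at all, so the reject rule under it becomes the first match.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) from <vpn_clients> to any keep state
# The "Reject VPN Clients" rule: no gateway on it, so it rejects these hosts
# whatever the gateway setting (matches what was observed in the thread).
block return in quick on em1 from <vpn_clients> to any

# --- Method 2 (tagging, works with the skip option OFF) ---
# Floating rule: anything tagged VPN_ONLY that tries to leave via WAN is
# rejected (TCP RST / ICMP unreachable, i.e. pfSense "Reject").
block return out quick on em0 tagged VPN_ONLY
# LAN rule: tag VPN-host traffic and route it to the VPN gateway. If the
# gateway is down with the skip option off, pfSense loads this rule without
# its gateway, the packet follows the default route to em0 still tagged,
# and the floating rule above drops it before it reaches the Internet.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) from <vpn_clients> to any tag VPN_ONLY keep state
```

To confirm the lock-down, bring the OpenVPN client down and check that `pfctl -ss` shows no states for a VPN host's address on em0 and that the WAN reject counters in `pfctl -vsr` increase when that host tries to go out.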