How do I stop all network traffic that's not 100% needed or an OpenVPN?



  • Hello, title says it all really. I've set up OpenVPN and it says my IP is the VPN server however I want to be sure that nothing can leave my device that isn't through the OpenVPN connection or essential for network functionality?



  • I'm not 100% sure since I've never done it, but you should be able to change the default gateway for your WAN to your OpenVPN client connection.  I don't know if the client automatically gets added to the list of gateways or if you have to manually add it.  Either go to Interfaces - WAN, or System - Routing - Gateways.



  • Ok so there was nothing on WAN but now the default gateway is the OpenVPN connection, would this route everything through the openvpn interface?

    Also is there any way that I could disable the WAN interface (or as much as I can possibly do)?

    The device traffic graph is the same for all interfaces, is this a problem?

    --------------------
    On point 18 of this tutorial (https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2) it teaches you how to 100% route all traffic through the interfaces, I didn't set up my VPN like this but is it possible?



  • would this route everything through the openvpn interface?

    I would think so but like I said, I've never done it before.  There are online VPN leak tests that you should check out just to verify that you appear to be coming from where you want.

    I could disable the WAN interface (or as much as I can possibly do)?

    I don't know for sure since that is the real interface that your VPN tunnel is using, but I don't think so.  Disable it via Interfaces - WAN and see what happens.  I suspect that your VPN connection will die.



  • Sorry and hope I wasn't wasting your time but I found a fix.

    To anyone who's interested, what I was referring to is called a VPN Kill switch, it disables all network traffic that's not going through the VPN to ensure 100% that all traffic is VPN'd. In my NAT rules I disabled everything except for this:
    interface OPT1 (my OpenVPN interface) * * * OPT1 Addresses (anything going through my VPN) * *

    I'm under the impression that this would mean the only traffic allowed is my network -> one of the VPN addresses (please, please, please correct me if I'm wrong though).

    Thanks for your time, KOM.



  • @KOM:

    would this route everything through the openvpn interface?

    I would think so but like I said, I've never done it before.  There are online VPN leak tests that you should check out just to verify that you appear to be coming from where you want.

    I could disable the WAN interface (or as much as I can possibly do)?

    I don't know for sure since that is the real interface that your VPN tunnel is using, but I don't think so.  Disable it via Interfaces - WAN and see what happens.  I suspect that your VPN connection will die.

    Although do you happen to know the routing settings I would have to do to create a second OpenVPN connection and route the 1st one through the 2nd one before reaching the internet?



  • @JohnSCarter:

    To anyone who's interested what I was referring to is called a VPN Kill switch, it disables all network traffic that's not going through the VPN to ensure 100% that all traffic is VPN'd.

    Not exactly.
    A kill switch prevents traffic going out WAN if VPN is down.

    What almost never comes up as a question is NTP, pfSense update servers and maybe more.
    Can put it in an alias, etc.
    Do a tcpdump to see what is not leaving through the VPN.



  • Although do you happen to know the routing settings I would have to do to create a second OpenVPN connection…

    No, sorry.



  • @Pippin:

    @JohnSCarter:

    To anyone who's interested what I was referring to is called a VPN Kill switch, it disables all network traffic that's not going through the VPN to ensure 100% that all traffic is VPN'd.

    Not exactly.
    A kill switch prevents traffic going out WAN if VPN is down.

    What almost never comes up as a question is NTP, pfSense update servers and maybe more.
    Can put it in an alias, etc.
    Do a tcpdump to see what is not leaving through the VPN.

    I can't find tcpdump within pfSense, is there a command or something?

    Also do you happen to know how I would route one OpenVPN connection through another OpenVPN connection?
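As an added example (not from anyone in this thread), here is what Pippin's tcpdump check looks like in practice: pfSense ships tcpdump, reachable from the shell or through Diagnostics > Packet Capture in the web GUI, and this script sorts the outbound lines of `tcpdump -n -i <wan>` into traffic to the OpenVPN server, allowed direct destinations such as NTP (the "alias" idea), and everything else, which is a leak the kill-switch rules should have blocked. The interface name, all addresses and the sample capture are placeholders constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -n -i em0` output as seen on the WAN interface
# (em0 and every address below are placeholders, not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51820 > 198.51.100.5.1194: UDP, length 120
12:00:01.100002 IP 203.0.113.10.55000 > 192.0.2.50.123: NTPv4, Client, length 48
12:00:01.200003 IP 203.0.113.10.44321 > 192.0.2.80.443: Flags [S], seq 1, win 65535, length 0
12:00:01.300004 IP 203.0.113.10.44322 > 192.0.2.53.53: 1234+ A? example.net. (29)
12:00:01.400005 IP 198.51.100.5.1194 > 203.0.113.10.51820: UDP, length 120
"""

WAN_ADDR = ip_address("203.0.113.10")            # placeholder: this box's WAN IP
VPN_SERVER = (ip_address("198.51.100.5"), 1194)   # placeholder: OpenVPN server and port
# Destinations allowed to bypass the tunnel, keyed by destination port.
# One NTP server here; pfSense update servers would be added the same way.
ALLOWED_DIRECT = {123: [ip_network("192.0.2.50/32")]}

# "timestamp IP src.sport > dst.dport:" as printed by tcpdump -n for IPv4
PACKET_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def classify_outbound(capture):
    """Sort packets leaving WAN_ADDR into tunnel / allowed / leak buckets."""
    result = {"tunnel": 0, "allowed": 0, "leaks": []}
    for line in capture.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # non-IPv4 or truncated line, skip it
        src, _sport, dst, dport = m.groups()
        src, dst, dport = ip_address(src), ip_address(dst), int(dport)
        if src != WAN_ADDR:
            continue  # inbound packet; only egress matters for a kill switch
        if (dst, dport) == VPN_SERVER:
            result["tunnel"] += 1  # encrypted tunnel traffic, expected
        elif any(dst in net for net in ALLOWED_DIRECT.get(dport, [])):
            result["allowed"] += 1  # explicitly permitted direct destination
        else:
            result["leaks"].append((str(dst), dport))  # left WAN outside the VPN
    return result


if __name__ == "__main__":
    print(classify_outbound(SAMPLE_CAPTURE))
```

On a live box, pipe `tcpdump -n -l -i <wan>` into the script's stdin instead of the sample; any entry in `leaks` is a destination the NAT and firewall rules still let out directly.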