Netgate Discussion Forum
    How do I stop all network traffic that's not 100% needed or an OpenVPN?

    General pfSense Questions
    9 Posts 3 Posters 508 Views

    JohnSCarter

      Hello, title says it all really. I've set up OpenVPN and it says my IP is the VPN server however I want to be sure that nothing can leave my device that isn't through the OpenVPN connection or essential for network functionality?

      Network security & monitoring enthusiast

      KOM

        I'm not 100% sure since I've never done it, but you should be able to change the default gateway for your WAN to your OpenVPN client connection.  I don't know if the client automatically gets added to the list of gateways or if you have to manually add it.  Either go to Interfaces - WAN, or System - Routing - Gateways.

        JohnSCarter

          Ok so there was nothing on WAN but now the default gateway is the OpenVPN connection, would this route everything through the openvpn interface?

          Also is there any way that I could disable the WAN interface (or as much as I can possibly do)?

          The device traffic graph is the same for all interfaces, is this a problem?

          --------------------
          On point 18 of this tutorial (https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2) it teaches you how to 100% route all traffic through the interfaces, I didn't set up my VPN like this but is it possible?

          Network security & monitoring enthusiast

          KOM

            would this route everything through the openvpn interface?

            I would think so but like I said, I've never done it before.  There are online VPN leak tests that you should check out just to verify that you appear to be coming from where you want.

            I could disable the WAN interface (or as much as I can possibly do)?

            I don't know for sure since that is the real interface that your VPN tunnel is using, but I don't think so.  Disable it via Interfaces - WAN and see what happens.  I suspect that your VPN connection will die.

            JohnSCarter

              Sorry and hope I wasn't wasting your time but I found a fix.

              To anyone who's interested what I was referring to is called a VPN Kill switch, it disables all network traffic that's not going through the VPN to ensure 100% that all traffic is VPN'd. In my NAT rules I disabled everything except from this:
              interface OPT1 (my OpenVPN interface) * * * OPT1 Addresses (anything going through my VPN) * *

              I'm under the impression that this would mean the only traffic allowed is my network -> one of the VPN addresses (please, please, please correct me if I'm wrong though).

              Thanks for your time, KOM.

              Network security & monitoring enthusiast

              JohnSCarter

                @KOM:

                would this route everything through the openvpn interface?

                I would think so but like I said, I've never done it before.  There are online VPN leak tests that you should check out just to verify that you appear to be coming from where you want.

                I could disable the WAN interface (or as much as I can possibly do)?

                I don't know for sure since that is the real interface that your VPN tunnel is using, but I don't think so.  Disable it via Interfaces - WAN and see what happens.  I suspect that your VPN connection will die.

                Although do you happen to know the routing settings I would have to do to create a second OpenVPN connection and route the 1st one through the 2nd one before reaching the internet?

                Network security & monitoring enthusiast

                Pippin

                  @JohnSCarter:

                  To anyone who's interested what I was referring to is called a VPN Kill switch, it disables all network traffic that's not going through the VPN to ensure 100% that all traffic is VPN'd.

                  Not exactly.
                  A kill switch prevents traffic going out WAN if VPN is down.

                  What almost never comes up as a question is NTP, pfSense update servers and maybe more.
                  Can put it in an alias, etc.
                  Do a tcpdump to see what is not leaving through the VPN.

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

                  KOM

                    Although do you happen to know the routing settings I would have to do to create a second OpenVPN connection…

                    No, sorry.

                    JohnSCarter

                      @Pippin:

                      @JohnSCarter:

                      To anyone who's interested what I was referring to is called a VPN Kill switch, it disables all network traffic that's not going through the VPN to ensure 100% that all traffic is VPN'd.

                      Not exactly.
                      A kill switch prevents traffic going out WAN if VPN is down.

                      What almost never comes up as a question is NTP, pfSense update servers and maybe more.
                      Can put it in an alias, etc.
                      Do a tcpdump to see what is not leaving through the VPN.

                      I can't find tcpdump within pfSense, is there a command or something?

                      Also do you happen to know how I would route one OpenVPN connection through another OpenVPN connection?

                      Network security & monitoring enthusiast
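Added example (not from the thread, not pfSense's own tooling) illustrating Pippin's advice to run tcpdump and look for what is not leaving through the VPN, and answering the question of what to do with the capture once you have it. On pfSense, tcpdump is available from the shell (Diagnostics > Command Prompt, or SSH), and Diagnostics > Packet Capture in the web GUI wraps it; this script takes the text output of a capture on the WAN interface and classifies each outbound packet as tunnel traffic (to the VPN server), an essential exception that a kill switch must still allow (NTP, the update servers Pippin mentions), or a leak. The WAN address, the VPN endpoint `203.0.113.10:1194`, the essential-service list and the sample capture lines are all constructed placeholder values, not anything from the original posts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Assumed values (placeholders, not from the forum thread) -----------------
# Addresses the firewall itself uses on WAN (IPv4 and IPv6); packets sourced
# from these are what actually leaves the box.
WAN_ADDRS = {"198.51.100.5", "2001:db8::5"}
# The VPN provider's endpoint: traffic to it IS the tunnel, so it must go out WAN.
VPN_SERVER = ("203.0.113.10", 1194)
# Essential services that a kill switch must still let out WAN (Pippin's point):
# an NTP server and a package/update server. Constructed examples.
ESSENTIAL = {
    ("192.0.2.50", 123),   # NTP
    ("192.0.2.60", 443),   # update / package server
}

# Matches the start of a `tcpdump -n` line: "<timestamp> IP <src>.<port> > <dst>.<port>:"
# (IP6 for IPv6). The protocol details after the colon are ignored.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+):")


def split_endpoint(endpoint: str) -> tuple:
    """tcpdump prints host.port; the port is the text after the last dot
    for both IPv4 and IPv6 addresses."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


@dataclass
class Verdict:
    ts: str
    dst: tuple
    status: str  # "tunnel", "essential" or "leak"


def classify(line: str) -> Optional[Verdict]:
    """Classify one outbound WAN packet; return None for lines that are not
    outbound from the firewall (replies, noise, unparsable text)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = split_endpoint(m.group("src"))
    dst = split_endpoint(m.group("dst"))
    if src[0] not in WAN_ADDRS:
        return None  # inbound packet: not something we are leaking
    if dst == VPN_SERVER:
        status = "tunnel"
    elif dst in ESSENTIAL:
        status = "essential"
    else:
        status = "leak"
    return Verdict(m.group("ts"), dst, status)


def find_leaks(lines) -> list:
    """Every outbound WAN packet that is neither tunnel nor an allowed exception."""
    return [v for v in map(classify, lines) if v is not None and v.status == "leak"]


def summarize(lines) -> dict:
    """Counts per status, useful as a quick health check after enabling the rules."""
    counts = {"tunnel": 0, "essential": 0, "leak": 0}
    for v in map(classify, lines):
        if v is not None:
            counts[v.status] += 1
    return counts


# Constructed sample of `tcpdump -n -i <wan>` output. Line 3 is an HTTPS
# connection going straight out WAN (a leak); line 6 is IPv6 bypassing the
# tunnel entirely, a classic leak when only IPv4 is routed through the VPN.
SAMPLE = """
12:00:01.000001 IP 198.51.100.5.41000 > 203.0.113.10.1194: UDP, length 120
12:00:01.000002 IP 198.51.100.5.41001 > 192.0.2.50.123: NTP, Client, length 48
12:00:01.000003 IP 198.51.100.5.41002 > 192.0.2.80.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000004 IP 203.0.113.10.1194 > 198.51.100.5.41000: UDP, length 120
12:00:01.000005 IP 198.51.100.5.41003 > 192.0.2.60.443: Flags [S], seq 2, win 65535, length 0
12:00:01.000006 IP6 2001:db8::5.41004 > 2001:db8:ffff::1.443: Flags [S], seq 3, win 65535, length 0
""".strip().splitlines()


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for v in find_leaks(SAMPLE):
        print(f"LEAK at {v.ts}: {v.dst[0]} port {v.dst[1]}")
```

Capturing on WAN rather than on the OpenVPN interface is deliberate: the question is what escapes the tunnel, and anything sourced from the WAN address that is not addressed to the VPN endpoint is exactly that. Excluding the tunnel port in the capture filter itself (for example `not port 1194`) keeps the output small when the tunnel is busy.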

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.