Openvpn blues



  • Still trying to get StrongVPN to work. The tunnel is up, some things are working perfectly, others aren't. I would like to understand exactly what I am doing, rather than just following a cookbook.

    • Firewall rules now encompass LAN, WAN, OpenVPN and StrongVpnMiami. I do not understand the point of having rules for both OpenVPN and StrongVpnMiami. I suspect that OpenVPN "proxies" packets to StrongVpnMiami, which then sends them off into the ether, is that right? If so, which rules should apply to which of the two interfaces?

    • I have idiosyncratic behavior on the DNS. If I force the entire LAN to go through StrongVpnMiami gateway, the DNS servers are all in the USA, which is the desired behavior. If I however select only specific sources to use the StrongVpnMiami gateway, I detect a DNS leak with local servers jumping in. How can I prevent that?

    ![Screenshot 2018-05-11 21.49.50.png](/public/imported_attachments/1/Screenshot 2018-05-11 21.49.50.png)


  • Netgate Administrator

    The OpenVPN tab encompasses all OpenVPN traffic. So any rules there are applied to all OpenVPN connections.

    The tabs for assigned OpenVPN interfaces (StrongVpnMiami here) have rules only for that connection.

    So if you want to allow traffic in on only one VPN interface, you should put rules there and only there. The main OpenVPN tab is parsed first, so if you have an allow-all rule there, rules on the individual connections are not ever hit.

    That becomes important if you have site-to-site tunnels with incoming traffic. When traffic comes in via a particular connection you need it to hit a rule on the specific tab so it gets a 'reply-to' tag on the firewall state, allowing the reply traffic to go back via the correct connection.

    With a VPN connection to a public server like StrongVPN you normally don't want connections coming in over the VPN at all, so you don't need rules there.

    The firewall rules in your screenshot above on LAN have some issues. Nothing can ever hit the bottom two rules because all traffic from the LAN subnet will be caught by the 4th rule and sent via WAN_DHCP. No traffic that isn't from the LAN subnet should come in via the LAN (unless you have routed subnets).

    Steve
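
The two points in Steve's reply (the shared OpenVPN tab is parsed before the StrongVpnMiami tab, and a catch-all LAN rule makes the rules beneath it unreachable) both come down to first-match rule evaluation. The following is an added example, not code from the thread, from Netgate or from pfSense: a toy first-match evaluator plus a shadowing check. The subnets, addresses and rule names are constructed to mirror the situation described above rather than copied from the poster's screenshot; only the gateway names WAN_DHCP and StrongVpnMiami come from the thread. It matches on source and destination only, ignoring protocol and ports.

```python
# Added example (not from the thread): a toy first-match evaluator for pfSense-style
# firewall rules. Subnets, addresses and rule names are constructed to mirror the
# situation described in the thread; they are not taken from the poster's screenshot.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    gateway: Optional[str] = None    # policy-routing gateway tag, e.g. "WAN_DHCP"


def _contains(spec: str, addr: str) -> bool:
    """True if the address falls inside the rule's source/destination spec."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(outer, strict=False).supernet_of(ip_network(inner, strict=False))


def evaluate(tabs: List[List[Rule]], src: str, dst: str) -> Optional[Rule]:
    """First-match evaluation across tabs in the order pfSense parses them
    (the shared OpenVPN tab before the assigned-interface tab). No match means
    the default deny applies, returned here as None."""
    for tab in tabs:
        for rule in tab:
            if _contains(rule.src, src) and _contains(rule.dst, dst):
                return rule
    return None


def shadowed(tab: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule in the same
    tab already covers every packet they would match (src/dst only; protocol
    and port matching are ignored in this toy)."""
    dead = []
    for i, later in enumerate(tab):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst) for e in tab[:i]):
            dead.append(later.name)
    return dead


# Constructed LAN tab: the catch-all at position 4 sends everything from the LAN
# subnet via WAN_DHCP, so the two policy-routing rules beneath it are unreachable.
LAN_NET = "192.168.1.0/24"
LAN_TAB = [
    Rule("LAN -> firewall DNS", "pass", LAN_NET, "192.168.1.1/32"),
    Rule("Block LAN -> guest net", "block", LAN_NET, "192.168.50.0/24"),
    Rule("Block LAN -> management", "block", LAN_NET, "10.0.0.0/8"),
    Rule("Default allow LAN to any", "pass", LAN_NET, "any", gateway="WAN_DHCP"),
    Rule("Hosts via StrongVpnMiami", "pass", "192.168.1.100/30", "any", gateway="StrongVpnMiami"),
    Rule("Media box via StrongVpnMiami", "pass", "192.168.1.200/32", "any", gateway="StrongVpnMiami"),
]

# Constructed OpenVPN tabs: an allow-all on the shared tab means the
# per-interface rules are never consulted.
OPENVPN_TAB = [Rule("OpenVPN allow all", "pass", "any", "any")]
STRONGVPN_TAB = [Rule("StrongVpnMiami block inbound", "block", "any", "any")]


def lan_gateway_for(src: str) -> Optional[str]:
    """Which gateway a LAN host's outbound traffic is policy-routed through
    (destination 8.8.8.8 is just a constructed Internet address)."""
    hit = evaluate([LAN_TAB], src, "8.8.8.8")
    return hit.gateway if hit else None


if __name__ == "__main__":
    print("unreachable LAN rules:", shadowed(LAN_TAB))
    print("192.168.1.200 leaves via:", lan_gateway_for("192.168.1.200"))
    hit = evaluate([OPENVPN_TAB, STRONGVPN_TAB], "10.8.0.5", "192.168.1.10")
    print("inbound over StrongVpnMiami matched:", hit.name if hit else "default deny")
```

Running it shows the media box at 192.168.1.200 leaving via WAN_DHCP rather than the VPN, which is the practical consequence of the ordering problem Steve describes: the per-host StrongVpnMiami rules have to sit above the catch-all to ever be hit. The same walk over the OpenVPN tabs shows that with an allow-all on the shared tab, the block rule on the StrongVpnMiami tab is dead.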