Stupid question: does pfSense filter the VPN tunnel?

  • Scenario: I'm using a VPN provider from a Windows 7 machine connected to my home LAN.

    How does pfSense inspect this VPN traffic?

    I'm asking because - if I understand VPN principles correctly - my "side" of the OpenVPN tunnel should end directly into my Windows machine.


  • LAYER 8 Netgate

    The usual behavior would be that your router (pfSense) will only see the connection to your VPN provider.  Traffic in the tunnel will be encrypted and unavailable to pfSense for filtering.  The only choice pfSense has is whether or not to allow, say, UDP 1194 (OpenVPN) to enter the LAN port and how to forward it on its way.

    From your description it's kind of hard to tell exactly where pfSense is in the topology.

  • You could have pfSense connect via VPN instead of the Windows machine.  Then the traffic could be filtered.

    Otherwise, I hope you trust your VPN provider (-;

  • LAYER 8 Netgate

    He might be asking the opposite.  When I OpenVPN into my home network from behind certain pfSenses/ASAs I don't want them to be able to inspect/filter my traffic.

  • And there is that - Let's see what he is actually asking then…

  • I'm asking if I'm protected by the firewall rules when I use my VPN provider from a machine inside my LAN.

    Port 1194 doesn't matter (as someone mentioned it), because pfSense's OpenVPN server isn't involved in this kind of connection (in fact it is neither configured nor started).

  • Nope - Your VPN will cut through your pfSense like a hot knife through butter.  Once you are using a machine inside the LAN running a VPN client, the VPN server and any other clients connected to that server and anyone with access to the server or one of the clients or anyone who has hacked into the server or any of the clients on that server potentially have access to your LAN freely.

    So, like I said before, hope you trust your VPN server.
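
What pfSense can still see in the scenario discussed in this thread is the outer connection from the LAN host to the VPN provider. The following is an added example, not part of the thread: it scans pfSense raw filter log entries (the CSV payload after the syslog prefix) for LAN hosts opening such connections. The LAN subnet, interface name, port list and sample lines are constructed assumptions, and it presumes the LAN pass rule has logging enabled.

```python
import csv
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the thread).
LAN_NET = ip_network("192.168.1.0/24")
LAN_IF = "em1"
# OpenVPN's default port, as named in the thread; providers may use others.
TUNNEL_PORTS = {("udp", 1194)}

# Constructed sample entries in pfSense raw filter log layout (IPv4).
SAMPLE_LOG = """\
5,,,1000000103,em1,match,pass,in,4,0x0,,64,1234,0,none,17,udp,70,192.168.1.50,203.0.113.10,51820,1194,50
7,,,1000000104,em1,match,pass,in,4,0x0,,64,4321,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,40000,443,0,S,123456789,,64240,,mss
9,,,1000000105,em0,match,block,in,4,0x0,,52,999,0,none,17,udp,70,198.51.100.99,203.0.113.1,40001,1194,50
5,,,1000000103,em1,match,pass,in,4,0x0,,64,1240,0,none,17,udp,70,192.168.1.50,203.0.113.10,51821,1194,50
5,,,1000000103,em1,match,pass,in,4,0x0,,64,1300,0,none,17,udp,70,192.168.1.77,203.0.113.20,40500,1194,50
"""

def find_tunnel_clients(log_text):
    """Map each LAN host to the (remote_ip, proto, port) tunnel endpoints it reached."""
    hits = defaultdict(set)
    for f in csv.reader(log_text.splitlines()):
        # Field 8 is the IP version; this sketch handles IPv4 entries only.
        if len(f) < 22 or f[8] != "4":
            continue
        iface, action, direction, proto = f[4], f[6], f[7], f[16]
        if proto not in ("tcp", "udp"):
            continue  # other protocols carry no port fields
        src, dst, dport = ip_address(f[18]), f[19], int(f[21])
        # Traffic leaving a LAN host arrives "in" on the LAN interface.
        if (iface == LAN_IF and action == "pass" and direction == "in"
                and src in LAN_NET and (proto, dport) in TUNNEL_PORTS):
            hits[str(src)].add((dst, proto, dport))
    return dict(hits)

if __name__ == "__main__":
    for host, endpoints in sorted(find_tunnel_clients(SAMPLE_LOG).items()):
        for remote, proto, port in sorted(endpoints):
            print(f"{host} -> {remote} {proto}/{port}: contents not visible to the firewall")
```

A hit only identifies the outer connection; what travels inside the tunnel stays opaque to the firewall, so any filtering of that traffic has to happen on the client itself or by terminating the VPN on pfSense.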
