Snort and OpenVPN



  • I have setup Snort per some of the instructions here on the forums (thanks for all the help). I have it working reasonably well in alert only mode and will switch it to block mode at some point in the future.

    I have quite a few rules running on my LAN interface, with only a couple rules running on the WAN interface.

    I have OpenVPN setup on my pfSense which uses a separate subnet than my LAN. That subnet is in the default $HOME_NET for Snort, but I'm wondering which interface's rules will apply to my OpenVPN clients?

    If I have a remote client connect via OpenVPN and then browse the web, does that traffic ever hit the LAN interface? Or will only the WAN rules run on that traffic?

    EDIT: Looking at my OpenVPN settings I have it listening on my WAN interface, so I think that answers my question. Now I need to look into switching it to the LAN interface.



  • Snort can see and inspect traffic that traverses the interface it is running on.  So if your VPN traffic comes into hosts on your LAN, Snort would see it.  If VPN traffic came in and went straight back out your WAN, then Snort on the LAN would not see it (but Snort on the WAN would).

    Bill



  • Hi,

    I have a similar setup. I have one LAN and one WAN and the OpenVPN Server running.
    I use my mobile devices to redirect all traffic through the VPN and then browse the web using my internet connection.

    And I can confirm that snort cannot listen on the OpenVPN interface and snort cannot see something on LAN. But snort analyzes the traffic from OpenVPN to the web on the WAN interface.

    PS:
    It seems to be independent if the OpenVPN server is listening to the LAN or the WAN interface.


Log in to reply