    Provide VPN interface for Snort to inspect

IDS/IPS
yoink
      Thanks for the wonderful guide at the top of the sub forum. It helped me get started with Snort and was extremely helpful.

      One question I can't seem to find an answer for is how to provide an interface, which represents the OpenVPN server on my pfSense box, for Snort to inspect.

      While I can see the WAN and LAN alerts, and often match the WAN alerts to a corresponding host on my LAN, for OpenVPN clients connecting through pfSense I only see the alerts generated on the WAN interface, as the address pool being used for OpenVPN isn't part of the LAN address pool or DHCP server, but rather provided by the OpenVPN server itself.

yoink

        Thanks to a hint from a kind user on the IRC channel it was as simple as creating an interface (on the Interfaces menu), with the available port provided by the OpenVPN Server service, and assigning it the same IP address the OpenVPN Server has had self-assigned from the address pool listed in the settings.

        Subsequently the interface became available to add/inspect by Snort, and it was as simple as duplicating my LAN ruleset for it.

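As an added check after following the steps in the post (this is example script written for this page, not code from the post, from pfSense or from the Snort package): once the OpenVPN server interface has been assigned and added to Snort, confirm from the pfSense shell that a Snort instance is really bound to it, and read back the address OpenVPN gave the tun interface. The interface name `ovpns1`, the address `10.0.8.1`, the process-list lines and the `ifconfig` text below are all constructed sample data that only approximate what a real box prints; run the functions against live `ps auxww` and `ifconfig ovpns1` output to check your own system.

```shell
#!/bin/sh
# Added example, not from the forum post. Helpers to verify that the assigned
# OpenVPN server interface is covered by a running Snort instance on pfSense.

# Print one line per interface a running snort process was started with (-i IFACE).
# Reads `ps auxww` output on stdin. Live use: ps auxww | snort_ifaces
snort_ifaces() {
    sed -n 's/.*\/snort[[:space:]].*[[:space:]]-i[[:space:]]*\([^[:space:]]*\).*/\1/p' | sort -u
}

# Return 0 if a snort instance is bound to IFACE ($1), 1 otherwise.
# Live use: ps auxww | snort_covers ovpns1
snort_covers() {
    iface="$1"
    snort_ifaces | grep -qx "$iface"
}

# Print the IPv4 address OpenVPN assigned to the tun interface, from
# `ifconfig IFACE` output on stdin. Live use: ifconfig ovpns1 | ovpn_iface_inet
ovpn_iface_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Constructed sample resembling pfSense process listing with Snort on WAN (em0),
# LAN (em1) and the assigned OpenVPN server interface (ovpns1). Not real output;
# the option order is an assumption.
SAMPLE_PS='root 1234 0.0 1.2 123456 45678 - Ss 10:00 0:01.00 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 --pid-path /var/run --nolock-pidfile -G 12345 -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
root 1235 0.0 1.2 123456 45678 - Ss 10:00 0:01.00 /usr/local/bin/snort -R 23456 -D -q -l /var/log/snort/snort_em123456 --pid-path /var/run --nolock-pidfile -G 23456 -c /usr/local/etc/snort/snort_23456_em1/snort.conf -i em1
root 1236 0.0 1.2 123456 45678 - Ss 10:00 0:01.00 /usr/local/bin/snort -R 34567 -D -q -l /var/log/snort/snort_ovpns134567 --pid-path /var/run --nolock-pidfile -G 34567 -c /usr/local/etc/snort/snort_34567_ovpns1/snort.conf -i ovpns1'

# Constructed sample of `ifconfig ovpns1`; the 10.0.8.0/24 pool is an assumption.
SAMPLE_IFCONFIG='ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::1%ovpns1 prefixlen 64 scopeid 0x9
	inet 10.0.8.1 netmask 0xffffff00
	groups: tun openvpn
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 5678'

# Demonstration on the constructed samples.
echo "Snort instances are bound to:"
printf '%s\n' "$SAMPLE_PS" | snort_ifaces
if printf '%s\n' "$SAMPLE_PS" | snort_covers ovpns1; then
    echo "ovpns1 is inspected by Snort; OpenVPN gave it $(printf '%s\n' "$SAMPLE_IFCONFIG" | ovpn_iface_inet)"
else
    echo "no Snort instance on ovpns1: assign the interface and add it under Services > Snort"
fi
```

If `snort_covers` fails on a live box even though the interface shows up in the Snort package, the usual cause is that the new instance was added but never started; start it from the Snort interfaces page and re-run the check.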
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.