Sj0rs

HOWTO: Prevent VPN Leakage with OPNsense


How to prevent VPN leakage with OPNsense

In this topic I want to share with you what I've learned regarding the prevention of VPN leakage using OPNsense.
This guide assumes you're familiar with OPNsense and you already have a working configuration.


What this howto is about

This howto results in the following:
1. DNS requests are forced to go to the Unbound Service on OPNsense and will be TLS encrypted to prevent your ISP logging your DNS traffic.
2. Traffic destined for your AIRVPN tunnel is tagged and any leakage on your normal WAN blocks that traffic.
3. Traffic destined to your WAN interface is kept local.
 

About my configuration

I run OPNsense as a firewall and NAT router. I have multiple VLANs for specific purposes (LAN, DMZ, IOT, Management, GUEST and dedicated VPN segments).
I run multiple OpenVPN instances to several countries; some are set up load balanced or failover with gateway groups.
Some of my VMs or containers reside in a VPN network, and this is in my opinion the best way to ensure traffic is enforced through VPN.
This is one of the reasons I make heavy use of FLOATing rules to minimize the number of rules needed (which cost CPU time).
Most LAN hosts are normally routed through WAN, but specific ones I route through VPN by grouping them in aliases.
 

What is VPN leakage?

All AirVPN configurations are of a full tunnel type. This means that all traffic is supposed to be routed through that tunnel to the other side. But sometimes this is not the case for all types of traffic. For instance, most VPN clients support local traffic alongside the tunnel, or you have a custom VPN setup on your router to direct some, but not all traffic to your VPN tunnel.

VPN or firewall misconfigurations can lead to traffic leaking outside of the tunnel. Some examples are:

1. The tunnel is down on your router, your endpoint is unaware and all traffic is suddenly unencrypted
2. You have a running VPN tunnel but allow local DNS and all your DNS resolves are being sent in clear text outside the tunnel

Endpoint and application configuration (out of scope of this topic) can also leak information; be aware of the following:
3. Dual stack machines and IPv6 can leak information about your location. (Use IPv4 and NAT exclusively.)
4. Browser misconfigurations can also leak information about your whereabouts. (WebRTC, locale settings.)

 

Preventing DNS leakage with Port NAT and Unbound


Unbound configuration

Where I live ISPs are obligated to log traffic. To prevent this I have set up Unbound to use DNS-over-TLS (DoT) to make sure my resolves are encrypted.
I don't route my DNS through VPN as I need it to work when my VPNs are down.

These are the changes I made to the Unbound configuration.

1. In Unbound DNS|General|Advanced Mode, the "outgoing network interfaces" setting is set to WAN_PPOE

[screenshot]

2. In Unbound|DNS over TLS I have configured several DoT forwarders
[screenshot]
 

An example for dns.adguard.com:
[screenshot]

I have also configured Quad9 and Cloudflare, but only as fallback, as I don't trust them for privacy reasons.

 

 

Also, consider the following:
When you have configured your own local zone, i.e. myhouse.com, set the "Local Zone Type" to "static" in the general settings of Unbound.
I think the default is "transparent", which results in forwarding unknown hosts to outside DNS servers, and you should not want that to happen.
 

PortNAT configuration


I have several hosts with docker containers which have hardcoded DNS configurations to Google, Cloudflare etc. I make sure they resolve via my Unbound through port NAT:

1. Create a network group alias "networkgroup_local". In here, you put all your local network segments like __lan_network and all __opt*_networks:

[screenshot]

2. Create a port NAT rule like this:
[screenshot]

This results in all traffic from several local network segments, destined to any host NOT local (see destination/invert) on port 53, being rerouted to my LAN interface.
I have "Firewall Rule Association" turned off as I like to have full control over my own firewall rules.

3. Create a floating rule like this:

[screenshot]

This portNAT and rule combination results in the following:
1. All traffic with a destination other than local segments to port 53 will be portNATted to my LAN interface where Unbound is servicing DNS.
2. One floating rule allows traffic to port 53 to flow from their respective VLANs to my LAN interface on port 53.

I also block DoH as, again, several docker containers are hard-coded to external DNS-over-HTTPS servers. To prevent this from happening I subscribe to a blocklist and block traffic.
This is just me being paranoid and outside the scope of this topic ;-)
You can make use of external lists by creating an alias which you can use in firewall rules like this:
[screenshot]

The list I use is: https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt
Use this alias to create an interface or floating rule that blocks traffic destined to the alias on port 443.
 

Preventing traffic leakage with tagging

OPNsense has a feature where you can tag traffic and pass or block traffic based on these tags. With this we can block traffic on the WAN interface that should've been routed through the VPN tunnel.

 

Tagging of Outbound NAT traffic

Outbound NAT rules for your tunnel traffic MUST be above any NAT rules for normal WAN!
Find your AIRVPN outbound NAT rule and make the following adjustment:
[screenshot]

 

 

This example will NAT any traffic to my WAN_AIRVPN1 interface coming from my VPN VLAN destined to any host not local, and tags it with "NO_VPN_LEAK".

Next, change the matching outbound firewall rule:
[screenshot]

This rule, added to my VPN VLAN, routes all traffic through VPN (with the gateway setting) and tags it with "NO_VPN_LEAK".
 

Block tagged traffic on the WAN interface

Next, we block outbound traffic tagged with "NO_VPN_LEAK" on the WAN interface.
Create a FLOATING rule. Make sure this is high up the list:
[screenshot]

This rule is active on the normal WAN interface and screens outbound traffic matching "NO_VPN_LEAK" tags and blocks it.


Prevent WAN Callback leakage

WAN Callback leakage can assist ISPs or three letter agencies in detecting which outbound VPN IP address you're using when you access your own services you may have active on your WAN interface. I have several web services running on OPNsense behind HAProxy. Traffic from hosts behind VPN should route locally.
For this I have created an outbound NAT rule like this (make sure this is the TOP NAT rule):
[screenshot]

Add a FLOATing firewall rule to match this traffic:
[screenshot]

Also, make sure this rule is somewhere at the top of your FLOATing rule list.
I like to make use of floating rules as I can match traffic from several interfaces with one rule, but it can also be an interface rule if you have only one LAN interface.
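As an added check that is not part of Sj0rs' guide: the post insists that the tagged VPN outbound NAT sits above the WAN NAT and that the floating block of "NO_VPN_LEAK" traffic sits high on the WAN interface, and this Python snippet verifies those ordering invariants against text in the shape of `pfctl -sn` / `pfctl -sr` output. The interface names (ovpnc1, pppoe0, vlan40), subnets and sample rule lines are constructed assumptions, not values from the post.

```python
import re

# Constructed sample lines in the shape of `pfctl -sn` / `pfctl -sr` output on OPNsense;
# interface names, subnets and the alias are assumptions, not values from the post.
NAT_OK = """\
nat on ovpnc1 inet from 10.10.40.0/24 to ! <networkgroup_local> tag NO_VPN_LEAK -> (ovpnc1) port 1024:65535
nat on pppoe0 inet from 10.10.10.0/24 to any -> (pppoe0) port 1024:65535
"""
NAT_BAD = "\n".join(reversed(NAT_OK.strip().splitlines()))  # WAN NAT listed above VPN NAT
FILTER_OK = """\
block drop out quick on pppoe0 tagged NO_VPN_LEAK
pass in quick on vlan40 inet from 10.10.40.0/24 to ! <networkgroup_local> flags S/SA keep state tag NO_VPN_LEAK
pass out quick on pppoe0 inet from any to any flags S/SA keep state
"""
FILTER_BAD = FILTER_OK.replace("block drop out quick on pppoe0 tagged NO_VPN_LEAK\n", "")  # no block rule

def first_index(lines, pattern):
    """Index of the first line matching the regex, or None."""
    for i, line in enumerate(lines):
        if re.search(pattern, line):
            return i
    return None

def check_leak_rules(nat_text, filter_text, wan_if, vpn_ifs, tag="NO_VPN_LEAK"):
    """Return the ordering/coverage problems found; an empty list means the
    ruleset enforces the tag-and-block pattern the guide describes."""
    nat = [l for l in nat_text.splitlines() if l.strip()]
    flt = [l for l in filter_text.splitlines() if l.strip()]
    wan = re.escape(wan_if)
    vpn = "|".join(re.escape(i) for i in vpn_ifs)
    problems = []
    # Outbound NAT on a VPN interface must carry the tag and sit above WAN NAT:
    # pf applies the first matching NAT rule, so a WAN rule above it wins untagged.
    vpn_nat = first_index(nat, rf"^nat on (?:{vpn}) .*\btag {tag}\b")
    wan_nat = first_index(nat, rf"^nat on {wan} ")
    if vpn_nat is None:
        problems.append(f"no outbound NAT on {vpn_ifs} applies tag {tag}")
    elif wan_nat is not None and wan_nat < vpn_nat:
        problems.append("WAN outbound NAT is above the tagged VPN outbound NAT")
    # The floating block must be 'quick', on WAN, and precede any pass out on WAN.
    blk = first_index(flt, rf"^block .*\bquick on {wan} .*\btagged {tag}\b")
    pas = first_index(flt, rf"^pass out .*\bon {wan} ")
    if blk is None:
        problems.append(f"no quick block of traffic tagged {tag} on {wan_if}")
    elif pas is not None and pas < blk:
        problems.append("a pass out rule on WAN precedes the tagged block")
    # Something must actually apply the tag: the VLAN pass rule with 'tag'.
    if first_index(flt, rf"^pass in .*\btag {tag}\b") is None:
        problems.append(f"no pass rule applies tag {tag} to VLAN traffic")
    return problems
```

On a real box, feed it the output of `pfctl -sn` and `pfctl -sr` instead of the constructed strings; the regexes only look at the rule shape, not at OPNsense's rule descriptions.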

A wild guide appeared. Break out the good stuff! Let's let the community test and refine it a bit.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Everyone has found what has worked for them.

I've used pfSense for 5 years, now OPNsense for 3 years.

I created aliases by IP ranges of those I want to go over a tunnel, then Kea reservations by MAC address. On the subnets tab > DNS servers is 10.128.0.1 for WireGuard or 10.4.0.1 for OpenVPN.
Then firewall rules by alias name to a specific gateway tunnel for AirVPN.

All tunnels work, no leaking, because it's using the AirVPN gateway servers for the connections.
