Showing results for tags 'vpn leak'.
-
How to prevent VPN leakage with OPNsense

In this topic I want to share with you what I've learned regarding the prevention of VPN leakage using OPNsense. This guide assumes you're familiar with OPNsense and you already have a working configuration.

What this howto is about

This howto results in the following:
1. DNS requests are forced to go to the Unbound service on OPNsense and will be TLS encrypted to prevent your ISP logging your DNS traffic.
2. Traffic destined for your AIRVPN tunnel is tagged and any leakage on your normal WAN blocks that traffic.
3. Traffic destined to your WAN interface is kept local.

About my configuration

I run OPNsense as a firewall and NAT router. I have multiple VLANs for specific purposes (LAN, DMZ, IOT, Management, GUEST and dedicated VPN segments). I run multiple OpenVPN instances to several countries, some set up load balanced or failover with gateway groups. Some of my VMs or containers reside in a VPN network and this is in my opinion the best way to ensure traffic is enforced through VPN. This is one of the reasons I make heavy use of FLOATing rules to minimize the number of rules needed (which cost CPU time). Most LAN hosts are normally routed through WAN but specific ones I route through VPN by grouping them in aliases.

What is VPN leakage?

All AirVPN configurations are of a full tunnel type. This means that all traffic is supposed to be routed through that tunnel to the other side. But sometimes this is not the case for all types of traffic. For instance, most VPN clients support local traffic alongside the tunnel, or you have a custom VPN setup on your router to direct some, but not all, traffic to your VPN tunnel. VPN or firewall misconfigurations can lead to traffic leaking outside of the tunnel. Some examples are:
1. The tunnel is down on your router, your endpoint is unaware and all traffic is suddenly unencrypted.
2. You have a running VPN tunnel but allow local DNS and all your DNS resolves are being sent in clear text outside the tunnel.

Endpoint and application configuration (out of scope of this topic) can also leak information; be aware of the following:
3. Dual stack machines and IPv6 can leak information about your location. (Use IPv4 and NAT exclusively.)
4. Browser misconfigurations can also leak information about your whereabouts. (WebRTC, locale settings.)

Preventing DNS leakage with Port NAT and Unbound

Unbound configuration

Where I live ISPs are obligated to log traffic. To prevent this I have set up Unbound to use DNS-over-TLS (DoT) to make sure my resolves are encrypted. I don't route my DNS through VPN as I need it to work when my VPNs are down. These are the changes I made to the Unbound configuration:
1. In Unbound DNS|General|Advanced Mode the "outgoing network interfaces" setting is WAN_PPOE.
2. In Unbound|DNS over TLS I have configured several DoT forwarders. An example for dns.adguard.com:

I do have quad9 and cloudflare configured but only for fallback as I don't trust them for privacy reasons.

Also, consider the following: when you have configured your own local zone, i.e. myhouse.com, set the "Local Zone Type" to "static" in the general settings of Unbound. I think the default is "transparent", which results in forwarding unknown hosts to outside DNS servers, and you should not want that to happen.

PortNAT configuration

I have several hosts with docker containers which have hardcoded DNS configurations to google, cloudflare etc. I make sure they resolve to my Unbound through portnat:
1. Create a network group alias "networkgroup_local". In here, you put all your local network segments like __lan_network and all __opt*_networks.
2. Create a port NAT rule like this:

This results in all traffic from several local network segments, destined to any host NOT local (see destination/invert), to port 53 being rerouted to my LAN interface. I have "Firewall Rule Association" turned off as I like to have full control over my own firewall rules.
3. Create a floating rule like this:

This portNAT and rule combination results in the following:
1. All traffic with destination other than local segments to port 53 will be portNATted to my LAN interface where Unbound is servicing DNS.
2. One floating rule allows traffic to port 53 to flow from their respective VLANs to my LAN interface to port 53.

I also block DoH as, again, several docker containers are hard-coded to external DNS-over-HTTPS servers. To prevent this from happening I subscribe to a blocklist and block traffic. This is just me being paranoid and outside the scope of this topic ;-) You can make use of external lists by creating an alias which you can use in firewall rules like this:

The list I use is: https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt

Use this alias to create an interface or floating rule that blocks traffic destined to the alias on port 443.

Preventing traffic leakage with tagging

OPNsense has a feature where you can tag traffic and pass or block traffic based on these tags. With this we can block traffic on the WAN interface that should've been routed through the VPN tunnel.

Tagging of Outbound NAT traffic

Outbound NAT rules for your tunnel traffic MUST be above any NAT rules for normal WAN! Find your AIRVPN outbound NAT rule and make the following adjustment:

This example will NAT any traffic to my WAN_AIRVPN1 interface coming from my VPN VLAN destined to any host not local and tags it with "NO_VPN_LEAK".

Next, change the matching outbound firewall rule:

This rule, added to my VPN VLAN, routes all traffic through VPN (with the gateway setting) and tags it with "NO_VPN_LEAK".

Block tagged traffic on the WAN interface

Next, we block outbound traffic tagged with "NO_VPN_LEAK" on the WAN interface. Create a FLOATING rule. Make sure this is high up the list:

This rule is active on the normal WAN interface and screens outbound traffic matching "NO_VPN_LEAK" tags and blocks it.

Prevent WAN Callback leakage

WAN Callback leakage can assist ISPs or three letter agencies in detecting which outbound VPN IP address you're using when you access your own services you may have active on your WAN interface. I have several web services running on OPNsense behind HAProxy. Traffic from hosts behind VPN should route locally. For this I have created an outbound NAT like this (make sure this is the TOP NAT rule):

Add a FLOATing firewall rule to match this traffic:

Also, make sure this rule is somewhere at the top of your FLOATing rule list. I like to make use of floating rules as I can match traffic from several interfaces with one rule, but it can also be an interface rule if you have only one LAN interface.
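The rule set the post above describes (DNS port NAT to Unbound, the DoH alias block, NO_VPN_LEAK tagging on the tunnel NAT and VLAN pass rule, the block on WAN, and the WAN callback exception), written out as a hand-written FreeBSD pf.conf sketch added here for illustration; it is not the post author's configuration and not what the OPNsense GUI generates, and every interface name, address, table range and the blocklist file path is an assumed placeholder.

```pf
# Added illustration of the post's rules in FreeBSD pf.conf syntax (the packet
# filter underneath OPNsense). Not the author's export and not OPNsense output;
# all names, addresses and paths below are assumed.
wan_if      = "pppoe0"                 # normal WAN (WAN_PPOE in the post)
vpn_if      = "ovpnc1"                 # AirVPN tunnel (WAN_AIRVPN1 in the post)
local_ifs   = "{ igb1 igb1.20 igb1.30 }"  # LAN plus VLAN sub-interfaces
vpn_vlan_if = "igb1.30"                # VLAN whose hosts must only use the tunnel
unbound     = "192.168.1.1"            # Unbound listening address on LAN

# alias "networkgroup_local": every local segment (assumed ranges)
table <networkgroup_local> { 192.168.1.0/24, 192.168.20.0/24, 192.168.30.0/24 }
table <vpn_vlan>           { 192.168.30.0/24 }
# DoH blocklist alias, loaded from a locally saved copy of the dibdot list
table <doh_ipv4> persist file "/usr/local/etc/doh-ipv4.txt"

# --- translation rules: first match wins, so order matters ---
# WAN callback (the post's TOP NAT rule; its exact form is not visible, so a
# no-NAT exception for VPN hosts reaching the WAN address is assumed here)
no nat on $vpn_if from <vpn_vlan> to ($wan_if)
# Port NAT: DNS sent to any non-local resolver is redirected to Unbound
rdr on $local_ifs proto { tcp udp } from <networkgroup_local> \
    to ! <networkgroup_local> port 53 -> $unbound port 53
# Outbound NAT for tunnel traffic, tagged NO_VPN_LEAK; must sit above WAN NAT
nat on $vpn_if from <vpn_vlan> to ! <networkgroup_local> tag NO_VPN_LEAK -> ($vpn_if)
nat on $wan_if from <networkgroup_local> to any -> ($wan_if)

# --- filter rules (the post's FLOATing rules); quick = stop at first match ---
# WAN callback stays local: matched before the policy-routed rule, no route-to
pass in quick on $vpn_vlan_if from <vpn_vlan> to ($wan_if)
# Anything tagged for the tunnel that shows up on the normal WAN is dropped
block out log quick on $wan_if tagged NO_VPN_LEAK
# Hard-coded DoH resolvers are blocked on 443
block out log quick proto tcp from <networkgroup_local> to <doh_ipv4> port 443
# Let the redirected DNS reach Unbound on the LAN address
pass in quick on $local_ifs proto { tcp udp } from <networkgroup_local> \
    to $unbound port 53
# VPN VLAN: policy-route via the tunnel (the GUI "gateway" setting) and tag it
pass in quick on $vpn_vlan_if route-to ($vpn_if) from <vpn_vlan> \
    to ! <networkgroup_local> tag NO_VPN_LEAK
```

If the tunnel is down and the policy route no longer applies, a packet from the VPN VLAN falls back to normal routing, reaches $wan_if still carrying the NO_VPN_LEAK tag, and hits the block rule instead of leaving in the clear.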
-
Web Browser FAVICON "SuperCookies" can TRACK people with UNIQUE IDs and BYPASS VPN protections

https://it.slashdot.org/story/21/02/09/1920256/browser-favicons-can-be-used-as-undeletable-supercookies-to-track-you-online

I do not think AirVPN currently has a web browser add-on or plugin. And I do not know of any others that offer protection against this "new" TECH of FavIcon supercookies which use a UNIQUE ID to track people browsing on the web. So now what do we do?
-
Hello All, When connected I tried a couple of DNS leak tests (https://anonymster.com/dns-leak-test/ and https://ipleak.net/). Both are giving me the same results (a Google IP is showing). I am wondering, is this something normal? I was thinking I would see the AirVPN name there instead of Google's. Thanks for your advice.
-
On the result page of https://ipleak.net there is a reference to "AirVPN Exit Node". What is an "AirVPN Exit Node"? Why does ipleak.net check for "AirVPN Exit Node"; is it a security/privacy issue in some way? Who becomes an "AirVPN Exit Node"? And under which circumstances could/will this happen? What is the result/impact/downside of being an "AirVPN Exit Node"? Will it limit functionality/access or anything else that would be available otherwise? If being an "AirVPN Exit Node" is a "bad" thing, can it then be avoided? Is there any documentation available on "AirVPN Exit Node"?