Private internet access down
3/17/2023

We learned that Private Internet Access (PIA) has shut down its Korea exit nodes due to concerns about the privacy of its users. It learned through a "close contact" that South Korea law enforcement intended to clone its local data. Private Internet Access (PIA) didn't know why they would take these types of actions against it but took immediate action as soon as it learned about this possibility.

"On the 21st January 2018 at 6.15pm Pacific Time, Private Internet Access was alerted by close contacts in South Korea that law enforcement would be seeking to mirror our servers tomorrow, 24th of January 2018, at 10:00 A.M. without due process. Upon learning this information, we decided to remove and wipe the South Korea region from our network immediately."

Even if the South Korean authorities did clone the data, Private Internet Access (PIA) does not log any traffic or session data. In addition to removing its South Korea exit nodes, it also rotated its certificates as an additional security control. This is a great example that proves that Private Internet Access is committed to the privacy of its users. Good going PIA.

The OpenVPN and the NAT config look ok to me. Remember that NAT rules do not change the traffic behaviour. They merely dictate what happens to the traffic when it is "made" to leave an interface. The "made" part happens in the firewall rules.

For the firewall rules you need to have a LAN rule that matches the interesting traffic (that you want to go over the tunnel) and will set the gateway to the OpenVPN interface (Rule 1). Below this you need a LAN catch-all rule to catch the remaining traffic and allow or deny it (say Rule 2), and this traffic is the one you want to go over the normal WAN GW.

Now under normal circumstances your interesting traffic matches Rule 1 and goes out through the gateway. When you bring the gateway down, the traffic still goes through, but now through the WAN gateway. By default when the VPN GW is down, Rule 1 is still processed but the part where you set the gateway (to the VPN) is omitted. This is decided by System > Advanced > Misc > Skip rules when gateway is down (read the description there). If you want the traffic to be blocked then you need to check this box so that Rule 1 is ignored. You also need to have a Rule 1.5 that is the same as Rule 1 but denies the traffic. So when the VPN GW is down, Rule 1 is ignored and Rule 1.5 will kill the traffic. Rule 2 is still in place for the normal LAN traffic to go out, though.

They said in "How to setup Leakproof VPN (Private Internet Access)":
Rule 1 = allow / send all LAN traffic to the VPN Gateway
Rule 1.5 = block all traffic from LAN (this will stop "leakage" of LAN traffic over WAN when the VPN is down)
Rule 2 = allow specific traffic to WAN Gateway

> You are talking about the Outbound NAT rules, am I right?

I mean the firewall rules. Having a NAT rule that shows your subnet NATted to the VPN GW does not equal traffic being sent to the VPN GW. They merely dictate what happens to the traffic when it is "made" to leave the VPN interface. You "make" the traffic leave the VPN GW instead of the WAN GW in the firewall rules.
Rule 1 = allow / send 'DNS/OpenVPN' LAN traffic to the WAN Gateway (this will always be true)
Rule 2 = send everything else to VPN GW (this will be true when the VPN GW is up)
Rule 3 = Rule 2 with block (this will kill the traffic when the GW is down)
In your example the traffic will never hit Rule 2 because a match would always be found in Rule 1 or Rule 1.5 (when Rule 1 is skipped). Your firewall rules (as I look at them in the pic above) are not sending any traffic to the VPN gateway. The firewall rules are the ones who decide which gateway to use.

Thanks, now I understand, you are speaking about the gateway settings in my Firewall > Rules > LAN. If I edit a rule I have found the "Display Advanced" button under the "Extra Options". There I have a setting where I can set a gateway: But I am unable to choose the OpenVPN as gateway: I think I need to assign the OpenVPN to a new interface, under Interface > Interface Assignments: I added the network port ovpnc1 so it is available as OPT1 interface: I then edited my Firewall LAN Rules so that all traffic from LAN has to go via the OpenVPN gateway and put one last rule (yellow mark) to block all traffic (if the OpenVPN gateway is unavailable), which I think is not needed because the firewall should block everything which is not allowed. I made some tests and if the OpenVPN is active I don't see any traffic hitting the main firewall.
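The rule-evaluation behaviour discussed in the thread above (first match wins, a gateway set on a pass rule, and what "Skip rules when gateway is down" changes) is easy to get wrong, so here is a small Python model of it. This is an added example, not pfSense code and not code posted by anyone in the thread; the gateway names WAN_DHCP and PIA_VPNV4, the 192.168.1.0/24 LAN, the OpenVPN port, and the sample packets are assumptions made for the illustration. It runs both rule sets quoted in the thread (the guide's Rule 1 / 1.5 / 2 and the replier's Rule 1 / 2 / 3) with the VPN gateway up and down, and with the skip option off and on, so you can see exactly which combination leaks LAN traffic over WAN and why the guide's Rule 2 is never reached.

```python
"""Toy model of pfSense LAN rule evaluation with per-rule gateways.

Added illustration, not pfSense code: it models the behaviour described in the
thread (first-match rule processing, a gateway set on a pass rule, and the
System > Advanced > Miscellaneous option "Skip rules when gateway is down")
just enough to show when LAN traffic leaks over WAN while the VPN is down.
Gateway names, the 192.168.1.0/24 LAN, the OpenVPN port and the sample
packets are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

WAN = "WAN_DHCP"      # assumed name of the default (WAN) gateway
VPN = "PIA_VPNV4"     # assumed name of the OpenVPN client gateway
OPENVPN_PORT = 1194   # assumed; adjust to the port your provider config uses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "pass" or "block"
    matches: Callable[[Packet], bool]
    gateway: Optional[str] = None     # None = routing table, i.e. the WAN default route


def is_lan(p: Packet) -> bool:
    return p.src.startswith("192.168.1.")


def is_dns_or_openvpn(p: Packet) -> bool:
    # the 'DNS/OpenVPN' traffic the replier wants to keep on WAN
    return is_lan(p) and p.proto == "udp" and p.dport in (53, OPENVPN_PORT)


def evaluate(rules, pkt, gateways_up, skip_rules_when_gw_down):
    """Return (rule_name, verdict) for the first rule that decides pkt.

    verdict is "block" or "pass via <gateway>".  A pass rule whose gateway is
    down is, by default, still processed with its gateway option dropped (the
    packet follows the routing table, i.e. WAN).  With the skip option on, the
    rule is ignored entirely so a later rule, such as an explicit block, decides.
    """
    for r in rules:
        gw = r.gateway
        if gw is not None and gw not in gateways_up:
            if skip_rules_when_gw_down:
                continue          # rule ignored, evaluation falls through
            gw = None             # gateway option dropped, default route used
        if not r.matches(pkt):
            continue
        if r.action == "block":
            return r.name, "block"
        return r.name, f"pass via {gw or WAN}"
    return "default deny", "block"   # pfSense blocks whatever no rule allows


# Rule set quoted from the "Leakproof VPN" guide in the thread
GUIDE_RULES = [
    Rule("Rule 1", "pass", is_lan, gateway=VPN),
    Rule("Rule 1.5", "block", is_lan),
    Rule("Rule 2", "pass", is_dns_or_openvpn, gateway=WAN),
]

# Rule order proposed by the replier: DNS/OpenVPN to WAN first, then VPN, then block
REPLY_RULES = [
    Rule("Rule 1", "pass", is_dns_or_openvpn, gateway=WAN),
    Rule("Rule 2", "pass", is_lan, gateway=VPN),
    Rule("Rule 3", "block", is_lan),
]

# Constructed sample packets from one LAN host (TEST-NET addresses as destinations)
WEB = Packet("192.168.1.10", "203.0.113.5", "tcp", 443)
DNS = Packet("192.168.1.10", "198.51.100.53", "udp", 53)


def leak_matrix(rules):
    """Evaluate WEB and DNS with the VPN up/down and the skip option off/on."""
    out = {}
    for vpn_up in (True, False):
        for skip in (False, True):
            gws = {WAN, VPN} if vpn_up else {WAN}
            out[(vpn_up, skip, "web")] = evaluate(rules, WEB, gws, skip)
            out[(vpn_up, skip, "dns")] = evaluate(rules, DNS, gws, skip)
    return out


if __name__ == "__main__":
    for label, rules in (("guide", GUIDE_RULES), ("reply", REPLY_RULES)):
        for (vpn_up, skip, kind), (rule, verdict) in leak_matrix(rules).items():
            print(f"{label:5} vpn_up={vpn_up!s:5} skip={skip!s:5} {kind}: {rule} -> {verdict}")
```

Two things the output makes concrete: with the skip option left at its default, both rule sets let the web packet out via WAN_DHCP the moment the VPN gateway is down, because the pass rule still matches and only its gateway is dropped; and in the guide's order the DNS packet is always decided by Rule 1 or Rule 1.5, so Rule 2 does nothing. The model ignores state tracking, reply-to and the firewall's own OpenVPN client traffic, which originates on the firewall rather than on LAN; it only covers the rule ordering question raised in the thread.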