How to monitor VPN tunnel on pfSense and OpenVPN tun adapter?


bad bit

Dec 11, 2015, 9:20:41 AM
to securit...@googlegroups.com
We have a remote office that uses pfSense firewall/router and OpenVPN to allow remote workers to tunnel through the remote office's Internet connection. OpenVPN service is using the TUN adapter, so no ability for bridging.  How can I monitor the OpenVPN subnet? I could separate the router and VPN service, but then I think I'm facing the same issue.

This office supports about 25 users and I thought about switching to a TAP adapter, but I want to avoid the overhead of this option. I've not tested the bridging of the TAP adapter but I think it's supported.

Doug Burks

Dec 11, 2015, 11:05:46 AM
to securit...@googlegroups.com
Hi bad bit,

Depending on your exact network architecture, there should be a point
where the firewall/VPN connects to a normal switch which the 25 users
are then connected to. You should be able to configure a span port on
that switch or insert a physical tap to collect traffic.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

bad bit

Dec 11, 2015, 11:23:19 AM
to securit...@googlegroups.com
Remote users connect to the pfSense router WAN interface's OpenVPN service port. Once connected, the OpenVPN client redirects all traffic through the tunnel and pfSense routes out through the WAN adapter. So this redirected traffic never hits anything behind the router.
I just added the daemonlogger package to the pfSense router and it looks like it is copying traffic from the pfSense's "ovpns1" adapter to a file. I opened this file in Wireshark and it looks like non-encrypted VPN tunnel traffic. Next step is to try to copy this traffic to a physical interface that I can connect to a SO sensor. This may be the solution.