VPN Gateway Firewall Rules

I have a question about using a VPN as a gateway and how the rules apply. I actually used LTS’s video from ~4 years ago to set this up about a year ago, but seeing as Tom just created a new video I figured I would revisit my config and set it up again for good practice.

I have it working perfectly (actually used WireGuard instead this time, because again, just tinkering in a homelab), but I have a question about “what if I really do not trust the other end of the VPN”? I have a gateway set up with a rule on the subnet of the devices I want to route over the VPN, kill switch in place, all works great. But is there a way to guarantee nothing sourced from the other end of the VPN has a way through the firewall?

If I understand it correctly, seeing as I did not add a rule to the firewall rules for the VPNGateway interface, nothing should be able to flow through that interface… but obviously the things I am tagging to send through it on my homelab subnet will route out through it. But does this still mean that nothing originating on that VPN subnet would be able to pass through the firewall? I think I am a little miffed as to how the rules on different subnets relate to each other. On one hand, I have no rule on the VPNGateway interface, which would mean a default of not passing any traffic, but I also have a RouteThroughVPN rule on a subnet to route things out the VPNGateway.

I am not sure my question is stated quite right or uses the correct verbiage, but hopefully it's enough to make sense.

Things cannot come back down the gateway from the VPN provider unless a system requested them.
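A small stateful-firewall model, added here as an illustration (it is not pfSense code and not from either poster), of why an interface with no rules still passes replies to states opened by the LAN policy-routing rule while dropping anything unsolicited from the VPN side. Interface names follow the post; addresses and the rule table are constructed, and outbound NAT on the VPN interface is deliberately left out.

```python
from ipaddress import ip_address, ip_network

# Constructed homelab addressing (assumption, not from the post).
LAN_NET = ip_network("192.168.10.0/24")   # subnet policy-routed over the VPN
LAN_IF, VPN_IF, WAN_IF = "LAN", "VPNGateway", "WAN"

# Inbound rules per interface, first match wins. An interface with an
# empty list has no rules at all, so everything new arriving on it is
# dropped by the implicit default deny.
RULES = {
    LAN_IF: [{"src": LAN_NET, "action": "pass", "gateway": VPN_IF}],  # RouteThroughVPN
    VPN_IF: [],                                                       # nothing configured
}

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (proto, src, sport, dst, dport) of allowed flows

    @staticmethod
    def _key(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def _reply_key(p):
        # The reply to a flow has source and destination swapped.
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def inbound(self, iface, pkt):
        """Return ('pass', <where it goes>) or ('block', None)."""
        # 1. Packets belonging to an existing state pass on any interface;
        #    this is the only way traffic gets back in from the VPN side.
        if self._reply_key(pkt) in self.states:
            return "pass", "established"
        # 2. Otherwise only this interface's own rules apply.
        for rule in self.rules.get(iface, []):
            if rule["action"] == "pass" and ip_address(pkt["src"]) in rule["src"]:
                self.states.add(self._key(pkt))          # pass creates a state
                return "pass", rule.get("gateway", WAN_IF)
        return "block", None                             # default deny

def demo():
    fw = StatefulFirewall(RULES)
    req = {"proto": "tcp", "src": "192.168.10.5", "sport": 51000, "dst": "198.51.100.10", "dport": 443}
    rep = {"proto": "tcp", "src": "198.51.100.10", "sport": 443, "dst": "192.168.10.5", "dport": 51000}
    unsolicited = {"proto": "tcp", "src": "10.8.0.1", "sport": 40000, "dst": "192.168.10.5", "dport": 22}
    return fw.inbound(LAN_IF, req), fw.inbound(VPN_IF, rep), fw.inbound(VPN_IF, unsolicited)
```

Running `demo()` gives the three outcomes in order: the LAN request is passed out the VPNGateway, its reply is accepted on VPNGateway because a state exists, and the unsolicited connection from the VPN side is blocked.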
