Running Opnsense w/Wireguard VPN. Everything working spectacularly except PING. All my network traffic is routed through the VPN and I have a rule to allow ICMP. The rule looks like this:
IPv4 ICMP LAN net * * * VPN_GATEWAY *
If I change the gateway to the WAN it pings. If I leave it on the VPN gateway it does not.
Must be something simple here.....
Maybe it's because you're trying to force traffic over a "far" (i. e. unreachable?) gateway rather than allowing it to be routed according to the routing table.
It doesn't work without the rule either though....
I thought it works when not specifying a gateway. Where do you have the rule?
If I change my gateway to WAN under the rule it works, if I use default or the VPN gateway no ICMP.
I have the rule under LAN.
Hmm, that's weird. What happens to the pings when you use the default gateway? Did you check the firewall log or a packet capture?
If your VPN is hosted by some server outside your network and VPN connection works just fine (meaning you can access internet and everything you need), then it means VPN host is blocking ICMP traffic either because it's hosted on router or server behind a router which has enabled DoS attack protection or simply firewall which server is protected by blocks ICMP traffic.
Such a VPN provider would need to fix their configuration so that pinging is possible ...
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...
Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.
Thank all for trying to answer this. Yes, the first thing I thought was that they were blocking ICMP by default, but in trying to troubleshoot the problem I decided to use their app to connect to servers within the same relative region. Ping works over the app.
It's a weird one for sure.
Quote from: Zoik! on June 13, 2022, 06:08:56 AM
Thank all for trying to answer this. Yes, the first thing I thought was that they were blocking ICMP by default, but in trying to troubleshoot the problem I decided to use their app to connect to servers within the same relative region. Ping works over the app.
It's a weird one for sure.
So yes, they are blocking ICMP.
If you need to use app to Ping VPN gateway, it means they are blocking ICMP traffic. App will connect your computer to internal network of VPN server, which is why ping works.
You can think it this way: How smart would it be to allow people find out if your server, which must have certain ports open to public is up and running without knowing exactly what it's IP is and which ports must be open?
If someone knows your companies DNS server hosted on AWS route 53 is up and runing and has open port, they can spam to it, which might at least cause quite a bit of expense (53$ per 1 million queries per month to be exact). Imagine waking up one morning and seeing that there were up to 30 billion queries going to your server last night xD
Quote from: Vilhonator on June 12, 2022, 09:00:33 PM
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...
Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.
Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it. What's the point of having a connection that is blocked anyway.
Quote from: defaultuserfoo on June 14, 2022, 07:11:24 AM
Quote from: Vilhonator on June 12, 2022, 09:00:33 PM
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...
Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.
Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it. What's the point of having a connection that is blocked anyway.
Ping isn't for diagnostics to check if gateway is up, ping is for diagnostics to check if your routes work (which is why you can ping Google or any website or VPN server itself)
Blocking ICMP won't block your connection to the server or network, it just means incoming ICMP traffic from internet is blocked, and can't be pinged outside targets internal network.
You can't block Pings from same networks unless you are using VLANs or some other methods, communication between devices within same network can't be interroupted or blocked.
Point of doing this, is to prevent for example others sniffing your traffic (you think it's impossible to decrypt traffic? There are scripts available on github for decrypt some VPN service providers traffic)
I didn't say anything about gateways.
When ping is blocked, you may find it difficult to check your routes.
Quote from: defaultuserfoo on June 14, 2022, 07:32:02 AM
I didn't say anything about gateways.
When ping is blocked, you may find it difficult to check your routes.
When ping is blocked to the gateway, you can check if it goes to 8.8.8.8 and by running command tracert 8.8.8.8 on windows command line you see if VPN route is used
Quote from: defaultuserfoo on June 14, 2022, 07:11:24 AM
Quote from: Vilhonator on June 12, 2022, 09:00:33 PM
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...
Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it. What's the point of having a connection that is blocked anyway.
I have no idea what you are saying here, friend. A VPN is created by connecting to a service that runs on a server. Once connected, your source address changes per the translation done over that provider's network, thus hiding your original source addy. In this case the server runs wireguard. Whether you connect to that server via router or app you are still connecting to the same server using the same protocol. There should be no routing difference, it's the same server. You can't selectively block ICMP when you are connecting to the same server on the same network. The difference between the app and hardware device is the device, not the protocol or server.
Quote from: Zoik! on June 14, 2022, 07:40:43 AM
Quote from: defaultuserfoo on June 14, 2022, 07:11:24 AM
Quote from: Vilhonator on June 12, 2022, 09:00:33 PM
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...
Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it. What's the point of having a connection that is blocked anyway.
I have no idea what you are saying here, friend. A VPN is created by connecting to a service that runs on a server. Once connected, your source address changes per the translation done over that provider's network, thus hiding your original source addy. In this case the server runs wireguard. Whether you connect to that server via router or app you are still connecting to the same server using the same protocol. There should be no routing difference, it's the same server. You can't selectively block ICMP when you are connecting to the same server on the same network. The difference between the app and hardware device is the device, not the protocol or server.
That's true if you are hosting VPN on your router and connecting your computer to it using app or via ethernet.
When you connect to your VPN remotely (when your PC is connected to different router or firewall with different public IP), routes change.
VPNs don't magically hide your IP or traffic, they encrypt traffic and hide your IP behind servers IP.
At some point, the traffic must be decrypted (If your firewall uses VPN, then it's done on that, if you use App, then app does it).
You can even block VPN connections by adding VPN network in question to firewall blocks or by using proxies, that's because your computer must have free access to VPN server, to be able to connect to it.
All VPN does makes it harder to trace your traffic, but there are many cases where hackers have managed to steal peoples credit cards and such, due to stupidity and people thinking VPNs are 100% secure
I want to make sure that this discourse stays friendly and within the realm of technical solutions. I'm stating that because technical conversations get out of control quickly and want to make sure you know my tone is one of trying to find a solution.
So, in the interest of debating solutions, all the below states is the VPN process, which is simple and not in debate here. What I'm saying is that I am connecting to the same server, same port, same protocol, different mediums. The difference is the device. There is no routing difference because I am connecting from a router rather than an app. They are both configured in essence identically, yet one can ping and other can't. That suggests a misconfiguration on the device rather than a filter rule.
Quote from: Zoik! on June 14, 2022, 08:22:56 AM
I want to make sure that this discourse stays friendly and within the realm of technical solutions. I'm stating that because technical conversations get out of control quickly and want to make sure you know my tone is one of trying to find a solution.
So, in the interest of debating solutions, all the below states is the VPN process, which is simple and not in debate here. What I'm saying is that I am connecting to the same server, same port, same protocol, different mediums. The difference is the device. There is no routing difference because I am connecting from a router rather than an app. They are both configured in essence identically, yet one can ping and other can't. That suggests a misconfiguration on the device rather than a filter rule.
In that case, check the local IPs of both devices.
If you are hosting the VPN server, then you need to check the firewall rules.
Ping being blocked by one device connected to it same way than different device, would imply that both are connecting to a different network which makes it external connection to which you try to ping.
To put it simple. If device A connects to VPN and gets local IP of 172.16.20.100, device B gets IP 172.16.10.100 and same subnet or Device A has ip 172.16.10.100 and device B has 172.16.10.101 but different subnet mask than device A, then devices are connecting to different networks.
To put it even simpler:
VPN works same way as if you would connect to your computer using secure remote desktop connection at your mothers house 1000 km away from your home. Unless it is properly set up or you really can trust that complete stranger who happens to offer VPN service, not using VPN is by far lot more safer
It was a default gateway misconfiguration in Opnsense.