Ping over VPN

Started by Zoik!, June 10, 2022, 08:06:53 AM

Running OPNsense w/ WireGuard VPN. Everything working spectacularly except PING. All my network traffic is routed through the VPN and I have a rule to allow ICMP. The rule looks like this:

IPv4 ICMP   LAN net   *   *   *   VPN_GATEWAY   *

If I change the gateway to the WAN it pings. If I leave it on the VPN gateway it does not.

Must be something simple here.....

Maybe it's because you're trying to force traffic over a "far" (i.e. unreachable?) gateway rather than allowing it to be routed according to the routing table.

It doesn't work without the rule either though....

I thought it works when not specifying a gateway. Where do you have the rule?

If I change my gateway to WAN under the rule it works, if I use default or the VPN gateway no ICMP.

I have the rule under LAN.

Hmm, that's weird. What happens to the pings when you use the default gateway? Did you check the firewall log or a packet capture?

If your VPN is hosted by some server outside your network and the VPN connection works just fine (meaning you can access the internet and everything you need), then it means the VPN host is blocking ICMP traffic, either because it's hosted on a router or on a server behind a router which has DoS attack protection enabled, or simply because the firewall the server is protected by blocks ICMP traffic.

Such a VPN provider would need to fix their configuration so that pinging is possible ...

Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...

Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.

Thanks all for trying to answer this. Yes, the first thing I thought was that they were blocking ICMP by default, but in trying to troubleshoot the problem I decided to use their app to connect to servers within the same relative region. Ping works over the app.

It's a weird one for sure.

Quote from: Zoik! on June 13, 2022, 06:08:56 AM
Thanks all for trying to answer this. Yes, the first thing I thought was that they were blocking ICMP by default, but in trying to troubleshoot the problem I decided to use their app to connect to servers within the same relative region. Ping works over the app.

It's a weird one for sure.

So yes, they are blocking ICMP.

If you need to use the app to ping the VPN gateway, it means they are blocking ICMP traffic. The app will connect your computer to the internal network of the VPN server, which is why ping works.

You can think of it this way: how smart would it be to allow people to find out whether your server, which must have certain ports open to the public, is up and running, without knowing exactly what its IP is and which ports must be open?

If someone knows your company's DNS server hosted on AWS Route 53 is up and running and has an open port, they can spam it, which might at least cause quite a bit of expense ($53 per 1 million queries per month to be exact). Imagine waking up one morning and seeing that there were up to 30 billion queries going to your server last night xD

Quote from: Vilhonator on June 12, 2022, 09:00:33 PM
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...

Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.

Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it. What's the point of having a connection that is blocked anyway?

Quote from: defaultuserfoo on June 14, 2022, 07:11:24 AM
Quote from: Vilhonator on June 12, 2022, 09:00:33 PM
Quote from: defaultuserfoo on June 12, 2022, 08:52:55 PM
Such a VPN provider would need to fix their configuration so that pinging is possible ...

Not really. Blocking pings is just a form of protection you can use. Just because you can't ping something doesn't mean connections won't work, it just means you can't find clients and hosts just by sending ICMP traffic over the network.

Ping is at least required for diagnostics, so if they are blocking it, it's a misconfiguration, especially when they don't give you an option to unblock it. What's the point of having a connection that is blocked anyway?

Ping isn't for diagnostics to check if the gateway is up; ping is for diagnostics to check if your routes work (which is why you can ping Google or any website or the VPN server itself).

Blocking ICMP won't block your connection to the server or network; it just means incoming ICMP traffic from the internet is blocked, and the target can't be pinged from outside its internal network.

You can't block pings from the same network unless you are using VLANs or some other methods; communication between devices within the same network can't be interrupted or blocked.

The point of doing this is to prevent, for example, others sniffing your traffic (you think it's impossible to decrypt traffic? There are scripts available on GitHub for decrypting some VPN service providers' traffic).

I didn't say anything about gateways.

When ping is blocked, you may find it difficult to check your routes.

Quote from: defaultuserfoo on June 14, 2022, 07:32:02 AM
I didn't say anything about gateways.

When ping is blocked, you may find it difficult to check your routes.

When ping to the gateway is blocked, you can check if it goes to 8.8.8.8, and by running the command tracert 8.8.8.8 on the Windows command line you can see if the VPN route is used.
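A scripted version of the route check in the last post, added here as an example (it is not part of the thread): it parses traceroute or Windows tracert output and reports whether any hop sits inside the WireGuard tunnel subnet, i.e. whether ICMP actually left via the VPN gateway rather than the WAN. The 192.168.1.1 LAN gateway, the 10.8.0.0/24 tunnel subnet and both sample outputs are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample outputs (not real captures). The LAN client's default gateway is
# OPNsense at 192.168.1.1; the WireGuard tunnel subnet is an assumed 10.8.0.0/24.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")

# Linux/BSD traceroute style: hop 2 is the WireGuard peer, so the tunnel carried the probes.
TRACE_VIA_VPN = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.398 ms  0.390 ms
 2  10.8.0.1  23.101 ms  23.090 ms  23.075 ms
 3  * * *
 4  8.8.8.8  25.011 ms  25.004 ms  24.996 ms
"""

# Windows tracert style: hop 2 is a carrier-grade NAT address, so ICMP left via WAN.
TRACE_VIA_WAN = """\
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     5 ms     5 ms     5 ms  100.64.0.1
  3     9 ms     9 ms     9 ms  8.8.8.8

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s")  # hop lines start with the hop number
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted quad on the line

def parse_hops(output):
    """Return [(hop_number, address_or_None), ...] for traceroute or tracert output.
    A hop whose probes all timed out ('* * *' / 'Request timed out.') yields None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank or footer line
        ip = IPV4_RE.search(line)
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def route_via_tunnel(output, tunnel_net=TUNNEL_NET):
    """True if any responding hop lies inside the tunnel subnet (the VPN route was used),
    False if the path never touched the tunnel (ICMP went out via WAN instead)."""
    return any(addr is not None and ipaddress.ip_address(addr) in tunnel_net
               for _, addr in parse_hops(output))
```

Feed it the real output of `traceroute 8.8.8.8` or `tracert 8.8.8.8` from a LAN client; a False result while pings succeed means the replies are coming back over the WAN path, not the VPN_GATEWAY rule.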