Zenarmor not respecting default gateway to contact bc.googleusercontent.com:5355

Started by jkemp, October 07, 2022, 05:22:51 PM

Hello,

I have a question about why Zenarmor is using my WAN interface to contact Google user content servers when my default gateway is on a VPN. When I disable Cloud Threat it stops logging those connections on port :5355, but as one would guess I need it enabled to get up-to-date info. That's okay, but why bypass my VPN to do that?

Am I wrong here? Can someone help me understand why or how this package is able to do that?
Use my ISP WAN connection instead of my VPN?

James

Hi @jkemp,

Cloud queries should be routed according to the FW's routing table. Zenarmor does not modify routing entries.

Maybe the VPN route is not in effect for FW originated connections?

All of my other traffic goes through the VPN interface. If the VPN fails, I have no internet. Kind of a kill switch. This is why I am asking how Zenarmor is able to go directly through my WAN interface. I have seen OPNsense time servers do this also.

Thanks for the quick response. I also really like the Zenarmor filtering and reporting capabilities, so I really want to find out why this is happening.

Got it, thanks. Any chance you run a traceroute to 1.1.1.1 from the firewall console? Does that use the expected route?

No, it doesn't. It also passes right through on the WAN interface. Can you point me to where I can close this bypass? Maybe do a little more studying on the situation?

Hi @jkemp,

Got it. This means the firewall itself does not use the VPN route.

It's a bit tricky and also very hard to provide guidance without having a look at the whole configuration.

But in a nutshell, you'd want to route everything (0.0.0.0/0) through the VPN gateway, with the exception of the VPN server. The communications to the VPN server should use the existing ISP route, since otherwise you'd lose the VPN connection.
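The point of the reply above is that firewall-originated connections (Zenarmor cloud queries, NTP, a traceroute from the console) never pass through the policy-based firewall rules that steer LAN clients into the VPN; they simply follow the kernel routing table with a longest-prefix match. The following Python is an added illustration, not code from Zenarmor or OPNsense: it builds two constructed routing tables with assumed addresses (203.0.113.1 as the ISP gateway, 10.8.0.1 as the VPN gateway, 198.51.100.10 as the VPN server, interface names igb0/igb1/ovpnc1), resolves 1.1.1.1 against each the way the kernel would, and checks the two conditions the reply describes: the default route must point at the VPN interface, and the VPN server itself must still be reached via the ISP path so the tunnel does not try to route its own packets into itself.

```python
import ipaddress

# Constructed routing tables with assumed example values, not the poster's
# real configuration. "BEFORE" mirrors the thread: the default route still
# points at the ISP gateway, so anything the firewall itself originates leaves
# via WAN, while LAN clients only reach the VPN through policy-based firewall
# rules that host-originated traffic never traverses.
BEFORE = [
    # (destination prefix, gateway or None if directly connected, interface)
    ("0.0.0.0/0",      "203.0.113.1", "igb0"),    # ISP default gateway (WAN)
    ("10.8.0.0/24",    None,          "ovpnc1"),  # VPN tunnel network
    ("192.168.1.0/24", None,          "igb1"),    # LAN
]

# "AFTER" is the fix described in the reply: 0.0.0.0/0 via the VPN gateway,
# plus a /32 host route so the encrypted traffic to the VPN server itself
# still uses the ISP path instead of being fed back into the tunnel.
VPN_SERVER = "198.51.100.10"   # assumed VPN endpoint address
AFTER = [
    ("0.0.0.0/0",        "10.8.0.1",    "ovpnc1"),
    (VPN_SERVER + "/32", "203.0.113.1", "igb0"),
    ("10.8.0.0/24",      None,          "ovpnc1"),
    ("192.168.1.0/24",   None,          "igb1"),
]


def lookup(table, dst):
    """Longest-prefix match, the same selection the kernel makes for a packet
    the firewall originates. Returns (prefix, gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return None if best is None else (str(best[0]), best[1], best[2])


def kill_switch_problems(table, vpn_server, vpn_iface, probe="1.1.1.1"):
    """Check a table the way the thread does by hand (traceroute to 1.1.1.1):
    firewall-originated Internet traffic must use the VPN interface, and the
    VPN server itself must NOT be reached through the tunnel. Returns a list
    of human-readable problems; an empty list means the table is consistent."""
    problems = []
    hit = lookup(table, probe)
    if hit is None or hit[2] != vpn_iface:
        problems.append(
            f"{probe} matched {hit[0] if hit else 'nothing'} via "
            f"{hit[2] if hit else 'no interface'}, expected {vpn_iface}: "
            "host-originated traffic bypasses the VPN")
    srv = lookup(table, vpn_server)
    if srv is None or srv[2] == vpn_iface:
        problems.append(
            f"VPN server {vpn_server} would be routed via "
            f"{srv[2] if srv else 'nothing'}: tunnel packets would loop into "
            "the tunnel; add a host route via the ISP gateway")
    return problems


if __name__ == "__main__":
    for name, table in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, "1.1.1.1 ->", lookup(table, "1.1.1.1"))
        print(name, "problems:",
              kill_switch_problems(table, VPN_SERVER, "ovpnc1") or "none")
```

On the real firewall the equivalent of `lookup()` is `route -n get 1.1.1.1` and `route -n get <vpn server address>` from the console; the first should name the VPN interface and the second the WAN interface once the default gateway has been moved to the VPN and the host route for the VPN server added.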

I agree. I mentioned the time servers are also bypassing. Thank you for all the quick responses. Got a little digging to do. I suspect it may be a race going on. 99% of the traffic does use the VPN. Seems to be what's built into OPNsense that's on the move.