Safe Access: Does using a VPN bypass Safe Access?

NAS: DS418play | Router: RT2600ac | Operating system: macOS | Mobile operating system: iOS
Hi - I am configuring Safe Access on my RT2600ac running SRM 1.2.3-8017 Update 4.

I am testing blocking sites on my own phone before I do it for my kids' devices, and it initially does not block the sites. Then I realize I have my VPN on, and I turn it off and the sites are blocked.

Does using a 3rd party VPN bypass Safe Access altogether? Apparently that is the case, and from what I know about a VPN it would do that, but I wanted to confirm if others experienced this as well.

It won't be an issue with my kids' devices as they don't have a VPN on them.

Thanks!

mp/m
 
Yes, connecting to an Internet VPN service from a client on your LAN will bypass your router's protection mechanisms.

When you create the tunnel to the VPN server, what you're doing is forcing all traffic* from that device down the tunnel to whatever servers are at the other end: DNS, proxies, filtering, sniffers, loggers, etc., so you should trust whoever is running that end service because, just like your ISP, they can see what you're doing.


* There will be a little bit of local traffic that keeps the tunnel up and MAC-addressed stuff, but all the major activity is sent down the tunnel. The tunnel effectively walls off the device from the LAN ... so you won't be able to use your printer or control any home devices (unless they are Internet accessible and you use the URLs you would if you were on the Internet ... because in effect you are on the Internet).
Some very quick testing...

My normal SRM firewall rules include specific outbound rules to permit LAN, Guest WiFi, VPN client LANs to access the Internet: the help on SRM firewall says that LAN-side traffic isn't handled by the firewall ... implies that LAN to/from Guest to/from VPN clients are not mediated by the firewall.

I see loads of hits on outbound LAN-side connections in the firewall counters.

I also have all the default catch-all rules (at the bottom of the policy window) set to deny.

Test 1

Add deny rule specifically for my iPhone's LAN IP going to Internet destinations on ports 80 and 443. Placed at the top of the firewall ruleset.

The iPhone is now blocked for new (uncached) web destinations and the new rule's hits are increasing.

Test 2

Remove Test 1's rule.
Deactivate my allow rule for LAN subnet to Internet. There is now no specific rule to allow LAN devices to access the Internet.

The result is that new web destination requests are still successful. This implies that the SRM firewall defaults to allowing outbound requests, but will deny if there's an explicit rule to do so.*

Conclusion
  1. You can use a deny rule to stop LAN-side devices from initiating outbound connections.
  2. You don't have to have a rule to allow LAN-side devices to access the Internet.
Recommendation

Use the LAN-side DHCP server to reserve IP addresses for devices. You can then create deny rules to stop specific devices, or a range of LAN IPs, from outbound access to specific ports/applications. Any unspecified LAN IPs will still have access to these Internet destinations.

Note: By manually grouping similar devices into DHCP IP ranges (e.g. kids get x.x.x.50 to x.x.x.60 range) you will be able to minimise the firewall deny rules.


* This is why every firewall admin gets taught to end their firewall rulebase with an explicit any/any/any/drop ... where drop doesn't reply to the initiator, so there is no signal to validate that something is at the destination IP.

Edit:

It occurs to me that if there are implied allow rules for LAN to Internet then these will be at the bottom of the firewall's rules, otherwise the deny rule in Test 1 wouldn't have worked.

For most people their SRM router will mostly be handling outbound connections (by one or two orders of magnitude vs inbound) so it is not efficient to have the rules at the end of the ruleset: the firewall tests each rule in sequence, top to bottom, until it finds a match and then actions the deny/allow.

By adding your own explicit rules for LAN to Internet and placing these towards the top of the ruleset, you'll get some optimisation in the router's performance.

Also, if you really want to implement an any/any/any/deny rule at the end of the firewall's ruleset then you'll have to disable Port Forwarding's automatic firewall rules setting and do these by hand.
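The two observations in this thread, that a tunnel to an outside VPN server sidesteps port-based rules aimed at the device, and that a first-match ruleset with an implied LAN-to-Internet allow behaves the way Test 1, Test 2 and the kids' DHCP-range recommendation describe, can be modelled with a small first-match evaluator. The following Python is an added example, not code from SynoForum or Synology; the subnet, device addresses, rule names and the position of the "implied LAN to Internet" allow (just above the catch-all, as the edit above infers) are assumptions made for illustration, not a statement of how SRM is implemented.

```python
"""First-match firewall rule evaluator modelling the tests in the post above.
Constructed example: addresses, rule names and the position of the
'implied LAN to Internet' allow are assumptions, not SRM's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = "192.168.1.0/24"   # constructed LAN subnet
ANY = "0.0.0.0/0"        # matches every IPv4 address


def in_spec(addr, spec):
    """True if addr lies in spec: a CIDR ('10.0.0.0/8') or a range ('a-b')."""
    if "-" in spec:
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: str                           # source CIDR or range
    dst: str                           # destination CIDR or range
    proto: str = "any"                 # "tcp", "udp" or "any"
    dports: frozenset = frozenset()    # empty = any destination port

    def matches(self, pkt):
        return (in_spec(ip_address(pkt["src"]), self.src)
                and in_spec(ip_address(pkt["dst"]), self.dst)
                and self.proto in ("any", pkt["proto"])
                and (not self.dports or pkt["dport"] in self.dports))


def build_ruleset(user_rules, implied_lan_allow=True):
    """User rules first, then (per the post's inference) an implied
    LAN-to-Internet allow, then the explicit any/any/any drop."""
    rules = list(user_rules)
    if implied_lan_allow:
        rules.append(Rule("implied LAN to Internet", "allow", LAN, ANY))
    rules.append(Rule("catch-all drop", "deny", ANY, ANY))
    return rules


def evaluate(rules, pkt):
    """Walk the ruleset top to bottom and act on the first match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise RuntimeError("ruleset has no catch-all")  # build_ruleset always adds one


# Constructed packets as the router sees them: the phone browsing directly,
# the phone's encrypted tunnel to a VPN server, and a kid's device browsing.
PHONE_WEB = {"src": "192.168.1.20", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
PHONE_VPN = {"src": "192.168.1.20", "dst": "198.51.100.7", "proto": "udp", "dport": 1194}
KID_WEB = {"src": "192.168.1.55", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}

# Test 1: deny rule for the phone's LAN IP on ports 80/443 placed at the top.
TEST1 = build_ruleset([
    Rule("deny phone web", "deny", "192.168.1.20/32", ANY, "tcp", frozenset({80, 443})),
    Rule("allow LAN to Internet", "allow", LAN, ANY),
])

# Test 2: no explicit LAN allow at all; only the implied allow remains.
TEST2 = build_ruleset([])

# Recommendation: reserve x.x.x.50-60 for the kids via DHCP and deny that range.
KIDS = build_ruleset([
    Rule("deny kids web", "deny", "192.168.1.50-192.168.1.60", ANY, "tcp", frozenset({80, 443})),
    Rule("allow LAN to Internet", "allow", LAN, ANY),
])

if __name__ == "__main__":
    cases = [("Test 1, phone to web", TEST1, PHONE_WEB),
             ("Test 1, phone tunnel to VPN server", TEST1, PHONE_VPN),
             ("Test 2, phone to web", TEST2, PHONE_WEB),
             ("Kids range, kid to web", KIDS, KID_WEB),
             ("Kids range, phone to web", KIDS, PHONE_WEB)]
    for label, rules, pkt in cases:
        print(f"{label}: {evaluate(rules, pkt)}")
```

The second case is the thread's original question in miniature: with the VPN up, the only packet the router sees from the phone is UDP to the VPN endpoint, so a rule keyed on the phone's web ports never matches and the implied or explicit LAN allow lets it through; the web requests inside the tunnel are decided by whoever runs the far end. The last case shows why the DHCP-range recommendation keeps the rulebase short: one range rule covers every kid device while unspecified LAN IPs fall through to the allow.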