Safe Access Does using a VPN bypass Safe Access?


NAS
DS418play
Operating system
macOS
Hi - I am configuring Safe Access on my RT2600ac running SRM 1.2.3-8017 Update 4.

I am testing blocking sites on my own phone before I do it for my kids devices, and it initially does not block the sites. Then I realize I have my VPN on, and I turn it off and the sites are blocked.

Does using a 3rd party VPN bypass Safe Access altogether? Apparently that is the case, and from what I know about a VPN it would do that, but I wanted to confirm if others experienced this as well.

It won't be an issue with my kids devices as they don't have a VPN on them.

Thanks!

mp/m
 

fredbert

Moderator
NAS Support
Subscriber
Operating system
macOS
Mobile operating system
iOS
Yes, connecting to an Internet VPN service from a client on your LAN will bypass your router's protection mechanisms.

When you create the tunnel to the VPN server what you're doing is forcing all traffic* from that device down the tunnel to whatever servers are at the other end: DNS, proxies, filtering, sniffers, loggers, etc. so you should trust whoever is running that end service because, just like your ISP, they can see what you're doing.


* there will be a little bit of local traffic that keeps the tunnel up and MAC-addressed stuff, but all the major activity is sent down the tunnel. The tunnel effectively walls off the device from the LAN ... so you won't be able to use your printer or control any home devices (unless they are Internet accessible and you use the URLs you would if you were on the Internet ... because in effect you are on the Internet).
 
NAS
DS218+
Router
RT2600ac
Operating system
Linux, Windows
Mobile operating system
Android
You can create a rule in your firewall to block access for certain IPs bound to certain devices to block VPN TCP/UDP ports.
 
NAS
DS216+II, DS118, DS718+
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
Android
> You can create a rule in your firewall to block access for certain IPs bound to certain devices to block VPN TCP/UDP ports.

SRM firewall doesn't block outgoing traffic.
 

fredbert

Moderator
NAS Support
Subscriber
Operating system
macOS
Mobile operating system
iOS
Some very quick testing...

My normal SRM firewall rules include specific outbound rules to permit LAN, Guest WiFi, VPN client LANs to access the Internet: the help on SRM firewall says that LAN-side traffic isn't handled by the firewall ... implies that LAN to/from Guest to/from VPN clients are not mediated by the firewall.

I see loads of hits on outbound LAN-side connections in the firewall counters.

I also have all the default catch-all rules (at the bottom of the policy window) set to deny.

Test 1

Add deny rule specifically for my iPhone's LAN IP going to Internet destinations on ports 80 and 443. Placed at the top of the firewall ruleset.

The iPhone now is blocked for new (uncached) web destinations and the new rule's hits are increasing.

Test 2

Remove Test 1's rule.
Deactivate my allow rule for LAN subnet to Internet. There is now no specific rule to allow LAN devices to access the Internet.

The result is that new web destination requests are still successful. This implies that the SRM firewall defaults to allowing outbound requests, but will deny if there's an explicit rule to do so.*

Conclusion
  1. You can use a deny rule to stop LAN-side devices from initiating outbound connections.
  2. You don't have to have a rule to allow LAN-side devices to access the Internet.
Recommendation

Use the LAN-side DHCP server to reserve IP addresses for devices. You can then create deny rules to stop specific devices, or range of LAN IPs, from outbound access to specific ports/applications. Any unspecified LAN IPs will still have access to these Internet destinations.

Note: By manually grouping similar devices into DHCP IP ranges (e.g. kids get x.x.x.50 to x.x.x.60 range) you will be able to minimise the firewall deny rules.


* this is why every firewall admin gets taught to end their firewall rulebase with an explicit any/any/any/drop ... where drop doesn't reply to the initiator so no signal to validate that something is at the destination IP.



Edit:

It occurs to me that if there are implied allow rules for LAN to Internet then these will be at the bottom of the firewall's rules, otherwise the deny rule in Test 1 wouldn't have worked.

For most people their SRM router will mostly be handling outbound connections (by one or two orders of magnitude vs inbound) so it is not efficient to have the rules at the end of the ruleset: the firewall tests each rule in sequence, top to bottom, until it finds a match and then actions the deny/allow.

By adding your own explicit rules for LAN to Internet and placing these towards the top of the ruleset then you'll have some optimisation in the router performance.

Also, if you really want to implement an any/any/any/deny rule at the end of the firewall's ruleset then you'll have to disable Port Forwarding's automatic firewall rules setting and do these by hand.
 
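To make the rule-ordering behaviour from the tests above concrete, here is a small first-match firewall evaluator written for this thread; it is an added example, not Synology's or SRM's code, and the LAN subnet (192.168.1.0/24), the phone's reserved address (.20), the kids' DHCP range (.50 to .60) and the rule layout are all assumptions chosen to mirror the post. It replays Test 1 (explicit deny at the top wins), Test 2 (no explicit rule, implicit outbound allow), and the recommendation to group kids' devices into one DHCP range, including a check of how many CIDR blocks a given range costs if the firewall takes networks rather than start/end ranges.

```python
# Added example (not Synology's code): toy first-match firewall evaluator that
# models the SRM behaviour fredbert observed. Subnet, addresses and rule layout
# are assumptions chosen to mirror the tests in the post.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network, summarize_address_range

ANY_NET = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")                       # assumed LAN subnet
PHONE = "192.168.1.20"                                   # assumed DHCP reservation for the test phone
KIDS_FIRST, KIDS_LAST = "192.168.1.50", "192.168.1.60"   # the x.x.x.50 to .60 idea from the post
WEB = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: IPv4Network                   # source addresses the rule applies to
    proto: str                         # "tcp", "udp" or "any"
    dports: frozenset = frozenset()    # destination ports; empty means any port

    def matches(self, src: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


def evaluate(rules, src, proto, dport, implicit_default="allow"):
    """Walk the ruleset top to bottom; the first match decides.
    If nothing matches, fall back to the implicit default. Test 2 in the post
    suggests SRM allows unmatched LAN-to-Internet traffic, hence 'allow'."""
    addr = ip_address(src)
    for rule in rules:
        if rule.matches(addr, proto, dport):
            return rule.action, rule.name
    return implicit_default, "implicit-default"


def cidrs_for_range(first, last):
    """CIDR blocks needed to cover an inclusive start-end range. Shows why an
    aligned range (e.g. .48 to .63) keeps the number of deny rules down."""
    return [str(n) for n in summarize_address_range(ip_address(first), ip_address(last))]


def kids_deny_rules(first=KIDS_FIRST, last=KIDS_LAST):
    """One deny rule per CIDR block covering the kids' range, for web ports."""
    return [Rule(f"deny-kids-web-{n}", "deny", ip_network(n), "tcp", WEB)
            for n in cidrs_for_range(first, last)]


def test1_ruleset():
    # Deny rule for the phone placed at the top; explicit LAN allow below it.
    return [Rule("deny-phone-web", "deny", ip_network(f"{PHONE}/32"), "tcp", WEB),
            Rule("allow-lan-internet", "allow", LAN, "any")]


def test2_ruleset():
    # Test 1 rule removed and the LAN allow deactivated: no explicit rule left.
    return []


def recommended_ruleset():
    # Specific denies first, then an explicit LAN allow near the top for the
    # first-match win, then the any/any/any/deny that makes the policy explicit.
    return (kids_deny_rules()
            + [Rule("allow-lan-internet", "allow", LAN, "any"),
               Rule("catch-all-deny", "deny", ANY_NET, "any")])


if __name__ == "__main__":
    print("Test 1 (phone -> https):", evaluate(test1_ruleset(), PHONE, "tcp", 443))
    print("Test 2 (phone -> https):", evaluate(test2_ruleset(), PHONE, "tcp", 443))
    print("CIDRs for .50-.60:", cidrs_for_range(KIDS_FIRST, KIDS_LAST))
    print("CIDRs for .48-.63:", cidrs_for_range("192.168.1.48", "192.168.1.63"))
    rs = recommended_ruleset()
    print("Kid .55 -> https:", evaluate(rs, "192.168.1.55", "tcp", 443))
    print("Kid .55 -> dns  :", evaluate(rs, "192.168.1.55", "udp", 53))
    print("Phone .20 -> https:", evaluate(rs, PHONE, "tcp", 443))
    print("Non-LAN source -> https:", evaluate(rs, "192.168.2.9", "tcp", 443))
```

The `cidrs_for_range` check is the practical takeaway from the note about grouping devices: .50 to .60 needs four CIDR blocks, while .48 to .63 is a single /28, so picking the reserved range to land on a block boundary means one deny rule instead of four. The catch-all deny at the bottom only behaves as intended once the firewall's automatic port-forwarding rules are handled manually, as the post points out; the model does not cover that.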