Should a VPN be its own firewall zone

Hi All

Most of the documentation for setting up OpenVPN suggests adding the TUN device to either the LAN or WAN firewall zone. Wouldn't it be better to set up the VPN as its own firewall zone and then configure forwarding as needed?

I'm trying to set up a site-to-site VPN allowing all the clients to communicate with each other. Most of the documentation seems geared towards running all traffic through the VPN.

Thanks

Sam

It depends on the use case. If the vpn server is supposed to extend the lan, it makes sense to add it in the lan zone. If the vpn client provides internet, it makes sense to add it in the wan zone. If, however, the vpn provides internet and you also need a killswitch, then adding it in a different zone is a good idea.

Adding the vpn in the lan interface is a good idea here. However not all traffic needs to go through the vpn, only the interesting traffic.

3 Likes

If you want to fully merge the networks and you trust everyone at all the sites, it would be appropriate to put the VPN tunnel into the LAN zone.

1 Like

My site-to-site VPN is in its own firewall zone.

Hi All

Thanks for the replies.

I understand that the VPN server can be treated as being "secure" (assuming you trust everyone you give login details to) and therefore part of LAN, and a client could be LAN or WAN depending on how it's used.

The Firewall documentation seems to suggest a device shouldn't be added to a zone:

"Avoid using device if you have already defined network. Using network is preferable in general unless the interface is undeclared"

The device option is specifically suitable for OpenVPN as it lacks built-in netifd support.
OpenVPN client tun adapter loses its IP address on network restart

1 Like
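As an added illustration of the two points above (a dedicated zone for the tunnel, and binding that zone with the device option because OpenVPN has no netifd support), here is a firewall configuration for the site-to-site case. This is example configuration written for this thread, not from any of the posters or from the OpenWrt documentation. It assumes the OpenVPN interface is tun0, the server listens on UDP 1194, and the local network is the stock lan zone; adjust those to match your setup.

```uci
# /etc/config/firewall (only the stanzas relevant to the tunnel are shown)

# Dedicated zone for the site-to-site tunnel. OpenVPN creates tun0 itself,
# so the zone is bound with 'device' rather than 'network' (no netifd interface exists).
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'REJECT'     # remote site gets no access to this router's own services...
	option output 'ACCEPT'
	option forward 'REJECT'   # ...and no path into other zones unless a forwarding allows it

# The "interesting traffic": the two LANs may reach each other, in both directions.
config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

# Deliberately no 'vpn' -> 'wan' forwarding: the remote site cannot use this
# site's internet uplink, which is the difference from simply putting tun0 in lan.

# Server end only: accept the OpenVPN handshake arriving on the WAN side.
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'
```

The vpn zone has no masquerade option, so traffic between the sites keeps its real source addresses; that requires both routers to have routes for the other site's subnet (normally pushed by OpenVPN), but it means firewall logs on either side show which remote host actually made a connection. If the remote LAN needs a service on this router (DNS, for example), add a specific config rule with src 'vpn' for that port rather than changing the zone's input policy to ACCEPT.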

Hi vgaetera

I did see something about that in the documentation (see link at bottom). I'm still not 100% sure what netifd is...
I'm going to go read the documentation of netifd again, but anything you can do to expand your answer would be appreciated :)

S