Bug 12111

Summary: Suricata does not inspect traffic from OpenVPN networks
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact: Peter Müller <peter.mueller>
Severity: Security
Priority: Will affect most users
CC: michael.tremer
Version: 2
Keywords: Security
Hardware: all
OS: All
Bug Depends on:
Bug Blocks: 12052

Description Peter Müller 2019-07-04 17:34:06 UTC
At the moment, Suricata inspects traffic from IPsec connections as they are routed via RED. However, it does not observe anything on OpenVPN's tun0 interface - traffic from remote OpenVPN RW/N2N connections will not be scanned.
Comment 2 Michael Tremer 2019-12-16 11:04:49 UTC
(In reply to Stefan Schantl from comment #1)
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=896840eaf295996cba86a47a4cb38f401d2c692f

I do not entirely agree with the patch:

a) You are only scanning RW
b) You check if the OpenVPN daemon is running and you should always add the subnets even if the daemon is not running

Would have been better to comment on the mailing list :)
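The two review points above (only the RW subnet is scanned, and only while the daemon is running) as an added example that is not part of this bug thread or of IPFire's code: a Python sketch of the flawed subnet selection beside the corrected one, with a check for whether a tunnel client's address falls inside the IDS home network. It assumes the fix amounts to adding the OpenVPN subnets to the home-network list Suricata inspects (the thread implies this but does not spell it out); the configuration keys and values are constructed and are not IPFire's real files.

```python
import ipaddress

# Constructed sample configuration, loosely modelled on key=value settings files.
# Field names are hypothetical; they are not IPFire's actual configuration.
SAMPLE_ETHERNET = {"GREEN_NETADDRESS": "192.168.1.0", "GREEN_NETMASK": "255.255.255.0"}
SAMPLE_OVPN_SETTINGS = {"OVPN_SUBNET": "10.20.30.0/255.255.255.0"}          # roadwarrior pool
SAMPLE_N2N_SUBNETS = ["10.99.1.0/255.255.255.0", "10.99.2.0/255.255.255.0"]  # net-to-net remotes


def parse_network(text):
    """Turn 'addr/mask' (dotted mask or prefix length) into an IPv4Network."""
    return ipaddress.ip_network(text, strict=False)


def green_network(ethernet):
    return parse_network(f"{ethernet['GREEN_NETADDRESS']}/{ethernet['GREEN_NETMASK']}")


def home_networks_buggy(ethernet, ovpn_settings, n2n_subnets, ovpn_running):
    """Reproduces the two problems raised in comment 2: only the RW subnet is
    considered, and only while the OpenVPN daemon happens to be running."""
    nets = [green_network(ethernet)]
    if ovpn_running:
        nets.append(parse_network(ovpn_settings["OVPN_SUBNET"]))
    # n2n_subnets are ignored entirely
    return nets


def home_networks_fixed(ethernet, ovpn_settings, n2n_subnets):
    """Always include the RW pool and every N2N subnet. Daemon state is
    deliberately not consulted: the IDS ruleset must already cover the tunnel
    networks by the time the first tunnel comes up."""
    nets = [green_network(ethernet), parse_network(ovpn_settings["OVPN_SUBNET"])]
    nets.extend(parse_network(s) for s in n2n_subnets)
    # De-duplicate while keeping a stable order (N2N and RW ranges may overlap
    # a locally configured network in odd setups).
    seen, unique = set(), []
    for net in nets:
        if net not in seen:
            seen.add(net)
            unique.append(net)
    return unique


def is_inspected(nets, address):
    """True if a flow from `address` would be treated as home-network traffic."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def home_net_yaml(nets):
    """Render the list in the bracketed, comma-separated syntax suricata.yaml
    uses for the HOME_NET address group."""
    return "[" + ",".join(str(net) for net in nets) + "]"


if __name__ == "__main__":
    # Daemon stopped at the time the IDS is started: buggy selection misses the tunnel.
    buggy = home_networks_buggy(SAMPLE_ETHERNET, SAMPLE_OVPN_SETTINGS, SAMPLE_N2N_SUBNETS, False)
    fixed = home_networks_fixed(SAMPLE_ETHERNET, SAMPLE_OVPN_SETTINGS, SAMPLE_N2N_SUBNETS)
    for label, nets in (("buggy", buggy), ("fixed", nets := fixed)):
        print(label, home_net_yaml(nets),
              "rw client inspected:", is_inspected(nets, "10.20.30.5"),
              "n2n host inspected:", is_inspected(nets, "10.99.2.7"))
```

The check in `is_inspected` is the one worth running against a live box: pick an address from the RW pool and from each N2N remote network and confirm it lands inside the generated HOME_NET, with the OpenVPN service stopped as well as started.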
Comment 3 Stefan Schantl 2019-12-17 11:58:44 UTC
Hello Michael, thanks for your feedback.

You are right, commenting on the ML is much easier. I'll send a new patch directly to the mailing list.
Comment 4 Stefan Schantl 2019-12-17 12:08:41 UTC
Patch has been sent to the development mailing list:

https://patchwork.ipfire.org/patch/2649/