CIS firewall and VPN inspecting

I’m using a public VPN service to protect my network traffic. The VPN server assigns a public IP address and doesn’t offer NAT. I don’t know how to protect my computer from unsolicited inbound traffic now. Many sources on the internet testify that firewalls aren’t able to inspect tunnelled VPN traffic. So, my questions are:

1. Does Comodo Firewall filter (inspect) VPN traffic (L2TP/IPSec, IKEv2, SSTP, OpenVPN)? I mean, is it able to block unsolicited inbound VPN traffic from the public VPN server side (from the VPN server, from other users of this VPN server, or from any internet user) to my computer?
2. Why does the ‘‘Comodo Internet Security Firewall Driver’’ item appear in the TAP device (OpenVPN) interface and not in the L2TP, IKEv2, SSTP WAN miniport interfaces?
3. How do I configure a) Global Rules, b) Application Rules and c) Network Zones to be sure my VPN traffic is being inspected? Please provide configuration examples for OpenVPN (standard community software, port TCP 443) and for IKEv2 (Windows built-in software) if possible.

In my ignorance I was recently wondering myself whether firewalls can filter tunneled or encrypted traffic, until I got a VPN and observed that all the website filtering rules (to block ads and trackers on webpages) I had previously created on the Comodo firewall were no longer affecting my network traffic. Just like any other personal firewall, Comodo’s is unable to filter externally encrypted traffic. Which shouldn’t be surprising at all, given that one of the main uses of tunneling and encryption techniques is precisely to ensure that information is unreadable to third parties and thus kept private (and the task of deciphering such information would probably be impractically ■■■■■■■ time and system resources anyway).

When I connect to the internet without the VPN, the firewall’s dashboard will display multiple connections under multiple instances. If I connect through the VPN, the dashboard will typically display only one persistent connection called “openvpn.exe”, regardless of the actual number of applications connected to the internet at any moment. To see this network activity in detail I have to open another network monitor program.

Whether the firewall’s inability to decode the information opens a door to possible attacks is something that intrigues me as well. It probably depends on the intrinsic vulnerabilities of the VPN implementation or configuration. But I’d think that if your VPN goes to the extent of also hiding your IP address (mine does, and I can choose a different IP address every time I connect) then you aren’t necessarily more exposed without the firewall’s scrutiny. That’s assuming that your VPN server is trustworthy and you’re not an internet illiterate, of course.

Which leads me to another question: whether VPNs can render firewalls obsolete… Not to imply that VPNs are the be-all and end-all of internet security. There are other things against which VPNs don’t offer much protection by default (fingerprinting, for example), but I can’t see what the use is of a personal firewall that is unable to prevent unrestricted traffic through a VPN tunnel (assuming this is where all the computer’s network activity happens). It would be interesting to see a discussion in this regard, if pertinent. I’m still learning, and I feel that something escapes me here.

The only thing I can see a firewall like Comodo’s doing to protect against an attack perpetrated through a VPN tunnel is blocking all network traffic. That can be impractical in many cases. Unless there is a way to come up with a setup where the firewall lies in front of the VPN client from the host system’s perspective…

Shortly after leaving this post, I realized how wrong I was. A firewall is still important, even if just to control the ports of a computer. It turns out that my VPN client software already has some sort of built-in firewall which ensures that the only open port on my PC is the one being used by the VPN.

Control of the ports is a critical security measure, especially when using a VPN.

CFW works fine for me with OpenVPN.

Thank you for your reply. It seems that the CIS firewall really doesn’t inspect VPN traffic, and it means that using a public VPN service is a considerable security risk. Known and accessible public VPN servers (plus a public IP address assigned to the client), the absence of NAT on the servers and uninspected VPN traffic on the client side make users of public VPNs vulnerable to intruders and absolutely vulnerable to the owners of the VPN servers. There are some methods and approaches that allow users to connect to each other if they are clients of the same VPN server. Therefore the role of the firewall is critical in these circumstances.

So, the general formula is:

Bad implementation of VPN (I have never seen a good implementation of a public VPN) +
Uninspected VPN traffic on the client side =
Vulnerability.

It’s a good idea to put a firewall in front of the VPN client software. Is it possible? What kind of software do you use to view network connections under openvpn.exe?

Does CFW inspect your OpenVPN traffic? Can you give evidence?

Which part are we talking about here, CFW showing alerts for applications normally when using an OpenVPN connection or showing alerts for OpenVPN?

When I’m connected to a VPN via OpenVPN and then open for example FireFox.exe with firewall in Custom ruleset and no rules for it then I’ll see alerts for FireFox for outgoing traffic.

What kind of evidence are you interested in?

Hi, I would like to clarify whether CFW can block unsolicited traffic when I’m connected to the internet via VPN (assuming all network traffic goes through the VPN).
Have you ever seen alerts for inbound traffic when you are connected via OpenVPN (for any app or for openvpn.exe)?
I would like to see screenshots of your firewall’s dashboard (list of network connections) when you connect to the internet via OpenVPN and without the VPN.
What kind of rules do you use for openvpn.exe? Do you have a special configuration of Network Zones for VPN connections?

Sorry for the late response, messed up my system causing “Missing operating system” so had to fix that first.

Anyway, I made a video: Desktop 2015 10 20 12 24 15 02 - YouTube (may still be processing).

CFW can block inbound traffic coming through the VPN; it will show as coming from the real sender and will be alerted for the actual process (or “Windows Operating System” if no process is listening on that port).

I have seen alerts for inbound traffic, as you can see in the video; the inbound traffic is shown for the application, not openvpn.exe.

I have openvpn.exe set to Allowed Application usually (the visible traffic will be that between you and the VPN server, not the traffic that goes through the VPN… if that makes sense?). I have a network zone for the MAC address of the TAP device which I use for certain applications so they can’t communicate unless it’s via the TAP device.

I think it should be possible, but I don’t know how to set this up on my system.

I use Process Hacker. Comodo’s Killswitch (based on Process Hacker and included in CFW) does the same. But these won’t show every single connection. Maybe some sort of network monitor/sniffer could do the trick.

Note that I’m connecting to the VPN server through their own software (which already includes a built-in firewall of some sort), not with a simple OpenVPN client. So maybe that’s why my Comodo firewall can’t filter the traffic. I trust my VPN provider since I’ve read nothing but good things about them. Cyberghost.

Sorry for the super-late reply, and thank you very much for this great demonstration video. OpenVPN traffic really has been filtered by the CIS firewall. But I still have some questions:

1. What kind of rule do I have to set to block all inbound connections in the OpenVPN session context (I don’t need peer-to-peer etc.)? Are these OK?
    App rule for openvpn.exe: outgoing only
    Global rule: Block IP In From MAC Any To In [OpenVPN network zone] Where Protocol Is Any

2. What about other VPN protocols, for example IKEv2? The ‘‘Comodo Internet Security Firewall Driver’’ item doesn’t appear in the L2TP, IKEv2, SSTP WAN miniport interfaces. Should I configure a network zone for IKEv2 using the IP address assigned by the VPN server in this case?
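The thread's two central points are that the firewall sees decrypted packets on the TAP adapter (so the real remote sender is visible, as the video reply describes) and that a "Block IP In ... To In [OpenVPN network zone]" global rule is meant to stop unsolicited inbound traffic from other users of the same VPN server without breaking the client's own connections. The Python below is an added illustration, not code from this thread or from Comodo: it models a stateful filter applied to packets on the tunnel interface. The addresses (10.8.0.0/24 pool, 10.8.0.23 for this client, 203.0.113.10 as a web server) are constructed, and it assumes, as stateful personal firewalls do, that replies to flows the client opened are allowed while anything else arriving into the VPN zone is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed values: a typical OpenVPN client address pool and the
# address this client received from the server. Not taken from the thread.
VPN_ZONE = ipaddress.ip_network("10.8.0.0/24")
MY_VPN_ADDR = "10.8.0.23"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving on the TAP adapter, "out" = leaving through it
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]   # (proto, local, lport, remote, rport)


class TunnelFirewall:
    """Model of a stateful 'Block IP In to [VPN zone]' rule on decrypted packets.

    This is an assumption about how such a rule behaves, not Comodo's own logic.
    """

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()          # outbound flows seen so far
        self.log: List[Tuple[str, bool, str]] = []  # (packet summary, allowed, reason)

    def _record(self, pkt: Packet, allowed: bool, reason: str) -> bool:
        summary = f"{pkt.direction} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        self.log.append((summary, allowed, reason))
        return allowed

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed, False if blocked."""
        if pkt.direction == "out":
            # Outbound is permitted; remember the flow so its replies can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return self._record(pkt, True, "outbound allowed, flow recorded")

        # Inbound: is it the reply half of a flow this client opened itself?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return self._record(pkt, True, "reply to an existing outbound flow")

        # Anything else arriving at an address in the VPN zone is unsolicited.
        if ipaddress.ip_address(pkt.dst) in VPN_ZONE:
            return self._record(pkt, False, "Block IP In to [OpenVPN zone]: unsolicited")

        return self._record(pkt, False, "no rule matched, default deny")


def run_scenario() -> List[bool]:
    """Constructed packet sequence on the tunnel interface; returns the verdicts."""
    fw = TunnelFirewall()
    packets = [
        # 1. Client opens an HTTPS connection through the tunnel.
        Packet("out", "tcp", MY_VPN_ADDR, 51000, "203.0.113.10", 443),
        # 2. The server's reply matches the recorded flow and is let through.
        Packet("in", "tcp", "203.0.113.10", 443, MY_VPN_ADDR, 51000),
        # 3. Another client of the same VPN server tries to reach a local service.
        Packet("in", "tcp", "10.8.0.77", 40000, MY_VPN_ADDR, 445),
        # 4. Unsolicited UDP from the VPN gateway address.
        Packet("in", "udp", "10.8.0.1", 5555, MY_VPN_ADDR, 5555),
        # 5. Same web server, but a local port the client never used: not a reply.
        Packet("in", "tcp", "203.0.113.10", 443, MY_VPN_ADDR, 51001),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    fw = TunnelFirewall()
    for verdict in run_scenario():
        pass
    for summary, allowed, reason in TunnelFirewall().log:
        print(summary, "ALLOW" if allowed else "BLOCK", reason)
    print(run_scenario())
```

The third and fourth packets are the case the original poster is worried about (traffic from another user or from the server side of a public VPN); the first two show why an "outgoing only" application rule plus a stateful inbound block on the zone does not break the client's own browsing. The model says nothing about the IKEv2/SSTP question, since those adapters are not TAP devices and the thread leaves open whether the filter driver binds to them.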