Does a VPN connection bypass a router's firewall?

I've been looking at VPN providers lately and I noticed that Vypr VPN provides a firewall for an extra monthly charge. On their firewall page it says the following:

When you connect to VyprVPN, you tunnel past your wireless router and get your own dedicated connection to the Internet. This connection isn't shared, so ... unrequested inbound scans are no longer blocked.

HMA is another provider I was looking at, and I noticed that they have no mention of a firewall. So I shot them an email and got the following response:

A VPN doesn't bypass your OS / router firewall. And a VPN doesn't act as a firewall either. We do not provide an add-on firewall service. You will need a good Antivirus/firewall protection suite to prevent malware and intrusion.

So who is right? Do VPN connections bypass router firewalls? Did I just read Vypr's site incorrectly?


Solution 1:

VPNs per se do not bypass firewalls; they "tunnel" through them. Let me try and explain this in more detail.

When your computer wants to get content, e.g. a particular web page, it creates an HTTP request. This packet is wrapped into a TCP packet, the name of the website is resolved to an IP address, and the TCP packet is handed over to the IP layer for routing. The IP layer decides, based on the IP address and its routing tables, where to send the packet (the next hop router, which is usually your default gateway). It wraps the TCP packet into an IP datagram, puts the MAC address of the next hop router into it and hands it over to the Ethernet interface, which transmits the whole shebang onto the wire.

Firewalls work at the IP layer of this whole machinery (well, usually they do). Your normal SOHO router/gateway/modem device will have a firewall that allows outgoing connections and any return packets for these.

Now what happens when you establish a VPN connection? The VPN client creates a connection to a VPN server somewhere else. The important part is that it then also alters your routing tables, which generally results in the fact that the IP layer now routes all or some of your outgoing traffic into the VPN client instead of directly out the interface. The VPN client then wraps the entire IP datagram into another TCP packet (and at this precise moment the original packet becomes effectively invisible to the IP layer), and this packet is now sent to the VPN server (which unwraps it and then passes it on).

The net effect of this is that of a "tunnel". Firewall and routing rules which would ordinarily apply to a packet are "bypassed" by pushing the packet through the VPN connection. Which also means that if the VPN tunnel handles ALL your outgoing traffic, then any protection mechanisms that are applied at the SOHO router are now ineffective.

I hope this explains the meaning of "bypassing" in this context.
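The two mechanisms this answer describes, the VPN client rewriting the routing table and then wrapping the selected packet so the router only sees the outer header, as an added example that is not part of the original answer. It is a toy longest-prefix-match routing table in Python; all addresses, interface names and the VPN server are constructed sample values, and the `/1` split-default trick it uses is the one OpenVPN's `redirect-gateway def1` option applies.

```python
# Added example (not from the original answer): a toy routing table with
# longest-prefix-match lookup, showing how a VPN client's route changes steer
# traffic into the tunnel interface, and how the chosen packet is then
# encapsulated so its original IP header is no longer visible to the router
# on the path.  All addresses below are constructed sample values.
from ipaddress import ip_address, ip_network

def lookup(routes, dst):
    """Return (interface, next_hop) for the most specific route matching dst."""
    dst = ip_address(dst)
    best = None
    for prefix, iface, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]

# Routing table of a laptop on a home LAN before the VPN is up.
BASE_ROUTES = [
    ("0.0.0.0/0",      "eth0", "192.168.1.1"),  # default route via the home router
    ("192.168.1.0/24", "eth0", None),           # directly connected LAN
]

VPN_SERVER = "203.0.113.10"   # constructed: the provider's VPN endpoint

# What a typical VPN client adds: a host route to the VPN server through the
# real gateway (so the tunnel itself keeps working), plus two /1 routes that
# together cover all of IPv4 but are more specific than /0, so they win
# longest-prefix match without the original default having to be deleted.
VPN_ROUTES = BASE_ROUTES + [
    (f"{VPN_SERVER}/32", "eth0", "192.168.1.1"),
    ("0.0.0.0/1",        "tun0", None),
    ("128.0.0.0/1",      "tun0", None),
]

def encapsulate(inner, vpn_server=VPN_SERVER, vpn_port=1194):
    """Wrap an IP packet the way a tunnel does: only the outer header is routable."""
    return {
        "src": inner["src"], "dst": vpn_server, "proto": "udp", "dport": vpn_port,
        "payload": f"<encrypted {len(str(inner))}-byte blob>",  # inner header is opaque
        "_inner": inner,  # kept only so the example can show what was hidden
    }

def send(routes, packet):
    """Route a packet; if it is sent to tun0, encapsulate it and route the outer packet."""
    iface, via = lookup(routes, packet["dst"])
    if iface == "tun0":
        outer = encapsulate(packet)
        iface, via = lookup(routes, outer["dst"])
        return iface, via, outer
    return iface, via, packet

if __name__ == "__main__":
    web = {"src": "192.168.1.50", "dst": "198.51.100.7", "proto": "tcp", "dport": 80}
    print("before VPN:", lookup(BASE_ROUTES, web["dst"]))
    print("after VPN: ", lookup(VPN_ROUTES, web["dst"]))
    iface, via, outer = send(VPN_ROUTES, web)
    print("on the wire:", iface, via, outer["dst"], outer["dport"], outer["payload"])
```

The point to notice is the last line of output: the packet that actually leaves `eth0` toward the home router is addressed to the VPN server on the VPN port, and the original destination and port exist only inside the encrypted payload. A LAN address still matches the `/24` route and the VPN server matches its `/32`, so those two never enter the tunnel.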

Solution 2:

For maximum lulz, they're both wrong -- and both right.

A VPN will allow traffic that might otherwise have been blocked by an intermediate firewall to pass, simply because the traffic doesn't look like any that the firewall rules are designed to block. For instance, if a firewall is configured to block all incoming connections destined for the internal machine, that traffic will not be blocked by the firewall if it's encapsulated in the VPN, for the simple reason that the traffic, from the firewall's perspective, looks like the VPN traffic.

On the other hand, the firewall is still capable of having rules that result in blocking the VPN traffic itself (regardless of what the VPN traffic is), if configured to do so (which would mean that your VPN wouldn't work) -- so you do need to be mindful of your firewall rules in that respect.

Also, firewalls at the VPN endpoints can affect traffic, because they can see the traffic as it comes out of the VPN tunnel and becomes regular traffic. I suspect Vypr's firewall service is something that filters traffic before it enters the VPN and travels to your endpoint, saving you the cost of having to carry that traffic only to drop it at your end.

Solution 3:

"doesn't bypass your router firewall" is wrong, at least for the intuitive understanding of "bypass": what you get is a network interface on your computer that appears to be directly connected to their network. So I would have thought that the OS firewall applies but the router can't see any of the packets. Vypr are correct.
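Solution 2 and Solution 3 make the same three points from different angles: the router's stateful firewall drops an unsolicited inbound connection when it arrives directly, lets the same connection through when it arrives inside the VPN flow the laptop itself opened (because it only ever sees the outer header), yet the host's own firewall still sees the decapsulated packet, and a router rule against the VPN port simply stops the tunnel. The following Python simulation is an added example, not code from either answer; the firewalls, the VPN endpoint, the addresses and the probe packet are all constructed stand-ins for that scenario.

```python
# Added example (not from either answer): a toy stateful router firewall and a
# host firewall, run over constructed packets, to show (a) an inbound packet the
# router would drop is never inspected by it once it rides inside the laptop's
# established VPN flow, (b) the host firewall, which runs after decapsulation,
# still sees and drops it, and (c) a router rule on the VPN port blocks the
# tunnel itself.  Every address and port below is a constructed sample value.

VPN_SERVER, VPN_PORT = "203.0.113.10", 1194   # constructed VPN endpoint
LAPTOP = "192.168.1.50"                        # constructed LAN host
SCANNER = "198.51.100.99"                      # constructed unsolicited scan source

def packet(src, sport, dst, dport, proto="tcp", inner=None):
    """A minimal packet; 'inner' stands for an encrypted encapsulated packet."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "inner": inner}

class StatefulRouterFirewall:
    """SOHO-style policy: allow LAN-initiated flows and their replies, drop the rest."""
    def __init__(self, blocked_ports=()):
        self.blocked_ports = set(blocked_ports)
        self.flows = set()  # (src, sport, dst, dport, proto) of allowed outbound flows

    def outbound(self, pkt):
        # Only the outer header is consulted; 'inner' is opaque ciphertext here.
        if pkt["dport"] in self.blocked_ports:
            return False
        self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"]))
        return True

    def inbound(self, pkt):
        # Inbound is allowed only if it is the reverse of a flow we recorded.
        reply_of = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        return reply_of in self.flows

class HostFirewall:
    """The OS firewall on the laptop: it sees packets after the VPN decapsulates them."""
    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)

    def inbound(self, pkt):
        return pkt["dport"] in self.open_ports

def simulate(router_blocks_vpn=False):
    """Run the scenario and return what each firewall decided at each step."""
    router = StatefulRouterFirewall(blocked_ports={VPN_PORT} if router_blocks_vpn else ())
    host = HostFirewall(open_ports=())   # laptop offers no inbound services
    results = {}

    # 1. An unsolicited SYN to the laptop's ssh port, arriving directly from the Internet.
    probe = packet(SCANNER, 40000, LAPTOP, 22)
    results["direct_probe_passes_router"] = router.inbound(probe)

    # 2. The laptop opens its VPN tunnel; this is a LAN-initiated outbound flow.
    handshake = packet(LAPTOP, 51000, VPN_SERVER, VPN_PORT, proto="udp")
    results["vpn_tunnel_up"] = router.outbound(handshake)

    if results["vpn_tunnel_up"]:
        # 3. The same probe, now delivered by the VPN server inside the tunnel flow.
        tunnelled = packet(VPN_SERVER, VPN_PORT, LAPTOP, 51000, proto="udp", inner=probe)
        results["tunnelled_probe_passes_router"] = router.inbound(tunnelled)
        # 4. The laptop's VPN client decapsulates; its own firewall sees the real packet.
        results["tunnelled_probe_passes_host"] = host.inbound(tunnelled["inner"])
    return results

if __name__ == "__main__":
    for blocked in (False, True):
        print("router blocks VPN port:", blocked, "->", simulate(router_blocks_vpn=blocked))
```

Running it shows the direct probe dropped at the router, the tunnelled copy of the same probe accepted by the router (it matches the reply direction of the flow the laptop opened, and the router never looks at port 22), and then dropped by the host firewall. With `router_blocks_vpn=True` the handshake itself is refused and the tunnelled steps never happen, which is the "be mindful of your firewall rules" case from Solution 2.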