OpenVPN disallow traffic to LAN and WAN only VPN
How can I set up my pfSense firewall so I can access my own internet from the LAN side? (The pfSense firewall is installed on a VMware machine and I have set up a lab with VMware clients that also need internet action.)
@owlbear
Not really clear what you want to achieve.
pfSense is by default configured to be an upstream router. From devices in the LAN subnet it allows access to anywhere, internet and other local subnets as well.
If you had run the OpenVPN wizard to set up a server, it allows the same for OpenVPN clients.
As any other upstream router the local devices must be configured to use it as gateway.
If you want to enable a DHCP server on LAN for automatic configuration, you have to configure it in Services > DHCP server.
@viragomann thank you but with my question I mean I don't want to allow traffic to the LAN and WAN subnet. I only want to allow accessibility for people connecting to the VPN to the VPN subnet nothing else.
For example LAN: 192.168.100.0/24 = block
For example WAN: 192.168.0.1/24 = block
VPN: 192.168.128.0/24 = allow
Actually I mean that you can access the VPN subnet as a VPN user but not the WAN or LAN subnet.
@owlbear said in OpenVPN disallow traffic to LAN and WAN only VPN:
I only want to allow accessibility for people connecting to the VPN to the VPN subnet nothing else.
VPN subnet means the tunnel network. So that the clients can access pfSense itself?
For example LAN: 192.168.100.0/24 = block
For example WAN: 192.168.0.1/24 = block
VPN: 192.168.128.0/24 = allow
So edit the pass rule on the OpenVPN tab and set the destination to network and enter 192.168.128.0/24.
Since this rule doesn't allow any other destination, access is blocked.
However, consider that a rule on the OpenVPN tab is applied to all OpenVPN instances, either servers or clients.
So if you run multiple instances, you should assign interfaces to them and define your rules on this.
If you want to allow the OpenVPN clients to talk with each other, you have to allow this in the VPN server settings. Basically traffic between the clients doesn't pass the firewall.
@viragomann said in OpenVPN disallow traffic to LAN and WAN only VPN:
nel network. So that the clients can access pfSense itself?
For example LAN: 192.168.100.0/24 = block
Yes, this kinda works for the LAN but not for the WAN. The VPN is accessible, the LAN isn't anymore from the VPN subnet, but the WAN can still be reached/pinged.
@owlbear said in OpenVPN disallow traffic to LAN and WAN only VPN:
but the WAN can still be reached/pinged.
You mean the WAN address? This is not routed through the VPN and must not be. So access to it doesn't go through the OpenVPN interface.
You must block it on WAN. Normally you should only have allowed on WAN what you need, e.g. only the OpenVPN port 1194.
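The two fixes in this thread (restricting the OpenVPN-tab rule to the tunnel network, then allowing only UDP/1194 in on WAN) both follow from one property of pfSense rule processing: rules are evaluated on the interface a packet arrives on, first match wins, and unmatched traffic is dropped. The toy model below is an added illustration, not pfSense code or anything posted in the thread. It uses the networks quoted above; the WAN address is assumed to be 192.168.0.1, the VPN client and internet source addresses are constructed sample values, and the "broad" WAN rule is an assumed starting point that reproduces the symptom (WAN address still pingable after the OpenVPN rule was tightened). Client-to-client tunnel traffic, which viragomann notes does not pass the firewall at all, is not modelled.

```python
"""Toy model of pfSense per-interface, first-match, default-deny rule evaluation.

Added illustration, not pfSense code. Networks come from the thread; client and
internet source addresses are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

LAN_NET = "192.168.100.0/24"   # LAN subnet quoted in the thread
VPN_NET = "192.168.128.0/24"   # OpenVPN tunnel network quoted in the thread
WAN_ADDR = "192.168.0.1"       # assumed pfSense WAN address (thread quotes 192.168.0.1/24)
OPENVPN_PORT = 1194            # OpenVPN listener port named in the thread


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet ARRIVES on: "openvpn", "wan", "lan"
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None matches any protocol
    dst: Optional[str] = None       # CIDR; None matches any destination
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


Ruleset = Dict[str, List[Rule]]   # ingress interface -> ordered rule list


def evaluate(ruleset: Ruleset, pkt: Packet) -> str:
    """First matching rule on the ingress interface decides; no match means block."""
    for rule in ruleset.get(pkt.iface, []):
        if rule.matches(pkt):
            return rule.action
    return "block"


# Starting point: the wizard's OpenVPN rule passes everything, and an assumed
# overly broad WAN rule lets anything in.
BROAD: Ruleset = {
    "openvpn": [Rule("pass")],
    "wan": [Rule("pass")],
}

# Step 1 from the thread: OpenVPN-tab rule limited to the tunnel network.
# WAN is untouched, so its address stays reachable (the symptom reported above).
VPN_RESTRICTED: Ruleset = {
    "openvpn": [Rule("pass", dst=VPN_NET)],
    "wan": [Rule("pass")],
}

# Step 2 from the thread: only the OpenVPN listener is allowed in on WAN.
HARDENED: Ruleset = {
    "openvpn": [Rule("pass", dst=VPN_NET)],
    "wan": [Rule("pass", proto="udp", dst=WAN_ADDR + "/32", dport=OPENVPN_PORT)],
}

# Constructed sample traffic. A VPN client reaching the WAN address does so over
# the internet, so that packet enters on "wan", not on "openvpn".
VPN_TO_LAN = Packet("openvpn", "tcp", "192.168.128.2", "192.168.100.10", 445)
VPN_TO_TUNNEL = Packet("openvpn", "icmp", "192.168.128.2", "192.168.128.1")
PING_WAN_ADDR = Packet("wan", "icmp", "203.0.113.5", WAN_ADDR)
VPN_HANDSHAKE = Packet("wan", "udp", "203.0.113.5", WAN_ADDR, OPENVPN_PORT)


def outcomes(ruleset: Ruleset) -> Dict[str, str]:
    """Verdict for each sample packet under the given ruleset."""
    return {
        "vpn->lan": evaluate(ruleset, VPN_TO_LAN),
        "vpn->tunnel": evaluate(ruleset, VPN_TO_TUNNEL),
        "ping wan addr": evaluate(ruleset, PING_WAN_ADDR),
        "openvpn handshake": evaluate(ruleset, VPN_HANDSHAKE),
    }


if __name__ == "__main__":
    for name, rs in (("broad", BROAD), ("vpn restricted", VPN_RESTRICTED), ("hardened", HARDENED)):
        print(name, outcomes(rs))
```

Running it shows the progression: under BROAD everything passes; under VPN_RESTRICTED the LAN is blocked from the tunnel while the WAN address is still pingable, because that ICMP packet never touches the OpenVPN rules; under HARDENED only the UDP/1194 handshake is accepted on WAN.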
@viragomann thanks you are right. I misunderstood that part. Only the machines on the LAN not the WAN side.