Isolating OpenVPN Network
-
Hi guys,
I've got 3 OpenVPN servers. I would like to isolate one of the servers from my LAN and WebConfigurator. This server will be for foreign clients.
Is there any easy way I can isolate only one OpenVPN server from my LAN and WebConfigurator? However I would like all foreign clients to be able to access internet through the VPN tunnel.
I'm looking forward to hearing from you.
Regards,
Nick -
Firewall rules on the OpenVPN Tab and/or the OpenVPN assigned interface tab.
Block local assets, pass any (the internet).
-
Hi Derelict,
Thanks for your quick reply! Other 2 VPN Servers are using the same interface. Wouldn't that be a problem?
Regards,
Nick -
Either assign an interface to that OpenVPN instance or block sourced from that tunnel network, or both.
-
Thanks Derelict.
Took me ages to decipher your advice, but that's because it's been a long time since I created/edited any firewall rules.
I'm wondering, if I block all sourced traffic, I'll lose internet connectivity as well, because all packets to my WAN are sourced from my OpenVPN, am I right?
What I did was introduce the following 4 rules:
1. Protocol IPV4 TCP Source LAN net Port * Destination 192.168.10.0/24 [That's the VPN network I'm trying to isolate] Port * Gateway * - with this rule I block all packets from LAN to my isolated OpenVPN network.
2. Protocol IPV4 TCP Source 192.168.10.0/24 Port * Destination LAN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to LAN
3. Protocol IPV4 * Source 192.168.10.0/24 Port * Destination OPENVPN net Port * Gateway * - with this rule I block all packets from isolated OpenVPN to other VPN networks
4. Protocol IPV4 * Source * Port * Destination * Port * Gateway * - allow all traffic
Do those rules make sense? Can you please advise if I'm missing something.
Regards,
Nick -
> Thanks Derelict.
> Took me ages to decipher your advice, but that's because it's been a long time since I created/edited any firewall rules.
> I'm wondering, if I block all sourced traffic, I'll lose internet connectivity as well, because all packets to my WAN are sourced from my OpenVPN, am I right?
> What I did was introduce the following 4 rules:
> 1. Protocol IPV4 TCP Source LAN net Port * Destination 192.168.10.0/24 [That's the VPN network I'm trying to isolate] Port * Gateway * - with this rule I block all packets from LAN to my isolated OpenVPN network.
All TCP packets, anyway, assuming it is on the LAN interface.
> 2. Protocol IPV4 TCP Source 192.168.10.0/24 Port * Destination LAN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to LAN
> 3. Protocol IPV4 * Source 192.168.10.0/24 Port * Destination OPENVPN net Port * Gateway * - with this rule I block all packets from isolated OpenVPN to other VPN networks
> 4. Protocol IPV4 * Source * Port * Destination * Port * Gateway * - allow all traffic
Impossible to say since you didn't say what interfaces those rules are on.
-
Sorry, I forgot to specify. I have 3 interfaces: WAN, LAN and OpenVPN. All the rules above apply to OpenVPN interface only.
-
You need a better grasp regarding what firewall rules should go where:
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
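As an added illustration (not from the thread and not pfSense's own code), the four rules Nick posted, fed through a small first-match evaluator in Python that models what a pfSense interface tab does; it surfaces the gaps Derelict points at: rules 1 and 2 only match TCP, rule 1 never sees LAN-sourced packets because it sits on the OpenVPN tab, and nothing covers the WebConfigurator on the tunnel gateway address. LAN net, the two other tunnel nets and the tunnel gateway address are assumed values, since the thread names only 192.168.10.0/24.

```python
import ipaddress
from dataclasses import dataclass
# Assumed addressing: only 192.168.10.0/24 (the isolated tunnel) comes from the thread;
# LAN net, the other two tunnel nets and the tunnel gateway address are placeholders.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ISOLATED_NET = ipaddress.ip_network("192.168.10.0/24")
OTHER_VPN_NETS = [ipaddress.ip_network("10.8.0.0/24"), ipaddress.ip_network("10.9.0.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    iface: str   # tab the rule sits on; it only sees traffic entering that interface
    action: str  # "block" or "pass"
    proto: str   # "tcp", "udp", "icmp" or "*" (any IPv4 protocol)
    src: list    # ip_network objects
    dst: list
    def matches(self, iface, proto, src, dst):
        return (self.iface == iface and self.proto in ("*", proto)
                and any(src in n for n in self.src) and any(dst in n for n in self.dst))

def evaluate(rules, iface, proto, src, dst):
    """First match wins, as on a pfSense tab; 'nomatch' if no rule on that ingress interface applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(iface, proto, src, dst):
            return r.action
    return "nomatch"

# Nick's four rules, all on the OpenVPN tab as he states later in the thread.
NICK_RULES = [
    Rule("openvpn", "block", "tcp", [LAN_NET], [ISOLATED_NET]),
    Rule("openvpn", "block", "tcp", [ISOLATED_NET], [LAN_NET]),
    Rule("openvpn", "block", "*", [ISOLATED_NET], OTHER_VPN_NETS),
    Rule("openvpn", "pass", "*", ANY, ANY),
]

def gaps(rules=NICK_RULES):
    """Flows the rule set does not stop, each one a point raised or implied in the thread."""
    found = []
    # Rules 1 and 2 are TCP-only, so UDP (and ICMP) from the isolated tunnel reaches LAN via rule 4.
    if evaluate(rules, "openvpn", "udp", "192.168.10.5", "192.168.1.10") == "pass":
        found.append("udp isolated->LAN passes")
    # Rule 1 is on the OpenVPN tab, but LAN-sourced packets enter on LAN; the stock LAN allow-all passes them.
    if evaluate(rules, "lan", "tcp", "192.168.1.10", "192.168.10.5") == "nomatch":
        found.append("rule 1 never sees LAN ingress")
    # The firewall's tunnel address (assumed 192.168.10.1) is outside LAN net, so rule 4 passes TCP
    # to the WebConfigurator, which listens on every interface unless restricted.
    if evaluate(rules, "openvpn", "tcp", "192.168.10.5", "192.168.10.1") == "pass":
        found.append("tcp isolated->tunnel gateway (WebConfigurator) passes")
    return found
```

Running gaps() lists all three flows; a block rule with protocol any from the isolated net to LAN net, the other tunnel nets and "This Firewall" (self), placed above the pass-any rule on the OpenVPN tab, closes them.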