VPN Help: site to site but one way access
-
I am starting over with my VPNs and need some advice.
I have two clients whose networks I manage. I have set up an OpenVPN server at my house and OpenVPN clients at the client side. All sites are using pfSense/OpenVPN.
The VPNs are working as a site-to-site config. I would like to prevent the clients from seeing each other (which I think I got working) AND seeing the server network, but the server network can see them both. Basically I don't want the clients to see my local network at home.
I've tried several firewall rules but I can't seem to get it to work in a one-way direction. So far it's either all or nothing.
I need some pointers.
Thanks
-
@mrwildbob
That's just a thing of firewall rules according to the pfSense rule behavior. Add your rules to the incoming interface. So if you don't need the clients to talk to each other, but only access a server at your home, add a pass rule to the VPN interface to allow it. Limit the destination to the server IP and the protocol to what you need.
-
If you only ever want to connect from the server to the clients just don't add any pass rules at the server end.
-
@stephenw10 I was thinking the same thing but it didn't work. I removed all rules from both sides.
Here are my ping results:
Server Side
From PFSense Ping gui:
LAN - Tun Rem - 10.3.101.2 - No
LAN - Tun Loc - 10.3.101.1 - Yes
LAN - LAN Rem - 192.168.14.1 - No
OVPN - Tun Rem - 10.3.101.2 - No
OVPN - Tun Loc - 10.3.101.1 - Yes
OVPN - LAN Rem - 192.168.14.1 - No
From PC Command Prompt:
PC - Tun Rem - 10.3.101.2 - No
PC - Tun Loc - 10.3.101.1 - Yes
PC - LAN Rem - 192.168.14.1 - No
Client Side
From PFSense Ping gui:
LAN - Tun Rem - 10.3.101.1 - No
LAN - Tun Loc - 10.3.101.2 - Yes
LAN - LAN Rem - 10.51.50.1 - No
OVPN - Tun Rem - 10.3.101.1 - No
OVPN - Tun Loc - 10.3.101.2 - Yes
OVPN - LAN Rem - 10.51.50.1 - No
From PC Command Prompt:
PC - Tun Rem - 10.3.101.1 - No
PC - Tun Loc - 10.3.101.2 - Yes
PC - LAN Rem - 10.51.50.1 - No
-
That looks like the expected results. In all cases it can only ping the local tunnel IP.
You need pass rules to allow anything else. So if you want the server side PC to be able to ping the remote LAN, you need a pass rule for that traffic on the remote OpenVPN interface.
-
@stephenw10 I have created a pass-all rule on the OpenVPN interface at the client side. I'm still having the same results. Is there a way to track a ping to its destination? Where can I find information on the firewall that would help me troubleshoot this?
-
Yes, check the states in Diag > States at the client side.
The client may be missing a route back to the server side LAN subnet.
The ping target on the client LAN may be rejecting pings from the server side subnet.
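The one-way behaviour described in this thread comes from pfSense evaluating rules on the interface where traffic enters, plus stateful return traffic. The following is an added simulation (not from any post or from pfSense itself) using the thread's addresses; the /24 and the host addresses are assumed. It shows that a pass rule on the client-side OpenVPN interface alone lets the home LAN reach the customer LAN while the customer LAN still cannot initiate towards home:

```python
from ipaddress import ip_address, ip_network

# Constructed topology matching the thread's ping tables (subnet masks assumed).
SERVER_LAN = ip_network("10.51.50.0/24")    # home LAN behind the OpenVPN server
CLIENT_LAN = ip_network("192.168.14.0/24")  # customer LAN behind the OpenVPN client
ANY = ip_network("0.0.0.0/0")

# A rule is (ingress interface, source network, destination network). Anything
# not matched by a pass rule on its ingress interface is dropped (default deny).
def build_rules(server_ovpn_pass, client_ovpn_pass):
    rules = [("server:LAN", SERVER_LAN, ANY),   # default "LAN net to any" rules
             ("client:LAN", CLIENT_LAN, ANY)]
    if server_ovpn_pass:   # lets the customer site initiate into the home LAN
        rules.append(("server:OpenVPN", CLIENT_LAN, SERVER_LAN))
    if client_ovpn_pass:   # lets the home LAN initiate into the customer LAN
        rules.append(("client:OpenVPN", SERVER_LAN, CLIENT_LAN))
    return rules

def site_of(host):
    return "server" if host in SERVER_LAN else "client"

def send(rules, states, src, dst):
    """One packet from src to dst. It enters the local firewall on its LAN
    interface and the remote firewall on its OpenVPN interface. Each firewall
    passes it if it matches an existing state (reply traffic) or a pass rule.
    States are kept per firewall here, a simplification of pf's state table."""
    hops = [f"{site_of(src)}:LAN", f"{site_of(dst)}:OpenVPN"]
    for iface in hops:
        fw = iface.split(":")[0]
        if (fw, dst, src) in states:          # reply of a flow already allowed
            continue
        if not any(i == iface and src in s and dst in d for i, s, d in rules):
            return False                      # no pass rule on ingress interface
        states.add((fw, src, dst))            # stateful: remember allowed flow
    return True

def ping(rules, src, dst):
    """Echo request src->dst followed by the echo reply dst->src."""
    states = set()
    return send(rules, states, src, dst) and send(rules, states, dst, src)

def scenario(server_ovpn_pass, client_ovpn_pass):
    rules = build_rules(server_ovpn_pass, client_ovpn_pass)
    home_pc, customer_pc = ip_address("10.51.50.20"), ip_address("192.168.14.20")
    return {"server->client": ping(rules, home_pc, customer_pc),
            "client->server": ping(rules, customer_pc, home_pc)}

if __name__ == "__main__":
    print("no OpenVPN rules:   ", scenario(False, False))
    print("client OpenVPN pass:", scenario(False, True))   # one-way, as wanted
    print("both OpenVPN pass:  ", scenario(True, True))
```

With no OpenVPN rules on either side only the echo request is dropped at the remote OpenVPN interface, which matches the "No" results in the ping tables above.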
-
@stephenw10 I have good news and I have bad news. The good news is that I got everything working. The bad news is I don't know what I did. LOL
Thanks for your help. I did check out the things you mentioned and I must have accidentally changed something. If I figure it out, I will post what I think I did.