Netgate Discussion Forum

OpenVpn clients access rules

OpenVPN | 4 Posts, 2 Posters, 494 Views
    LukasH
    last edited by Jan 15, 2024, 9:11 PM

    Hello,
    So far I have used a pretty simple setup for my OpenVPN network. Let's say I have two LANs accessible from the VPN and two other clients that access the LANs.
    I have both remote LANs in the OpenVPN server settings and I allowed Inter-client communication. So far no issue, but I didn't like that a new computer on one of the remote LANs can access the other LAN, and I would also like to manage the access to the remote LANs from the different clients connected to the OpenVPN server.
    I am trying to have this setup with client-specific overrides, but so far I am not able to access any remote LANs from another client.
    Client AA can access both remote LANs (A,B) and client BB can access only site B.
    I have an OpenVPN firewall rule to allow all communication.
    Can you please direct me to accomplish this?

    Thank you very much for any response.

      viragomann @LukasH
      last edited by Jan 15, 2024, 11:21 PM

      @LukasH
      First of all, you should rather use private network ranges for both internal networks and VPN tunnels to avoid issues with accessing public sites.

      The "Remote Networks" field in the client specific overrides is meant to state networks behind the respective client.
      Anyway, I'd suggest not stating the local networks in the CSO.

      However, you need such a CSO for the sites A and B. Here you have to enter the respective client's local network into the "Remote Network" box.

      And in the server settings you need to enter both local networks into the "Local Networks" box to push the routes to the clients.

      For limiting access use the CSO to assign static IPs to the clients and add proper firewall rules.
      Remove the check at "Inter-client communication".

        LukasH @viragomann
        last edited by Jan 16, 2024, 10:24 AM

        @viragomann
        Hi, I tried exactly (at least I think) what you are describing here. But with no success.

        Server OpenVPN:

        • tunnel network: 10.10.0.0/24
        • local networks: (site A)10.10.10.0/24, (site B)10.10.11.0/24
        • uncheck "Inter-client communication"

        Client A CSO:

        • tunnel ip: 10.10.0.100
        • local network: 10.10.10.0/24

        Site A CSO:

        • tunnel ip: 1010.0.2/24
        • remote network: 10.10.10.0/24

        OpenVPN FW rules:

        • allow all protocols and IPs for this moment, for OPT1 (tunnel network) as well.

        I can see traffic in the firewall rule, to reach site (A), but there is no response from the site.
        This setup functions only with the "Inter-client communication" option checked.
        Here is the client A reaching to site A device.

        I will do better with local IPs in the future, thanks.

          viragomann @LukasH
          last edited by Jan 16, 2024, 11:31 AM

          @LukasH
          With Inter-client communication enabled, pfSense cannot filter the traffic, because it doesn't enter the interface.
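The topology discussed in this thread, modeled as an added example that is not part of any post: it derives the OpenVPN client-config-dir lines that the CSO fields are assumed to correspond to (ifconfig-push for the static tunnel IP, iroute for a site's LAN), the routes the server pushes for its Local Networks, and a first-match rule set for the OpenVPN interface that lets client AA reach both sites and client BB reach only site B, ending in a block rule. The tunnel addresses for site B and client BB are constructed placeholders; only pfSense can confirm the exact directives it generates.

```python
import ipaddress as ip

# Topology from the thread; site B and client BB tunnel IPs are constructed placeholders
TUNNEL_NET = ip.ip_network("10.10.0.0/24")
SITE_LANS = {"siteA": ip.ip_network("10.10.10.0/24"),
             "siteB": ip.ip_network("10.10.11.0/24")}
CSO = {  # CSO name -> (static tunnel IP, LAN behind that client or None)
    "siteA": (ip.ip_address("10.10.0.2"), SITE_LANS["siteA"]),
    "siteB": (ip.ip_address("10.10.0.3"), SITE_LANS["siteB"]),   # constructed
    "clientAA": (ip.ip_address("10.10.0.100"), None),
    "clientBB": (ip.ip_address("10.10.0.101"), None),            # constructed
}
POLICY = {"clientAA": ["siteA", "siteB"], "clientBB": ["siteB"]}  # who may reach what

def ccd_entries():
    """Assumed client-config-dir equivalent of each CSO: ifconfig-push for the
    static tunnel IP, plus iroute only for a CSO that has a LAN behind it."""
    out = {}
    for name, (addr, lan) in CSO.items():
        if addr not in TUNNEL_NET:
            raise ValueError(f"{name}: static IP {addr} is outside {TUNNEL_NET}")
        lines = [f"ifconfig-push {addr} {TUNNEL_NET.netmask}"]
        if lan is not None:
            lines.append(f"iroute {lan.network_address} {lan.netmask}")
        out[name] = lines
    return out

def server_push_routes():
    """Routes the server pushes for the networks listed under Local Networks."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in SITE_LANS.values()]

def firewall_rules():
    """First-match rules for the OpenVPN interface: one pass rule per allowed
    (client, site) pair from the policy, then a final block (default deny)."""
    rules = []
    for client, sites in POLICY.items():
        for site in sites:
            rules.append(("pass", ip.ip_network(str(CSO[client][0])), SITE_LANS[site]))
    rules.append(("block", ip.ip_network("0.0.0.0/0"), ip.ip_network("0.0.0.0/0")))
    return rules

def allowed(src, dst, rules=None):
    """Evaluate a new connection from tunnel IP src to dst against the rule set."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, s, d in rules or firewall_rules():
        if src in s and dst in d:
            return action == "pass"
    return False
```

Replies from the site LANs back to a client ride on the state the pass rule created, so no reverse rule is needed; with Inter-client communication enabled, none of this traffic reaches the interface and the rule set has no effect.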

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.