OpenVPN Firewall/tun Question
-
I have OpenVPN configured, which automatically creates a "OpenVPN" tab under firewall rules. However, there's no option for "OpenVPN subnet" or "OpenVPN address" under the source or destination drop down menu, which confuses me a bit. I generally would make rules like:
Allow tcp/udp OpenVPN subnet !Local_Subnets
...but again, "OpenVPN subnet" isn't an option.
Currently, I'm thinking of the tunnel network as "just another VLAN/subnet". Is that inaccurate?
- If not, are there limitations to the tunnel network that regular VLANs don't have?
- Would the simple solution be to create an alias for the subnet that I defined for the tunnel network?
- Should I create a new VLAN and bridge the OpenVPN connection to that new VLAN? Are there any security risks with this method?
-
@CoffeeOrTea said in OpenVPN Firewall/tun Question:
I have OpenVPN configured, which automatically creates a "OpenVPN" tab under firewall rules.
"OpenVPN" in this context is an interface group. It includes all your enabled OpenVPN instances on pfSense, both servers and clients.
You can get a certain interface for an instance by assigning one, under Interfaces > Assignments.
Under "available network port" you will find your unassigned OpenVPN instances, e.g. ovpns1. Select it and hit add, open the interface and enable it and save. Nothing else to configure.
Then you get an alias for the address and subnet. However, this is only required for policy routing traffic to the remote site, but you can also do it for an access server.
Otherwise a manually created alias, which includes the tunnel pool, would also be an option for your aims.
-
@viragomann said in OpenVPN Firewall/tun Question:
"OpenVPN" in this context is an interface group.
In my case it wasn't. At the time I made this post, I didn't realize that you could assign an interface to OpenVPN. I eventually did, which added a 2nd tab to the firewall rules area, so now I have two OpenVPN tabs in the firewall rules area. The documentation states:
Rules on assigned OpenVPN interface tabs are processed after rules on the OpenVPN tab.
So now, I'm trying to understand the nuances of this and figure out how to best create rules. It's still somewhat confusing to me. For example, if I have no rules at all on the OpenVPN tab, but then add a rule to allow WAN traffic on the OpenVPN interface tab, I don't get WAN access. I've also tried adding a rule on the OpenVPN tab to pass traffic to the OpenVPN interface, which still doesn't give me WAN. But if I allow WAN on the OpenVPN tab, then it works.
Anywho, I'll keep playing with it and hopefully it'll make more sense.
-
@CoffeeOrTea said in OpenVPN Firewall/tun Question:
At the time I made this post, I didn't realize that you could assign an interface to OpenVPN. I eventually did, which added a 2nd tab to the firewall rules area, so now I have two OpenVPN tabs in the firewall rules area
pfSense shows particular interfaces on the rules page in upper-case letters. So I'd expect that it is rather shown as "OPENVPN" there in addition to OpenVPN, which is the interface group.
if I have no rules at all on the OpenVPN tab, but then add a rule to allow WAN traffic on the OpenVPN interface tab, I don't get WAN access.
But if I allow WAN on the OpenVPN tab, then it works. So you presumably did something wrong.
OpenVPN is just the interface group and the interface is a member of it.
Note that rules on interface groups have priority over ones on member tabs.
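As an added illustration (not from any poster in this thread), here is roughly what the two tabs discussed above turn into in pf syntax: a manually created alias for the tunnel pool becomes a table, rules from the "OpenVPN" group tab are emitted before rules from the assigned member interface tab (ovpns1), and pfSense adds "quick" so the first match wins. The tunnel and LAN networks are constructed sample values, and the use of ovpns1 as the assigned interface is an assumption.

```pf
# Constructed sample networks; pfSense turns aliases into pf tables.
table <OpenVPN_Tunnel> { 10.8.0.0/24 }                 # manually created tunnel-pool alias
table <Local_Subnets>  { 192.168.1.0/24, 192.168.20.0/24 }

# 1) Rules from the "OpenVPN" interface-group tab come first. Because of "quick",
#    a packet matched here is decided here and never reaches the member tab below.
pass in quick on OpenVPN inet proto { tcp, udp } \
    from <OpenVPN_Tunnel> to ! <Local_Subnets> keep state \
    label "OpenVPN group: tunnel clients to Internet only"

# 2) Rules from the assigned member interface tab (assumed to be ovpns1) follow.
#    They only see traffic that no group-tab rule matched, e.g. tunnel -> LAN here.
block in quick on ovpns1 inet proto { tcp, udp } \
    from <OpenVPN_Tunnel> to <Local_Subnets> \
    label "ovpns1: explicit block of tunnel clients to local subnets"
```

If the group tab had instead carried a "pass any" rule, the block on ovpns1 would never be evaluated, which is the ordering the documentation quote above describes.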