Netgate Discussion Forum
    1.2.3 RC1: OpenVPN Filtering

    KoalaTNR

      Hello,

      I've updated to pfSense 1.2.3 RC1. I'm trying to filter traffic via OpenVPN.

      I've checked 'Disable all auto-added VPN rules' in 'System->Advanced'.
      I've assigned the new tun0 device as Opt5. I added a new rule to allow all traffic
      on this new interface. But nothing is allowed.

      Do I need to activate Opt5 and set an IP address explicitly in 'Interfaces -> Opt5'? The address pool
      for my tunnel is 192.168.202.0/24.

      Or what is wrong?

      Please help.
      Thomas

      jimp (Rebel Alliance Developer, Netgate)

        Yes, you need to enable the Opt interface, and configure an IP. DHCP may work, I haven't tried. It seems to ignore the IP in favor of what OpenVPN configures.

        It's kind of clunky though, overall. If OpenVPN stops and restarts, I think you'll need to reapply the firewall rules. You may want to try that a couple times and see how it works for you.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        ndelong

          I can confirm the following works in 1.2.3-RC1 (haven't tried the snapshots):

          • Go to Settings > Advanced and check "Disable all auto-added VPN rules".
          • Go to Interfaces > Assign and create the OPTx interface for your tunX OpenVPN interface.
          • Go to Interfaces > OPTx (you just created) and assign an IP. I typically use the IP address that OpenVPN defaults to when you first create your VPN (x.x.x.1). I've used both /24 and /32 as the subnet with success. I agree with jimp that you could probably put anything in here.
          • Create rule(s) for your OPTx interface.
          • Restart OpenVPN service associated with the new tunX (OPTx) interface.
          • When making changes to OPTx rules, be sure to disconnect and reconnect clients after clicking "Apply Settings".
          • When making changes to the OPTx interface (even to update its name), restart the associated OpenVPN service.

          Would it be possible (or does something already exist) where we can force an OpenVPN restart on "Apply Settings"?

          Regards,

          Nate D.

          strafelife

            Is this the new way to do it with 1.2.3+ going forward?  I am setting up a site-to-site VPN in the traditional sense, and although the tunnel comes up, routing is getting blocked for clients on either side of the tunnel.  I verified all configs several times (a very simple setup using a shared key).  The routing table is correct, OpenVPN options set.  This used to work prior to 1.2.3… I am guessing that configuring the interfaces and creating some allow rules is what is needed.  Anyone else experience this?

            jimp (Rebel Alliance Developer, Netgate)

              @strafelife:

              Is this the new way to do it with 1.2.3+ going forward?  I am setting up a site-to-site VPN in the traditional sense, and although the tunnel comes up, routing is getting blocked for clients on either side of the tunnel.  I verified all configs several times (a very simple setup using a shared key).  The routing table is correct, OpenVPN options set.  This used to work prior to 1.2.3… I am guessing that configuring the interfaces and creating some allow rules is what is needed.  Anyone else experience this?

              The filtering is not required, and would only happen if you assigned the interface by hand using the instructions from this thread.

              If you did not assign the tun0 interface yourself as others have done here, you have a different problem and should start a new thread for your issue.

                XZed

                Hello,

                About this topic, I just want to know something:

                When I set up OpenVPN + iptables on a classic install (not pfSense… example: a Debian setup):

                I can do the following:

                the range 10.8.0.0 can only browse the local network;

                the range 10.8.1.0 can "go outside to the internet" via the OpenVPN gateway.

                Will this OPT config permit me to do this type of filtering?

                Indeed, I have two user types:

                • ones that only have to work on servers via VPN

                • others that also need to surf the internet

                For both, I apply the "push redirect-gateway def1" directive.

                And I fear blocking the second group if I move to OpenVPN on pfSense.

                Sincerely

                  XZed

                  I didn't manage to do it within pfSense…

                  But I'm lucky and, hopefully, it's enough for my needs:

                  my pfSense box is behind a main gateway.

                  In this main gateway, I could filter the OpenVPN range to block internet browsing from this range....

                  But I have other pfSense boxes with the WAN port directly connected behind the DSL modem.... and I really don't know how to do it in this situation...

                  Thank you,

                  Sincerely,

                    XZed

                    One detail:

                    I could do this because the OpenVPN traffic goes out via the WAN interface and, at the main gateway level, I could block the OpenVPN range…

                    Well, it works...

                    But I can't understand the pfSense FAQ (well, I know that anyone has to RTFM a lot before posting  ;D ):

                    "For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON."

                    I never enabled AON and the OpenVPN traffic automatically went out via WAN (which permitted me to block the OpenVPN range at the main gateway)…

                    Or perhaps I didn't understand what the FAQ meant  ;)

                    Sincerely,

                      GruensFroeschli

                      The automatic NAT rules:
                      NAT all private subnets which are directly reachable (local NICs) or defined via a static route to the WAN.
                      Except for OpenVPN.

                      If you want to access the internet over the OpenVPN connection via the pfSense, you need to NAT the OpenVPN subnet to the WAN.
                      This doesn't happen automatically, so you need to create a rule manually.

                      What you describe:
                      You have another router in front of the pfSense which does the NATing for you.

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        XZed
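As an added illustration (not from this thread and not a ruleset generated by pfSense), here is what the GUI steps in ndelong's post, the two-group filtering XZed asks about, and the manual outbound NAT GruensFroeschli describes amount to when written as plain pf.conf rules. Everything named here is an assumption: the WAN is em0, the LAN is em1 with 192.168.1.0/24, the assigned OpenVPN interface (OPTx in the GUI) is tun0, server-only clients are handed 10.8.0.0/24 and full-access clients 10.8.1.0/24.

```pf
# Hand-written pf.conf illustration of the thread's pfSense 1.2.3 setup.
# All interface names and subnets below are assumed for the example.
ext_if  = "em0"             # WAN
lan_if  = "em1"             # LAN
ovpn_if = "tun0"            # the tunX device assigned as OPTx
lan_net = "192.168.1.0/24"
ovpn_servers_only = "10.8.0.0/24"   # group 1: LAN servers only
ovpn_full         = "10.8.1.0/24"   # group 2: LAN and Internet

# Outbound NAT for the OpenVPN subnet. pfSense 1.2.3 does not add this
# automatically (GruensFroeschli's point); in the GUI it means enabling
# Advanced Outbound NAT and adding a rule for the VPN subnet. Only the
# group that may reach the Internet needs to be translated.
nat on $ext_if from $ovpn_full to any -> ($ext_if)

# Rules on the assigned OpenVPN interface (ndelong's "Create rule(s) for
# your OPTx interface"). Default deny on the tunnel, then allow per group.
block in on $ovpn_if all

# Group 1 may only reach the local network. Because the server pushes
# "redirect-gateway def1" to everyone, their Internet-bound packets also
# arrive on tun0 and fall through to the block rule above.
pass in quick on $ovpn_if inet proto { tcp, udp, icmp } \
    from $ovpn_servers_only to $lan_net keep state

# Group 2 may reach the local network and the Internet via the WAN.
pass in quick on $ovpn_if inet from $ovpn_full to any keep state
```

The two behaviours the thread separates are visible here: the filtering happens on the tunnel interface (which is why the OPTx assignment is needed in 1.2.3), while reaching the Internet additionally depends on the nat line, which is the piece XZed's upstream gateway was silently providing. Without the nat rule group 2's packets still leave on the WAN with a 10.8.1.x source address, which is exactly what let XZed block them one hop upstream.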

                        Let me verify that I've understood correctly:

                        by default, any OpenVPN traffic can't go outside via the WAN….

                        I've managed it because the main gateway, plugged into the WAN port, is doing it for me??

                        Two last points:

                        • in a classic configuration (pfSense WAN => ISP modem), I can do it but need to enable AON (and if I understood the documentation, enabling AON impacts all the rest and I need to manually edit outbound NAT for each kind of traffic?)?

                        • in pfSense 2.x: an OpenVPN interface will appear (as IPsec and PPTP have), won't it? If so, there's no more need to enable AON (just playing a little with firewall rules on the OpenVPN interface)?

                        Thank you very much for this explanation,

                        Sincerely,

                          pakjebakmeel

                          This is great news, I was desperate for OpenVPN filtering. The only issue is that when I add the interface described in step 2 the DHCP service stops and refuses to start. After a short while I get the message "XML error: OPTXXXX at line 123 cannot occur more than once" when opening the web interface and I'm locked out until I manually modify the XML file and remove the interface.

                          Any thoughts? I'm running pfSense-1.2.3-4g-20090721-2324-nanobsd.img.gz on ALIX.

                          UPDATE, I've tried this again and it seems to be working now. GREAT STUFF

                            GLR

                            To be stickied!

                              jimp (Rebel Alliance Developer, Netgate)

                              @ndelong:

                              • Go to Interfaces > OPTx (you just created) and assign an IP. I typically use the IP address that OpenVPN defaults to when you first create your VPN (x.x.x.1). I've used both /24 and /32 as the subnet with success. I agree with jimp that you could probably put anything in here.

                              You should actually set this to "none" here instead. It's a shortcut that will just not assign an IP, instead of using an invalid one.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.