Netgate Discussion Forum
    Block local openVPN connections

    OpenVPN

    • adelphi

      I noticed that several colleagues don't disconnect their OpenVPN client (lazy guys!) when they arrive at the office. Therefore the traffic to local servers is unnecessarily routed through the pfSense, because the TAP adapter has the highest priority in Windows.
      My old router (IPCOP) blocked local VPN connections by default.

      I’ve tried to create a firewall rule to block local access, but it didn’t work:
      WAN Rule
      Action: Block
      Interface: WAN
      TCP/IP Version: IPv4
      Protocol: UDP
      Source: LAN net
      Destination: WAN address
      Destination Port range: 1195 (our VPN port)

      What am I doing wrong?

      Best,
      Daniel

      • viragomann

        I think you will use Outbound NAT. So the clients have the IP address your outbound NAT rule assigns to the outgoing connections.
        So replace the source address in your rule with the outbound NAT address to block these connections.

        • kpa

          Put the rule on the LAN interface instead of WAN. The connections are coming in from the LAN interface and it's not possible to block them using WAN rules because the traffic is arriving at the WAN interface from the "inside" and not from the internet.

          • viragomann
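          To make the interface point above concrete, here is the same pair of GUI rules written in pf.conf syntax (an added example, not taken from the thread or from the file pfSense itself generates). Interface names em0/em1, the LAN subnet and the port are placeholders; the loaded rules can be inspected with `pfctl -sr`.

```pf
# Added example (not from the thread): pf equivalents of the GUI rules discussed
# above, to show why only the LAN-interface rule can ever match.
# em0 = WAN, em1 = LAN, subnet and port are placeholders for the real values.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.168.21.0/24"
vpn_port = "1195"

# pfSense evaluates interface rules on INGRESS ("in" on the interface where the
# packet enters). A LAN client sending UDP to the WAN address delivers the packet
# on $int_if, where the firewall consumes it locally; it never enters on $ext_if.

# The original WAN rule: syntactically fine, but a LAN-originated packet does not
# come "in" on the WAN interface, so this rule is never evaluated against it.
block in quick on $ext_if inet proto udp from $lan_net to ($ext_if) port $vpn_port

# The working rule: filter at the ingress interface. Matching is first-match
# ("quick"), so this must sit above any LAN "pass" rule that would allow the
# traffic, i.e. directly below the Anti-Lockout rule in the GUI.
block in quick on $int_if inet proto udp from $lan_net to ($ext_if) port $vpn_port

# Road-warrior clients on the Internet enter on $ext_if and are unaffected.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $vpn_port
```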

            @kpa:

            because the traffic is arriving at the WAN interface from the "inside" and not from the internet.

            Thanks for the correction. I hadn't considered that.

            • adelphi

              @viragomann:

              I think you will use Outbound NAT. So the clients have the IP address your outbound NAT rule assigns to the outgoing connections.
              So replace the source address in your rule with the outbound NAT address to block these connections.

              I assume the "outbound NAT address" is equal to the "WAN address"?

              @kpa:

              Put the rule on the LAN interface instead of WAN. The connections are coming in from the LAN interface and it's not possible to block them using WAN rules because the traffic is arriving at the WAN interface from the "inside" and not from the internet.

              I tried (directly below the "Anti-Lockout rule"):

              Action: Block
              Interface: LAN
              TCP/IP Version: IPv4
              Protocol: UDP
              Source: WAN address
              Destination: WAN address
              Destination Port range: 1195 (our VPN port)

              and also

              Action: Block
              Interface: LAN
              TCP/IP Version: IPv4
              Protocol: UDP
              Source: LAN net
              Destination: WAN address
              Destination Port range: 1195 (our VPN port)

              But the clients are still able to connect to the OpenVPN server from within the LAN.

              Any ideas?

              • adelphi

                Just for reference: after updating to v2.2.2 I was able to block local OpenVPN access with the same rules described in the previous post. Therefore it seems to be an issue of the 2.1 release.

                Problem solved.

                • WhitePhantom @adelphi (edited)

                  @adelphi

                  Sorry for bumping such an old topic, but it's very relevant.

                  I can't understand why your method didn't work for me, as it makes perfect sense. It's even weirder that what I came up with did work. After firewall rules failed to achieve the desired result, I tinkered elsewhere. Here is a NAT Port Forward rule that achieved the same goal.

                  Interface: LAN
                  Protocol: UDP
                  Source: Any (this is default)
                  Source Port: Any (this is default)
                  Destination: WAN address
                  Destination port range: 1196 (our VPN port)
                  Redirect target IP: Random private IP address that is NOT part of your LAN network. I used 192.168.1.254, but our LAN network is 192.168.21.0/24
                  Redirect target port: I just chose a random port. 45534

                  I was surprised that it even let me create this rule, but doing so made it so people who are connected to the LAN can no longer connect to the OpenVPN server while people connecting to the VPN from outside the office are unaffected.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.