Netgate Discussion Forum

    OpenVPN: How to not allow WAN traffic?

    oguruma

      I am looking to add a second user and allow OpenVPN access to my pfSense box. I use the box myself and force all traffic through the VPN; however, for the second user, I would only like to allow them to access LAN resources via VPN.

      In other words: "go ahead, access the CIFS shares, but don't bog down my network with your casual browsing traffic". Granted, this would only be for this specific user; for the rest of the users, I would like all of their traffic to go through the VPN.

      Is this possible to set up? If so, does anybody have any resources on how to do this they could point me towards?

      Thanks in advance!

      viragomann

        https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server

        oguruma

          Thanks for the reply. I found that a while ago, I guess I am still unclear as to how I would configure this to not allow WAN traffic to go through my pfsense box…

          oguruma

            So what's the concrete trouble with that?

            In the OpenVPN server config, ensure that you haven't set the mark at Topology, so that the server allocates a /30 subnet to each client.

            Then add a client specific override for the desired user and enter the common name which matches the user's cert. At "Tunnel Network" enter a /30 subnet which should be assigned to this user, recommended in the upper range of your server's tunnel subnet. E.g. if your server's tunnel subnet is 10.0.8.0/24, use 10.0.8.248/30.
            At "IPvX Remote Network/s" enter your LAN network(s) to push the route(s) to the client. Don't check "Redirect gateway"! If needed, also enter DNS servers below. Save the settings.

            Now you can add a block rule to your OpenVPN interface to ensure the user can't route the whole traffic over the VPN by himself. E.g.

            Act      Proto      Source           Port    Destination    Port    Gateway    Queue
            block    *          10.0.8.248/30    *       !LAN net       *       *          none

            At destination check "not" and select LAN net below. Put this rule at the top of the interface's rule set.
            So this will block access from the specified user to anything but your LAN subnet.

            heper
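            As an added illustration (not part of this thread and not pfSense's own code), the following Python models the two pieces of the setup described in the post above: the client-specific override that pins one user to a /30 inside the server's tunnel subnet and pushes only the LAN route, and the "block ... destination: not LAN net" rule evaluated first-match the way pfSense applies it. The LAN subnet 192.168.1.0/24 and the test addresses are constructed; the ccd directive syntax (ifconfig-push, push "route") is assumed from OpenVPN's net30 conventions rather than copied from what pfSense generates.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the thread: server tunnel subnet and the /30 chosen for
# the split-tunnel user.  The LAN subnet is a constructed example.
TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")
USER_SUBNET = ipaddress.ip_network("10.0.8.248/30")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def cso_ccd_lines(user_net, lan_nets, tunnel_net=TUNNEL_NET):
    """Lines the client-specific override would need in the user's ccd file.

    With Topology unchecked (net30), every client gets a /30: .0 network,
    .1 server side, .2 client side, .3 broadcast.  The /30 must lie inside
    the server's tunnel subnet.  Directive syntax is assumed from OpenVPN's
    ifconfig-push / push "route", not copied from pfSense output.
    """
    if user_net.prefixlen != 30 or not user_net.subnet_of(tunnel_net):
        raise ValueError(f"{user_net} is not a /30 inside {tunnel_net}")
    server_end, client_ip = list(user_net.hosts())  # .249 and .250 for 10.0.8.248/30
    lines = [f"ifconfig-push {client_ip} {server_end}"]
    for net in lan_nets:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    # No 'push "redirect-gateway def1"' on purpose: this user stays split-tunnel.
    return lines


def upper_range_slots(tunnel_net=TUNNEL_NET, count=4):
    """The highest /30s of the tunnel subnet, where the post suggests placing
    override subnets so they stay clear of dynamically assigned clients."""
    return list(tunnel_net.subnets(new_prefix=30))[-count:]


@dataclass(frozen=True)
class Rule:
    action: str                      # "block" or "pass"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    dest_negated: bool = False       # the "not" checkbox next to Destination

    def matches(self, src, dst):
        if src not in self.source:
            return False
        in_dest = dst in self.destination
        return (not in_dest) if self.dest_negated else in_dest


def evaluate(rules, src, dst, default="pass"):
    """First-match evaluation, which is why the block rule must sit at the top
    of the OpenVPN tab, above the usual allow-all rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return default


ANY = ipaddress.ip_network("0.0.0.0/0")
OPENVPN_RULES = [
    Rule("block", USER_SUBNET, LAN_NET, dest_negated=True),  # the rule from the post
    Rule("pass", ANY, ANY),                                   # typical allow-all OpenVPN rule
]

if __name__ == "__main__":
    print("\n".join(cso_ccd_lines(USER_SUBNET, [LAN_NET])))
    print("upper-range /30s:", [str(s) for s in upper_range_slots()])
    for dst in ("192.168.1.10", "203.0.113.5", "10.0.8.1"):
        print(f"10.0.8.250 -> {dst}: {evaluate(OPENVPN_RULES, '10.0.8.250', dst)}")
```

            Running the evaluation shows one thing the rule table does not make obvious: because the destination is "not LAN net", the override user is also blocked from reaching the server's own tunnel address (10.0.8.1 here), so any DNS server pushed to that user must live inside LAN net, or the rule needs a second exception above it. Other clients, which fall outside 10.0.8.248/30, are untouched and keep full-tunnel access.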

              Or just don't NAT the OpenVPN subnet.

              marvosa

                You essentially have two options:

                • Configure a client specific override for that one user and each future user with the same situation

                • Configure a 2nd OpenVPN server… one full tunnel and one split tunnel. Then just export the split tunnel package when needed

                From a management overhead standpoint, I think option #2 makes more sense. This is also the solution that I've implemented.
