Netgate Discussion Forum

    VPN Naming Labels

      xxGBHxx

      Hi,

      I've searched a few times but never found a definitive answer so apologies if it's been answered before.

      I have an OpenVPN Server and an OpenVPN client defined.

      The client connects to a commercial VPN provider. The Server provides remote access to my network. It all works perfectly fine.

      In the Firewall>Rules tab I have 2 different tabs. The first is "VPN" the second is "OpenVPN".

      The "OpenVPN" tab has a single rule which has a description "OpenVPN wizard" which is effectively an "any/any" rule through this interface from any internal subnet
      The "VPN" tab has the exact same rule applied by me but without the description.

      In the Interfaces tab, I have

      "VPN" mapped to ovpnc1 ()
      "Opt5" mapped to ovpns2 ()

      Obviously "VPN" is the client and "Opt5" is the server.

      So after that brief explanation, what is the difference between "VPN" and "OpenVPN" in the Firewall>Rules tab?

      I also have another question relating to rule enumeration which I will post in the appropriate forum.

      Thanks

      G

        GruensFroeschli

        VPN is the assigned interface. You can create rules specific for this openvpn instance.
        OPENVPN is an interface-group containing all openvpn instances.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          xxGBHxx

          @GruensFroeschli:

          VPN is the assigned interface. You can create rules specific for this openvpn instance.
          OPENVPN is an interface-group containing all openvpn instances.

          Huge thanks for the prompt response.

          So why when I go into Interfaces>Assign>Interface Groups is it empty?

          If "OpenVPN" is an interface group (which I'm not doubting you is true) then which set of rules is matched first, the "VPN" interface one or the "OpenVPN" interface group one?

          Thanks

          G

            GruensFroeschli

            The group is behind the scene.
            Most people are probably not running multiple servers/clients at once.

            Regarding the rule flow:
            More specific > less specific

              jimp Rebel Alliance Developer Netgate

              To clarify:

              The OpenVPN group is an automatic/hidden interface group. ALL OpenVPN instances are covered by this group, even ones that are assigned.

              Rules from the group tab are processed before rules from the individual tab; if you have an allow all rule on the group tab, your assigned tab rules will never be used.

              So if you want to make sure that your assigned VPN tab rules are used, fix your group tab rules such that they will not match traffic that would pass over the assigned VPN.

                GruensFroeschli

                Thanks for the clarification.
                For me the easiest rule to follow is:
                If you have more than one instance, assign all instances and don't use the openvpn tab.

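The processing order described in this thread (group tab first, then the assigned tab) can be checked mechanically. The following is an added example, not code from any poster or from pfSense: a simplified first-match model that lists assigned-tab rules which can never match. It assumes IPv4 and compares only source and destination networks (protocol, ports and direction are ignored); the `Rule` class, helper names and subnets are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    tab: str      # "OpenVPN" (hidden group tab) or an assigned tab such as "VPN"
    action: str   # "pass" or "block"
    src: str = ANY
    dst: str = ANY
    descr: str = ""

def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    net = ipaddress.ip_network
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst)))

def shadowed(group_rules, assigned_rules):
    """Return (dead_rule, winning_rule) pairs for assigned-tab rules that never match."""
    ordered = list(group_rules) + list(assigned_rules)  # group tab is processed first
    findings = []
    for i in range(len(group_rules), len(ordered)):
        for earlier in ordered[:i]:
            if covers(earlier, ordered[i]):  # first match wins, later rule is dead
                findings.append((ordered[i], earlier))
                break
    return findings

# Constructed sample rules (subnets are made up for illustration).
GROUP_WIZARD = [Rule("OpenVPN", "pass", descr="OpenVPN wizard")]
GROUP_SCOPED = [Rule("OpenVPN", "pass", src="10.8.0.0/24", descr="remote access only")]
ASSIGNED = [
    Rule("VPN", "block", src="192.168.10.0/24", descr="block IoT subnet"),
    Rule("VPN", "pass", src="192.168.0.0/16", descr="allow LAN"),
]

if __name__ == "__main__":
    for name, group in (("wizard any/any", GROUP_WIZARD), ("scoped", GROUP_SCOPED)):
        print(f"group tab = {name}")
        for dead, winner in shadowed(group, ASSIGNED):
            print(f"  [{dead.tab}] {dead.descr!r} is shadowed by [{winner.tab}] {winner.descr!r}")
```

With the wizard's any/any rule on the group tab, both assigned-tab rules are reported as shadowed, including the block rule; with a scoped group rule or an empty group tab, none are.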
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.