Netgate Discussion Forum

    OpenVPN Firewall Rules Advice

    InsaneNutter:

      I have set up an OpenVPN server on pfSense; the IPv4 Tunnel Network I have told OpenVPN to use is 192.168.3.0/24.

      This works and I can connect to the VPN from a remote location; however, I can access any host on any of the interfaces below:

      LAN = 192.168.1.0/24
      DMZ = 192.168.2.0/24
      VPN = 192.168.3.0/24

      This might be where I have gone totally wrong from this point, so any advice is appreciated.

      I assigned ovpns1 (the Virtual OpenVPN interface) to a new OPT interface called VPN (192.168.3.0).

      Now I can assign firewall rules on this VPN interface; however, these are ignored by VPN clients.

      I've noticed I can create rules on both VPN and OpenVPN:

      If I create a firewall rule on the virtual "OpenVPN" interface, for example block VPN net from accessing DMZ net, the rule will apply to VPN clients.

      It seems strange that I have to assign ovpns1 to an OPT interface, to then create firewall rules on ovpns1 using the VPN OPT interface to base the rule on (see the test rule in the screenshot above).

      I'm wondering, is this how it's supposed to work, or have I gone wrong somewhere?

      Thanks for any advice.

    Derelict (Netgate):

        The OpenVPN tab is, under the hood, just an interface group containing all OpenVPN instances - all servers and all clients. You can use it to generally control traffic into your firewall from OpenVPN. You cannot, however, get special things like reply-to, which automatically sends reply traffic back out the interface into which it arrived because it is not an interface, but a group.

        If you assign an interface to an OpenVPN server or client, the rules there apply ONLY to that server or client and you get magic things like reply-to. You can also use it to perform outbound NAT, policy route to it (because the assigned interface has a matching gateway), etc.

        If you want to take advantage of this, the rules on the OpenVPN tab must NOT match the traffic you are interested in because they are processed first and first match controls.

        I generally delete all rules on the OpenVPN tab when I start using assigned interfaces.

        If you want more information I suggest a gold membership and the included OpenVPN hangouts and pfSense book.


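The evaluation order Derelict describes (OpenVPN tab rules first, then the assigned interface's rules, first match wins) explains why InsaneNutter's VPN-interface rules were ignored. The following is an added simulation, not code from pfSense or from either poster; the subnets are the ones in the question, while the rule sets and client/host addresses are constructed assumptions.

```python
"""Added example: simulate pfSense's ordering of OpenVPN firewall rules.
Rules on the "OpenVPN" tab (an interface group) are evaluated before rules on
an assigned interface (here "VPN" = ovpns1); the first matching rule controls.
Subnets come from the original post; rule sets and addresses are constructed."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")
VPN_NET = ip_network("192.168.3.0/24")


class Rule(NamedTuple):
    tab: str      # "OpenVPN" (the group tab) or "VPN" (the assigned interface)
    action: str   # "pass" or "block"
    src: object   # ip_network the source must fall in
    dst: object   # ip_network the destination must fall in, or None for "any"


def first_match(rules, src_ip, dst_ip):
    """Group-tab rules run first, then assigned-interface rules; first match wins.
    Returns (action, rule); falls back to pfSense's default deny if nothing matches."""
    ordered = [r for r in rules if r.tab == "OpenVPN"] + [r for r in rules if r.tab == "VPN"]
    for r in ordered:
        if src_ip in r.src and (r.dst is None or dst_ip in r.dst):
            return r.action, r
    return "block", None


# Assumed reproduction of the poster's situation: a permissive "pass any" on the
# OpenVPN tab, plus a block rule on the assigned VPN interface that is never reached.
POSTER_RULES = [
    Rule("OpenVPN", "pass", ip_network("0.0.0.0/0"), None),
    Rule("VPN", "block", VPN_NET, DMZ_NET),
]

# Same intent after following the advice: nothing on the OpenVPN tab, so the
# assigned interface's rules decide (block VPN -> DMZ, allow everything else).
FIXED_RULES = [
    Rule("VPN", "block", VPN_NET, DMZ_NET),
    Rule("VPN", "pass", VPN_NET, None),
]


def vpn_client_to_dmz(rules):
    return first_match(rules, ip_address("192.168.3.10"), ip_address("192.168.2.5"))[0]


def vpn_client_to_lan(rules):
    return first_match(rules, ip_address("192.168.3.10"), ip_address("192.168.1.20"))[0]
```

With POSTER_RULES the VPN-to-DMZ flow is passed by the OpenVPN-tab rule before the VPN-interface block is ever consulted; with FIXED_RULES it is blocked while VPN-to-LAN still passes.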