Netgate Discussion Forum
    Isolating OpenVPN Network

    8 Posts 2 Posters 2.4k Views
Nikolay_Zhelev

      Hi guys,

      I've got 3 OpenVPN servers. I would like to isolate one of the servers from my LAN and WebConfigurator. This server will be for foreign clients.

Is there any easy way I can isolate only one OpenVPN server from my LAN and WebConfigurator? However, I would like all foreign clients to be able to access the internet through the VPN tunnel.

      I'm looking forward to hearing from you.

      Regards,
      Nick

Derelict LAYER 8 Netgate

        Firewall rules on the OpenVPN Tab and/or the OpenVPN assigned interface tab.

        Block local assets, pass any (the internet).

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

Nikolay_Zhelev

          Hi Derelict,

Thanks for your quick reply! The other 2 VPN servers are using the same interface. Wouldn't that be a problem?

          Regards,
          Nick

Derelict LAYER 8 Netgate

Either assign an interface to that OpenVPN instance, or block traffic sourced from that tunnel network, or both.


Nikolay_Zhelev

              Thanks Derelict.

It took me ages to decipher your advice, but that's because it's been a long time since I last created/edited any firewall rules.

I'm wondering: if I block all sourced traffic, I'll lose internet connectivity as well, because all packets to my WAN are sourced from my OpenVPN. Am I right?

What I did was introduce the following 4 rules:

1. Protocol IPV4 TCP Source LAN net Port * Destination 192.168.10.0/24 [That's the VPN network I'm trying to isolate] Port * Gateway * - with this rule I block all packets from LAN to my isolated OpenVPN network.
2. Protocol IPV4 TCP Source 192.168.10.0/24 Port * Destination LAN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to LAN.
3. Protocol IPV4 * Source 192.168.10.0/24 Port * Destination OPENVPN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to other VPN networks.
4. Protocol IPV4 * Source * Port * Destination * Port * Gateway * - allow all traffic.

Do those rules make sense? Can you please advise if I'm missing something?

              Regards,
              Nick

Derelict LAYER 8 Netgate

                @Nikolay_Zhelev:

                Thanks Derelict.

It took me ages to decipher your advice, but that's because it's been a long time since I last created/edited any firewall rules.

I'm wondering: if I block all sourced traffic, I'll lose internet connectivity as well, because all packets to my WAN are sourced from my OpenVPN. Am I right?

What I did was introduce the following 4 rules:

1. Protocol IPV4 TCP Source LAN net Port * Destination 192.168.10.0/24 [That's the VPN network I'm trying to isolate] Port * Gateway * - with this rule I block all packets from LAN to my isolated OpenVPN network.

                All TCP packets, anyway, assuming it is on the LAN interface.

2. Protocol IPV4 TCP Source 192.168.10.0/24 Port * Destination LAN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to LAN.
3. Protocol IPV4 * Source 192.168.10.0/24 Port * Destination OPENVPN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to other VPN networks.
4. Protocol IPV4 * Source * Port * Destination * Port * Gateway * - allow all traffic.

                Impossible to say since you didn't say what interfaces those rules are on.


Nikolay_Zhelev

                  Sorry, I forgot to specify. I have 3 interfaces: WAN, LAN and OpenVPN. All the rules above apply to OpenVPN interface only.

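To make Derelict's point about which tab a rule belongs on concrete, here is an added example (my own, not code from the thread, from Netgate or from pfSense) that models pfSense-style first-match evaluation of Nick's four rules placed on the OpenVPN tab, next to a hardened variant that I assume. The only address taken from the thread is 192.168.10.0/24; the LAN net, the other two tunnel networks, the firewall's own addresses (standing in for the pfSense "This Firewall (self)" destination) and the sample flows are constructed values. Ports and state tracking are deliberately left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology following the thread: WAN, LAN and one OpenVPN
# interface shared by three servers. 192.168.10.0/24 is the tunnel network
# being isolated; every other address below is an assumed sample value.
LAN_NET = ip_network("192.168.1.0/24")                              # assumed
ISOLATED_VPN = ip_network("192.168.10.0/24")                        # from the thread
OTHER_VPNS = [ip_network("10.8.1.0/24"), ip_network("10.8.2.0/24")]  # assumed
OPENVPN_NET = [ISOLATED_VPN] + OTHER_VPNS   # pfSense "OpenVPN net": every tunnel network
# Addresses the firewall itself listens on (pfSense "This Firewall (self)"); assumed.
THIS_FIREWALL = [ip_network(a) for a in (
    "192.168.1.1/32", "203.0.113.2/32", "192.168.10.1/32", "10.8.1.1/32", "10.8.2.1/32")]
ANY = "*"

@dataclass
class Rule:
    action: str   # "block" or "pass"
    proto: str    # "tcp", "udp", "icmp" or ANY
    src: object   # list of networks, or ANY
    dst: object   # list of networks, or ANY
    note: str

def in_spec(addr, spec):
    return spec == ANY or any(ip_address(addr) in net for net in spec)

def first_match(rules, proto, src, dst):
    """Evaluate one interface's rule list top-down; the first match wins and
    a packet that matches nothing hits the implicit default deny."""
    for rule in rules:
        if rule.proto != ANY and rule.proto != proto:
            continue
        if in_spec(src, rule.src) and in_spec(dst, rule.dst):
            return rule.action, rule.note
    return "block", "implicit default deny"

def ingress_interface(src):
    """Rules are applied on the interface a packet ENTERS the firewall on;
    in this toy model the source address decides which interface that is."""
    if ip_address(src) in LAN_NET:
        return "LAN"
    if any(ip_address(src) in net for net in OPENVPN_NET):
        return "OpenVPN"
    return "WAN"

# The four rules from the thread, all on the OpenVPN tab as the poster said.
POSTED_OPENVPN_RULES = [
    Rule("block", "tcp", [LAN_NET], [ISOLATED_VPN], "rule 1: LAN net -> isolated VPN"),
    Rule("block", "tcp", [ISOLATED_VPN], [LAN_NET], "rule 2: isolated VPN -> LAN net"),
    Rule("block", ANY, [ISOLATED_VPN], OPENVPN_NET, "rule 3: isolated VPN -> OpenVPN net"),
    Rule("pass", ANY, ANY, ANY, "rule 4: allow all"),
]
LAN_RULES = [Rule("pass", ANY, ANY, ANY, "LAN: default allow LAN to any")]

# Hardened variant (assumed, not from the thread): every protocol, the
# firewall's own addresses covered so the webConfigurator is unreachable from
# the tunnel whichever interface address a client tries, and the LAN-sourced
# block moved to the LAN tab, where LAN-sourced packets are actually evaluated.
HARDENED_OPENVPN_RULES = [
    Rule("block", ANY, [ISOLATED_VPN], THIS_FIREWALL, "H1: isolated VPN -> This Firewall"),
    Rule("block", ANY, [ISOLATED_VPN], [LAN_NET], "H2: isolated VPN -> LAN net"),
    Rule("block", ANY, [ISOLATED_VPN], OPENVPN_NET, "H3: isolated VPN -> OpenVPN net"),
    Rule("pass", ANY, ANY, ANY, "H4: isolated VPN -> internet and anything else"),
]
HARDENED_LAN_RULES = [
    Rule("block", ANY, [LAN_NET], [ISOLATED_VPN], "L1: LAN net -> isolated VPN"),
    Rule("pass", ANY, ANY, ANY, "L2: default allow LAN to any"),
]

def decide(proto, src, dst, openvpn_rules=POSTED_OPENVPN_RULES, lan_rules=LAN_RULES):
    """Return (ingress interface, action, matched rule note) for one flow."""
    iface = ingress_interface(src)
    rules = {"LAN": lan_rules, "OpenVPN": openvpn_rules, "WAN": []}[iface]
    action, note = first_match(rules, proto, src, dst)
    return iface, action, note

if __name__ == "__main__":
    flows = [  # constructed sample flows: (proto, src, dst, description)
        ("tcp", "192.168.1.20", "192.168.10.5", "LAN host -> isolated VPN client"),
        ("tcp", "192.168.10.5", "192.168.1.20", "isolated client -> LAN host, TCP"),
        ("udp", "192.168.10.5", "192.168.1.20", "isolated client -> LAN host, UDP"),
        ("tcp", "192.168.10.5", "10.8.1.7", "isolated client -> other VPN client"),
        ("tcp", "192.168.10.5", "203.0.113.2", "isolated client -> firewall WAN address"),
        ("tcp", "192.168.10.5", "198.51.100.9", "isolated client -> internet"),
    ]
    for label, ovpn, lan in (("posted", POSTED_OPENVPN_RULES, LAN_RULES),
                             ("hardened", HARDENED_OPENVPN_RULES, HARDENED_LAN_RULES)):
        print(f"--- {label} rule set ---")
        for proto, src, dst, what in flows:
            iface, action, note = decide(proto, src, dst, ovpn, lan)
            print(f"{what:44s} enters {iface:8s} {action:5s} ({note})")
```

Running it shows three things the posted set misses: rule 1 never fires because LAN-sourced packets are evaluated on the LAN tab, not the OpenVPN tab; rule 2 is TCP-only, so UDP and ICMP from the isolated tunnel still reach the LAN through rule 4; and the firewall's WAN address is not covered by any block, so the webConfigurator stays reachable there. If the isolated clients are handed the firewall's own DNS resolver, a narrow pass rule for port 53 to the tunnel address would have to sit above H1 in a real rule set, which this port-less model does not show.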
Derelict LAYER 8 Netgate

                    You need a better grasp regarding what firewall rules should go where:

                    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

