Restrict RA user traffic
-
Greetings,
I have configured the OpenVPN Remote Access (RA) service in my pfSense cluster with "IPv4 Tunnel Network" 10.99.99.0/24. I tested this VPN with the user I have, and all works just fine: I obtain the address 10.99.99.2/24 and receive the specifics from the tunnel, and VPN traffic works fine.
MacBook:~ jamal$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc          111        0     en0
10.0.11/24         10.99.99.1         UGSc            0        0   utun1
10.1/16            10.99.99.1         UGSc            0        0   utun1
10.99.99/24        10.99.99.2         UGSc            3        0   utun1
10.99.99.2         10.99.99.2         UH              1        0   utun1
127                127.0.0.1          UCS             0        0     lo0
Then I decided to restrict a user called "vpnuser" to certain IPs he can access. For that purpose, in the "Client Specific Overrides" tab I created an entry with "vpnuser" as the CN and "IPv4 Tunnel Network": 10.99.99.100/30. Then I was going to create a Firewall Rule in the "OpenVPN" tab to restrict the user by matching his source IP. But when I tested "vpnuser" access, I obtained the IP address 10.99.99.100 on the utun1 interface, but traffic isn't passed through the tunnel:
MacBook:~ jamal$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc          113        0     en0
10.0.11/24         10.99.99.1         UGSc            0        0     en0
10.1/16            10.99.99.1         UGSc            0        0     en0
10.99.99.100       10.99.99.100       UH              0        0   utun1
127                127.0.0.1          UCS             0        0     lo0
MacBook:~ jamal$ ping 10.0.11.3
PING 10.0.11.3 (10.0.11.3): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
Request timeout for icmp_seq 0
I think the problem is in local routing. What could be the reason for such an issue? If I delete the "Client Specific Overrides" entry for vpnuser, I obtain an address from the 10.99.99.0/24 subnet and the ping goes well.
-
@shshs - try changing the tunnel network on the client override to 10.99.99.100/24. If you mask /30 I don't think you'll be able to reach the tunnel gateway at 10.99.99.1.
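An added example (not from the original thread, and not pfSense or OpenVPN code) that checks the two points raised in this thread offline: whether a client address with a given mask shares a subnet with the tunnel gateway 10.99.99.1, and whether a macOS routing table like the ones pasted above actually sends traffic for 10.0.11.3 out the tunnel interface with a gateway that is itself reachable on that interface. The two routing tables are constructed from the netstat output in the first post; the function names and the assumption that the tunnel interface is utun1 are mine.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    netif: str


def parse_dest(dest: str) -> ipaddress.IPv4Network:
    """Expand macOS netstat shorthand ('10.1/16', '127', 'default') into a network."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        # No prefix given: a full address is a host route, a truncated one
        # (e.g. '127') is padded to whole octets as netstat abbreviates it.
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen}", strict=False)


def parse_table(text: str) -> List[Route]:
    """Parse 'Destination Gateway Flags Refs Use Netif' rows from netstat -nr."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        routes.append(Route(parse_dest(fields[0]), fields[1], fields[5]))
    return routes


def lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, the same decision the kernel makes per packet."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in table if addr in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


def tunnel_path(table: List[Route], dst: str, tunnel_if: str = "utun1") -> str:
    """Verdict on whether dst leaves via the tunnel with a reachable gateway."""
    route = lookup(table, dst)
    if route is None or route.netif != tunnel_if:
        return "no tunnel route"
    via = lookup(table, route.gateway)
    if via is None or via.netif != tunnel_if:
        return "gateway off-link"
    return "ok"


def client_can_reach_gateway(client_cidr: str, gateway: str) -> bool:
    """True if the tunnel gateway lies inside the client's own tunnel subnet."""
    net = ipaddress.IPv4Interface(client_cidr).network
    return ipaddress.IPv4Address(gateway) in net


# Constructed from the working netstat output in the first post.
TABLE_WORKING = """
default      192.168.2.1   UGSc 111 0 en0
10.0.11/24   10.99.99.1    UGSc 0   0 utun1
10.1/16      10.99.99.1    UGSc 0   0 utun1
10.99.99/24  10.99.99.2    UGSc 3   0 utun1
10.99.99.2   10.99.99.2    UH   1   0 utun1
127          127.0.0.1     UCS  0   0 lo0
"""

# Constructed from the netstat output seen with the /30 client override.
TABLE_OVERRIDE = """
default       192.168.2.1   UGSc 113 0 en0
10.0.11/24    10.99.99.1    UGSc 0   0 en0
10.1/16       10.99.99.1    UGSc 0   0 en0
10.99.99.100  10.99.99.100  UH   0   0 utun1
127           127.0.0.1     UCS  0   0 lo0
"""

if __name__ == "__main__":
    for cidr in ("10.99.99.2/24", "10.99.99.100/30", "10.99.99.100/24"):
        print(cidr, "-> gateway 10.99.99.1 in subnet:", client_can_reach_gateway(cidr, "10.99.99.1"))
    print("working table:", tunnel_path(parse_table(TABLE_WORKING), "10.0.11.3"))
    print("override table:", tunnel_path(parse_table(TABLE_OVERRIDE), "10.0.11.3"))
```

With the /30 override the gateway check fails and the override table shows the 10.0.11/24 route bound to en0 rather than utun1, which is the "Network is unreachable" the original poster saw; with a /24 mask the gateway is on-link again.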
-
I set up the network type as "net30" instead of "subnet" and all works. Thank you, you can close the thread.