Netgate Discussion Forum

    Using aliases for network/ip tunneling over OpenVPN

    OpenVPN
    4 Posts 2 Posters 1.8k Views
    • Nono_

      Hi there,

      I've configured OpenVPN to let me access part of our LAN (some /24) but also some external IPs (/32) that are only accessible from the WAN IP of the pfSense (what I call tunneling over OpenVPN).
      To make it work, I thought about adding specific routes (/32) and adding a specific NAT outbound rule for those external IPs.

      Would it somehow be possible to do this (aka tunneling some, and not all, external IPs over the VPN) using aliases?
      Therefore, I wouldn't have to edit:

      1. The list of IPv4 Local Network/s on the OpenVPN client override (for each user)
      2. The NAT Outbound

      for all external IPs?

      • viragomann

        You can do that, but you cannot use aliases in the OpenVPN settings.
        In the "IPv4 Local Network/s" box you have to enter networks in CIDR notation only. E.g. "10.85.22.0/24,1.1.1.1/32,2.2.2.2/32"

        You may use aliases including all IPs or networks a user (group) is permitted to access over the VPN in firewall rules. Then you can set the source in the outbound NAT rule to your whole VPN tunnel network.

        • Nono_ @viragomann

          @viragomann
          This is basically what I'm doing:
          in "IPv4 Local Network/s" I'm adding the x.x.x.x/32
          and as NAT outbound rule:
          Interface: WAN
          Source: any ("This Firewall" doesn't work)
          Destination: Network (the same x.x.x.x/32)

          => It works, but that means that for every new IP I would have to edit:
          every user config file (yeah, I can't change that in the server config, not every user has the same access rights)
          but also
          add a new NAT outbound rule (there as well, aliases aren't possible).

          But I honestly didn't get how the permission per group/user may work in this case? Can you explain?

          • viragomann

            Above you mentioned adding a CSO for each user. By that you can control the virtual IP addresses the user gets.
            So if you have two user groups which should get different permissions, you can assign group 1 the tunnel network 10.10.22.0/26 and group 2 10.10.22.64/26. Then you may use those subnets in your firewall rules as source networks to control the access of each user group.

            As well, you can set "IPv4 Local Network/s" in the CSO.

            These settings are pushed to the clients, so there is no need to edit the client config files.

            In the outbound NAT rule, if you want to restrict, you can use aliases by selecting Network and entering the alias into the network box.
            However, as mentioned, if you restrict access in the firewall rule already, there is no need to do that in the outbound NAT additionally.

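The design described in the last reply (one tunnel subnet per user group assigned via CSO, group access controlled by source-based firewall rules, and the CSO "IPv4 Local Network/s" box accepting only CIDR strings) as an added example, not code from the thread or from pfSense. The group names, the alias contents and the tunnel pools are constructed sample data; the functions model what the firewall and CSO settings do so the split can be checked before entering it in the GUI.

```python
import ipaddress

# Constructed sample data modelling the thread's design (not pfSense config):
# each group gets a slice of the tunnel network; an alias lists its destinations.
TUNNEL_NETWORK = ipaddress.ip_network("10.10.22.0/24")
GROUP_POOLS = {
    "group1": ipaddress.ip_network("10.10.22.0/26"),
    "group2": ipaddress.ip_network("10.10.22.64/26"),
}
ALIASES = {
    "group1_access": ["10.85.22.0/24", "1.1.1.1", "2.2.2.2"],
    "group2_access": ["10.85.22.0/24"],
}
GROUP_ALIAS = {"group1": "group1_access", "group2": "group2_access"}


def check_pools(pools, tunnel):
    """Pools must lie inside the tunnel network and not overlap, or a
    source-based firewall rule cannot tell the groups apart."""
    nets = list(pools.values())
    for n in nets:
        if not n.subnet_of(tunnel):
            raise ValueError(f"{n} is outside tunnel network {tunnel}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"pools {a} and {b} overlap")
    return True


def local_networks_field(alias_name):
    """Expand an alias into the comma-separated CIDR string the CSO
    'IPv4 Local Network/s' box accepts (it takes no alias names)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in ALIASES[alias_name]]
    return ",".join(str(n) for n in nets)


def group_of(client_ip):
    """Which group a connected client belongs to, judged by its virtual IP."""
    ip = ipaddress.ip_address(client_ip)
    for group, pool in GROUP_POOLS.items():
        if ip in pool:
            return group
    return None


def permitted(client_ip, dst_ip):
    """Mimic the OpenVPN-interface rules: pass only if the client's pool is
    the source of a rule whose destination alias contains dst_ip."""
    group = group_of(client_ip)
    if group is None:
        return False
    dst = ipaddress.ip_address(dst_ip)
    allowed = [ipaddress.ip_network(e, strict=False) for e in ALIASES[GROUP_ALIAS[group]]]
    return any(dst in n for n in allowed)
```

Run check_pools before handing the subnets to the CSOs, and paste the output of local_networks_field into each group's "IPv4 Local Network/s" box; the firewall rule for each group then uses the pool as source and the alias as destination.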
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.