Netgate Discussion Forum

    Best practice block local users from accessing VPN

    OpenVPN
    5 Posts 2 Posters 597 Views
    ScottCall

      I have a few windows users and their openvpn client auto-reconnects when they come to the office. Both the office firewall and OpenVPN server are the same pfSense installation.

      It's a little thing but it bugs me that they are going from Client LAN -> My Public IP -> OpenVPN -> Internet instead of just connecting to the internet from the Client LAN.

      It would be easy to block access to our public IP and port from the client LAN, but I'm curious if there's a better way to do it (either in pfSense or the OpenVPN config).

      Thanks

      JKnott @ScottCall

        @ScottCall

        In the OpenVPN server config, there's a setting for which interface listens for connections. That should be set to WAN.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        ScottCall @JKnott

          @JKnott said in Best practice block local users from accessing VPN:

          @ScottCall

          In the OpenVPN server config, there's a setting for which interface listens for connections. That should be set to WAN.

          It is set to WAN, but they are hitting the WAN address through NAT reflection (I think). NAT Reflection mode for port forwards is set to "Pure NAT", but I'm not sure if it applies, since OpenVPN isn't a port forward as much as a local daemon.

          I don't have any other reflection enabled.

          Thanks

          JKnott @ScottCall

            @ScottCall

            Perhaps you can create a rule to block access from the LAN. You'd put it on the LAN interface, to block going to the WAN address.


            ScottCall @JKnott
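One way to see which LAN hosts are dialling the firewall's own WAN address on the OpenVPN port, and later to confirm that a logged LAN block rule is catching those reconnects, is to scan the pfSense filter log. This is an added example, not code from the thread or from pfSense; the LAN subnet, WAN address, port and the sample log lines are constructed assumptions, and the rule's hits only show up if logging is enabled on it.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed values, not from the thread: office LAN 192.168.1.0/24, the pfSense
# WAN address 203.0.113.10 and an OpenVPN server on UDP 1194.
LAN_NET = ip_network("192.168.1.0/24")
WAN_ADDR = ip_address("203.0.113.10")
OVPN_PORT = 1194

# Constructed sample lines in the pfSense filterlog CSV layout: rule, sub-rule,
# anchor, tracker, interface, reason, action, direction, ip-version, the IPv4
# header fields, length, src, dst, then src-port, dst-port, data-length for UDP.
SAMPLE_LOG = """\
Mar 10 09:12:01 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1234,0,none,17,udp,86,192.168.1.50,203.0.113.10,51234,1194,66
Mar 10 09:12:02 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1235,0,none,6,tcp,60,192.168.1.50,93.184.216.34,51235,443,0
Mar 10 09:12:05 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1236,0,none,17,udp,86,192.168.1.77,203.0.113.10,49001,1194,66
Mar 10 09:12:09 pfSense filterlog[12345]: 9,,,1000000110,igb1,match,block,in,4,0x0,,64,1237,0,none,17,udp,86,192.168.1.50,203.0.113.10,51234,1194,66
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ filterlog\[\d+\]: (?P<csv>.+)$")

def parse_line(line):
    """Pull the fields we need from one IPv4 filterlog line; None if not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4":
        return None  # IPv6 lines have a different header layout; skipped here
    return {"ts": m.group("ts"), "iface": f[4], "action": f[6], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def hairpin_hits(log_text):
    """LAN clients whose OpenVPN client is dialling the firewall's own WAN address."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["proto"] != "udp" or e["dport"] != OVPN_PORT:
            continue
        if ip_address(e["src"]) in LAN_NET and ip_address(e["dst"]) == WAN_ADDR:
            hits.append(e)
    return hits

def summarize(log_text):
    """Count hits per client and per firewall verdict, e.g. to confirm the new
    LAN block rule is catching the reconnects after it has been added."""
    return dict(Counter((e["src"], e["action"]) for e in hairpin_hits(log_text)))
```

Run it against the output of `clog /var/log/filter.log` (or the exported filter log) instead of SAMPLE_LOG to check the real firewall.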

              @JKnott said in Best practice block local users from accessing VPN:

              @ScottCall

              Perhaps you can create a rule to block access from the LAN. You'd put it on the LAN interface, to block going to the WAN address.

              That was my plan; I just wanted to know if there was a more recommended way before I did.

              I'll do that.

              Thanks
              -S

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.