Using Open VPN service on XG-7100, prevent LAN clients connecting
-
I have a funny issue. If I attempt to connect to the VPN endpoint on the firewall, from inside the LAN, I am not rejected. Is this normal for Open VPN, what did I miss? I thought about a firewall rule, but the Open VPN interface is not an option for source or destination.
-
Please rephrase your question. It doesn't make any sense.
If you have an OpenVPN server listening on the WAN it is not designed to be connected to from the inside. It is designed to be connected to from the outside.
-
@Derelict You're right it doesn't make any sense. I've never worked with a VPN endpoint that allows internal connections.
I am using the Open VPN service on the XG-7100, VPN/Open VPN menu. The firewall is hosting the VPN server via the built in service. And yes, it allows connections from inside. Don't ask me how, because that's what I'm asking you.
-
Why connect from the inside? Why not just route the traffic?
You can do it but if you are looking to be connecting from the inside, the network you are connecting from can't be one of the networks you expect to access over the VPN.
You will see the same problems connecting from a remote site that uses the same IP numbering scheme as the protected network.
So give more details:
Subnet and IP address you are connecting from
Subnet you expect to be routing over the VPN (The Local Networks in the server)
The host IP address you are having trouble accessing.
It is completely normal to be able to connect to services running on the WAN address from the inside. If you do not want that to happen you need to block connections to This firewall (self) on that interface. (Be sure the web gui is passed before that if you do or you will lock yourself out)
-
@Derelict To be clear, I'm trying to disable connecting from the inside. We discovered this quite by accident.
-
My expectation when using a VPN endpoint on the firewall is that this endpoint will only accept traffic inbound from the WAN interface. How do I manually restrict the traffic that the Open VPN service will accept?
-
Your expectation is erroneous.
Block the traffic on the interface(s) that are receiving the traffic you want blocked, such as the LAN interface.
A "guest" interface would look something like this:
-
@Derelict I'm not sure I've done a good job of expressing my concern. Can you repeat back to me what you understand my issue to be? I want to make sure that we are harmonized, because it seems like this should be very simple to solve.
-
Okay, so here's my beef: a VPN is designed to securely encapsulate private traffic to traverse a public network. Public and private are on opposite sides of the WAN interface. Since the Open VPN service accepts inbound connections from private interfaces, it is not working correctly.
Why does the pfSense implementation of Open VPN go against sane networking theory?
How do I stop the Open VPN from being naughty? Are you really saying I have to implement a ton of firewall rules to make the endpoint behave properly?
-
It is simple to solve. If you don't want users on an interface to connect to a service running on the firewall, make a block rule there.
-
@Derelict The endpoint should be accepting connections from private subnets by default. Why is it doing that?
-
Because that WAN address is just another IP address. You need to block traffic from the inside to it if that's what your requirements are.
-
@Derelict well, I'm not trying to block access to the WAN. I'm trying to prevent private subnets from connecting to the Open VPN service.
-
That is WAN address. That is not the internet. See the rule set I already posted.
Connections to the OpenVPN server would be blocked by the Reject Guest access to This Firewall rule.
-
If you have an OpenVPN server listening on the WAN it is not designed to be connected to from the inside. It is designed to be connected to from the outside.
Actually, that's normal. You can reach any address on the box from any interface, unless you have rules to block it. Don't forget, pfSense is a router, so if it, for example, receives a packet with the WAN interface as destination, on the LAN interface, it will forward it appropriately through 0.0.0.0.
-
I know it's completely normal. It's @shapelytraffic that is having trouble grasping that concept.
-
@Derelict I saw your rules, what are you representing with "guest" network?
If I block LAN access to the WAN then I assume this will have global impact.
-
@shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:
@Derelict To be clear, I'm trying to disable connecting from the inside. We discovered this quite by accident.
That behaviour is normal. If you don't want it, create a rule on the LAN interface to block it.
-
No. It won't have global impact. Global addresses are not covered in any of those block rules. Traffic that is not specifically blocked will be passed to the internet by the bottom rules passing traffic to destination any. Guest Network in that example is the IP network of the GUEST interface.
-
@JKnott my issue is that any other router on the market which provides a VPN endpoint and client install will only accept client traffic from the public side of the WAN. You cannot go in through the outdoor, as it were. So, if this is "a feature" then I ask, why is it that the feature goes against networking standards? But also, do I really need to implement a ton of firewall rules to make the endpoint behave?
-
@shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:
Why does the pfSense implementation of Open VPN go against sane networking theory?
It's not against sane networking theory. pfSense is a router. When it receives a packet, it forwards it as appropriate and that includes to its own interface addresses. There is no difference between that and any other address out on the WAN. You need to block it with a rule on the LAN interface.
-
You are making a common mistake in thinking that WAN address and WAN Network is the "internet". It isn't. Destination any is the internet. WAN address is the address currently assigned on the WAN interface. WAN Network is the subnet of the WAN interface address.
It does not go against networking standards. The rule set is doing exactly what it is being instructed to do, pass the traffic to the OpenVPN server running on WAN address. If that is not what you want, block it.
-
@shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:
If I block LAN access to the WAN then I assume this will have global impact.
Block access only to the WAN interface address, not everything out on the WAN and beyond. That is, you block that specific address and no other.
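To make the rule-ordering advice in this thread concrete, here is an added example (not code from the forum posts or from pfSense itself) that simulates pfSense's first-match evaluation of a LAN rule set. The addresses, the "This Firewall" alias contents and the OpenVPN/GUI ports are constructed assumptions; it shows that blocking only the firewall's own addresses leaves internet traffic passing, and that putting the GUI pass rule below the block locks the GUI out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing (RFC 1918 / RFC 5737 ranges), not the poster's real network.
LAN_ADDRESS = "192.168.1.1/32"
WAN_ADDRESS = "203.0.113.10/32"
THIS_FIREWALL = [LAN_ADDRESS, WAN_ADDRESS]  # "This Firewall (self)": every interface address
ANY = ["0.0.0.0/0"]
OPENVPN_PORT = 1194   # assumed OpenVPN server port
WEBGUI_PORT = 443     # assumed web GUI port

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp" or "udp"
    dst: List[str]              # destination alias: list of CIDR strings
    dport: Optional[int] = None # None matches any destination port

def matches(rule, proto, dst_ip, dport):
    """A rule matches when protocol, destination address and port all agree."""
    if rule.proto not in ("any", proto):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) for net in rule.dst)

def evaluate(rules, proto, dst_ip, dport):
    """First match wins; anything no rule passes is denied by default."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action
    return "block"

# Correct LAN order: pass the GUI, then block "This Firewall", then pass everything else.
LAN_RULES_OK = [
    Rule("pass", "tcp", [LAN_ADDRESS], WEBGUI_PORT),
    Rule("block", "any", THIS_FIREWALL),
    Rule("pass", "any", ANY),
]
# Same rules with the GUI pass below the block: LAN hosts lose the web GUI.
LAN_RULES_LOCKOUT = [
    Rule("block", "any", THIS_FIREWALL),
    Rule("pass", "tcp", [LAN_ADDRESS], WEBGUI_PORT),
    Rule("pass", "any", ANY),
]

def check(rules):
    """Evaluate three LAN-originated flows against a LAN rule set."""
    return {
        "openvpn_on_wan_address": evaluate(rules, "udp", "203.0.113.10", OPENVPN_PORT),
        "webgui_on_lan_address": evaluate(rules, "tcp", "192.168.1.1", WEBGUI_PORT),
        "internet": evaluate(rules, "tcp", "198.51.100.7", 443),
    }
```

Run `check(LAN_RULES_OK)` and `check(LAN_RULES_LOCKOUT)` to compare the two orderings; the only difference is whether the GUI flow passes.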
-
@Derelict what are you representing with "guest" network?
-
If you were trying to reach the LAN interface address from the WAN, you'd have to create a rule that would allow that. Going the other way, pfSense allows all traffic from the LAN, out to the Internet, including the WAN interface address. In some other routers, such as Cisco, you'd have to create a rule just to reach the Internet.
-
Here's some info that may help:
The interface settings screen will differ based on the type of interface being dealt with. In pfSense software, the real distinction between "WAN", "LAN" and "OPT" interfaces is blurred as they are all capable of handling any role. For historical and ease-of-use purposes, the first two interfaces are WAN and LAN. Additional interfaces start at OPT1 and are numbered from there (OPT2, OPT3, … OPTn).
As soon as you have installed pfSense, you have WAN and LAN interfaces, which are understood to have different roles. The LAN role is to pass everything to the WAN, unless specifically blocked. The WAN role is to block everything, unless specifically enabled.
Try creating a couple of OPT interfaces to get a better idea of how rules are applied.
-
@shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:
@Derelict what are you representing with "guest" network?
The subnet of the GUEST interface. I have no idea what it was when I took that screen shot but if the GUEST interface is numbered like this:
192.168.123.1/24
GUEST Address: 192.168.123.1/32
GUEST Network: 192.168.123.0/24
-
@JKnott This is a production unit so I don't have the luxury of experimenting.
-
So spin up a VM to experiment on. It doesn't cost anything.
-
@Derelict so, if I understand you correctly, you're saying to block private addresses on the WAN rule set to the WAN IP?
-
No. Look at the rule set I posted. The rules go on the interface the connection comes INTO the firewall on. GUEST in that example.
https://docs.netgate.com/pfsense/en/latest/book/firewall/index.html
-
@Derelict so, for each internal interface, I need to implement these rules?
-
If that is the desired effect to implement your policy, yes.
-
@shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:
@Derelict so, if I understand you correctly, you're saying to block private addresses on the WAN rule set to the WAN IP?
One very important thing to remember is that the rules are applied to the interface, not the address. So, you have to put the rule on the interface that the packets will pass through. If you try to reach the WAN address from the LAN, the packets will pass through the LAN interface, but not the WAN interface, so the rules go on the LAN interface.
-
@Derelict I'm not certain we agree specifically what my desired effect is though. I would feel much more confident in your assistance if you would express to me what you think I'm trying to do, because in my mind it's not at all unusual. But your phrasing sounds skeptical.
-
You do not want inside hosts to be able to connect to your OpenVPN server on the WAN address.
So you need to block those connections on the inside interfaces.
I'm pretty much done here. Can only say the same thing so many times. There is a book.
-
@Derelict good on ya mate. How can I be as good as you?
-
@shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:
@Derelict I'm not certain we agree specifically what my desired effect is though. I would feel much more confident in your assistance if you would express to me what you think I'm trying to do, because in my mind it's not at all unusual. But your phrasing sounds skeptical.
You want to keep LAN users from using the VPN. So, all you have to do is block them with a rule on the LAN interface. Also, even if they did connect to it, the VPN still won't be used, because there is a direct connection that bypasses it and that connection will always be used.
You may need to brush up on how IP works. When you try to connect to something, the computer compares the destination address with the local network address and subnet mask. If the destination is on the same network, then the packet is sent directly to the destination. Any other destination requires routing and you can't route to your own network, as you'd be doing if you passed through the VPN.
-
@JKnott thanks for taking the time to condescend. No thanks.
-
I wasn't trying to be condescending. You seemed to be having a problem understanding how it works.