Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help me understand OpenVPN Interfaces and Firewall Rules

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 3 Posters 436 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      powerextreme
      last edited by

      Hello,

      I have several site-to-site VPN's setup where my pfSense is the server. I also have it serving as a client to PIA. I basically just followed the online instruction while not knowing what I was actually doing. Now I want to know.

      For my PIA client I created the client in open VPN and then had to assign an interface for it. I just realized I have no rules on that interface yet I am able to send traffic through it by using it as the gateway for the LAN. Why is this possible? Shouldn't the traffic be blocked since I defined no rules for the interface

      Screen Shot 2020-07-25 at 5.54.37 PM.png

      Under firewall rules, there is an OpenVPN tab. I have been using this tab to control traffic from my remote sites to my their respective openVPN servers on my pfsense.
      Why didn't I have to create an interface and respective firewall rules for those openvpn servers? When I go to "Assign Interfaces" they show up as available ports.

      Thanks!

      1 Reply Last reply Reply Quote 0
      • chpalmerC
        chpalmer
        last edited by

        It is not necessary to define any interfaces for an OpenVPN instance except maybe for a service such as PIA.. I never have myself though others have. If you have the "traffic graphs" on your dashboard then those interfaces would show up there. So that might be a reason for some. I really dont care to watch the graphs from all my VPNs.

        Rules on an interface are for traffic entering that interface. So if you want people on the other side of your PIA connection to have access then you would have to build rules. If not then treat it like your default WAN.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        1 Reply Last reply Reply Quote 0
        • P
          powerextreme
          last edited by

          @chpalmer Thanks. So the OpenVPN tab on firewall rules services all VPN instances (client and server)? To include, the PIA?

          If so, I shouldn't have an Any<-> Any rule on that tab? I don't want random people accessing my network from PIA.

          If I create an interface for an OpenVPN instance (ovpns or ovpnc) will Firewall on that interface tab rules supersede the ones on the OpenVPN tab?

          Bob.DigB 1 Reply Last reply Reply Quote 0
          • Bob.DigB
            Bob.Dig LAYER 8 @powerextreme
            last edited by Bob.Dig

            @powerextreme

            Filtering with OpenVPN

            When the OpenVPN interface is assigned, a tab is present under Firewall > Rules dedicated to only this single VPN. These rules govern traffic coming in from the remote side of the VPN and they even get the pf reply-to keyword which ensures traffic entering this VPN interface will exit back out the same interface. This can help with some more advanced NAT and configuration scenarios.

            Note

            Rules added here are processed after the OpenVPN tab rules, which are checked first. In order to match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any “Allow All” style rules from the OpenVPN tab and craft more specific rules instead.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.