Netgate Discussion Forum

Help me understand OpenVPN Interfaces and Firewall Rules

  • powerextreme (last edited Jul 25, 2020, 9:57 PM)

    Hello,

    I have several site-to-site VPNs set up where my pfSense is the server. I also have it serving as a client to PIA. I basically just followed the online instructions while not knowing what I was actually doing. Now I want to know.

    For my PIA client I created the client in OpenVPN and then had to assign an interface for it. I just realized I have no rules on that interface, yet I am able to send traffic through it by using it as the gateway for the LAN. Why is this possible? Shouldn't the traffic be blocked since I defined no rules for the interface?

    [Screenshot: Screen Shot 2020-07-25 at 5.54.37 PM.png]

    Under firewall rules, there is an OpenVPN tab. I have been using this tab to control traffic from my remote sites to their respective OpenVPN servers on my pfSense.
    Why didn't I have to create an interface and respective firewall rules for those OpenVPN servers? When I go to "Assign Interfaces" they show up as available ports.

    Thanks!

    • chpalmer (last edited Jul 25, 2020, 10:08 PM)

      It is not necessary to define any interfaces for an OpenVPN instance except maybe for a service such as PIA. I never have myself, though others have. If you have the "traffic graphs" on your dashboard then those interfaces would show up there. So that might be a reason for some. I really don't care to watch the graphs from all my VPNs.

      Rules on an interface are for traffic entering that interface. So if you want people on the other side of your PIA connection to have access then you would have to build rules. If not, then treat it like your default WAN.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • powerextreme (last edited Jul 26, 2020, 5:24 PM)

        @chpalmer Thanks. So the OpenVPN tab on firewall rules services all VPN instances (client and server)? Including the PIA?

        If so, I shouldn't have an Any <-> Any rule on that tab? I don't want random people accessing my network from PIA.

        If I create an interface for an OpenVPN instance (ovpns or ovpnc), will the firewall rules on that interface tab supersede the ones on the OpenVPN tab?

        • Bob.Dig, replying to @powerextreme (posted Jul 26, 2020, 5:38 PM; last edited Jul 26, 2020, 5:39 PM)

          @powerextreme

          Filtering with OpenVPN

          When the OpenVPN interface is assigned, a tab is present under Firewall > Rules dedicated to only this single VPN. These rules govern traffic coming in from the remote side of the VPN and they even get the pf reply-to keyword which ensures traffic entering this VPN interface will exit back out the same interface. This can help with some more advanced NAT and configuration scenarios.

          Note

          Rules added here are processed after the OpenVPN tab rules, which are checked first. In order to match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any “Allow All” style rules from the OpenVPN tab and craft more specific rules instead.

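The ordering that the quoted note describes (OpenVPN tab first, then the assigned interface's tab, first match wins, default deny for anything unmatched) and chpalmer's point that rules only apply to traffic entering an interface can be checked with a small simulator. The block below is an added example written for this thread, not pfSense code and not anything from the posters: interface names, subnets, rule labels and the sample packets are all constructed, and the model ignores floating rules, NAT and state tracking.

```python
"""Toy model of pfSense rule ordering for OpenVPN traffic (added example, not pfSense code).

Models three points from the thread:
  * a tab's rules apply only to traffic ENTERING the interface the tab belongs to;
  * the "OpenVPN" tab is an interface group covering every ovpns*/ovpnc* instance
    and is evaluated before the assigned interface's own tab;
  * tab rules are "quick": the first matching rule decides, unmatched traffic
    falls through to the default deny.
All interface names, networks and rules below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    label: str    # human-readable name used in the results

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def in_net(ip: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return in_net(src_ip, self.src) and in_net(dst_ip, self.dst)


# Constructed: members of the "OpenVPN" group tab.
# ovpns1 = site-to-site server instance, ovpnc1 = PIA client assigned as its own interface.
OPENVPN_GROUP = {"ovpns1", "ovpnc1"}

LAN_NET = "192.168.1.0/24"
REMOTE_SITE_NET = "10.10.0.0/24"


def evaluate(ingress_iface, group_rules, iface_rules, src_ip, dst_ip):
    """Return (action, label) for a packet entering ingress_iface."""
    candidates = []
    if ingress_iface in OPENVPN_GROUP:
        candidates += group_rules                      # OpenVPN tab is checked first
    candidates += iface_rules.get(ingress_iface, [])   # then the assigned interface tab
    for rule in candidates:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.label             # quick: first match wins
    return "block", "default deny"                     # nothing matched


def scenario(openvpn_tab_allow_all: bool):
    """Evaluate three constructed packets with or without an Allow All on the OpenVPN tab."""
    group_rules = []
    if openvpn_tab_allow_all:
        group_rules.append(Rule("pass", "any", "any", "OpenVPN tab: allow all"))
    group_rules.append(Rule("pass", REMOTE_SITE_NET, LAN_NET, "OpenVPN tab: remote site -> LAN"))
    iface_rules = {
        "lan": [Rule("pass", LAN_NET, "any", "LAN tab: LAN net -> any")],
        "ovpnc1": [],   # PIA interface tab left empty, as in the original post
    }
    return {
        # LAN host routed out via the PIA gateway: it enters on LAN, so only LAN rules apply.
        "lan_to_pia": evaluate("lan", group_rules, iface_rules, "192.168.1.10", "8.8.8.8"),
        # Something on the PIA side trying to reach the LAN: it enters on ovpnc1.
        "pia_to_lan": evaluate("ovpnc1", group_rules, iface_rules, "203.0.113.5", "192.168.1.10"),
        # Remote site host reaching the LAN over the site-to-site server.
        "site_to_lan": evaluate("ovpns1", group_rules, iface_rules, "10.10.0.20", "192.168.1.10"),
    }


def interface_block_vs_group_allow():
    """Does a block rule on the assigned tab override an Allow All on the OpenVPN tab?"""
    group_rules = [Rule("pass", "any", "any", "OpenVPN tab: allow all")]
    iface_rules = {"ovpnc1": [Rule("block", "any", "any", "PIA tab: block all")]}
    return evaluate("ovpnc1", group_rules, iface_rules, "203.0.113.5", "192.168.1.10")


if __name__ == "__main__":
    for allow_all in (True, False):
        print(f"OpenVPN tab Allow All = {allow_all}")
        for name, result in scenario(allow_all).items():
            print(f"  {name:12s} -> {result}")
    print("block on PIA tab vs allow-all on OpenVPN tab ->", interface_block_vs_group_allow())
```

Running it shows why the empty PIA tab did not stop outbound traffic (that traffic enters on LAN and is judged by the LAN tab), why an Any <-> Any rule on the OpenVPN tab lets PIA-side traffic into the LAN, and why a block rule on the assigned tab cannot supersede it: the group rule matches first and is quick. Once the Allow All is removed, the PIA-side packet falls through to the default deny while the specific site-to-site rule still passes.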