Netgate Discussion Forum
    Firewall Rules for OpenVPN Tab versus Interface Rules

    11 Posts 3 Posters 946 Views
powerextreme

      Hello,

Recently it became clear to me that I don't fully understand what is gained from creating an interface for an OpenVPN server or client instance (network port).

      I have rules in the OpenVPN tab to control the traffic coming in and out of the servers.

Under Interfaces, if I wanted to create an interface for an OpenVPN server (network port), I have the option to select one and add the interface. What does this buy me?

      One thing I have noticed is that with my SNORT service, OpenVPN isn't an interface for it to monitor. Is this one benefit?

viragomann

        OpenVPN is an interface group including all OpenVPN instances you're running on pfSense, servers as well as clients.

        You need to add a specific interface to an OpenVPN instance for special functions and tasks which should not be applied to all OpenVPN instances or where the interface group doesn't fit.

        @powerextreme said in Firewall Rules for OpenVPN Tab versus Interface Rules:

        One thing I have noticed is that with my SNORT service

Yes, that's one. You also need a specific interface for other services like DNS.

        Also it is necessary for policy routing rules to direct traffic to a VPN gateway.

        You also need to add an interface if you want to get benefit of the reply-to function in pfSense.

powerextreme

          Thanks for the response. Which takes precedence?

          A rule in the OpenVPN tab?
          A rule in an interface created for an OpenVPN instance?

viragomann

Rules on an interface group have priority over those on interface tabs.

So if you assign an interface to an OpenVPN instance and add rules to it, you have to make sure that rules on the OpenVPN tab are not applied to the same traffic, or remove all rules from it.

powerextreme @viragomann

              @viragomann
              Thanks but I don't fully understand.

For example, if I added an interface and had a rule to allow 'any <-> any' but had a deny all in the OpenVPN tab, which would take preference?

Rico

                deny all

                -Rico

powerextreme

                  @Rico

                  Let me flip it. If I had an OpenVPN tab rule for 'any <-> any' and had the following interface rules

                  allow 'any' <-> IP1
                  deny 'any' <-> IP2

                  Would any traffic make it to IP2?

viragomann @powerextreme

                    @powerextreme
                    Yes. The conditions of the any to any rule on the OpenVPN tab will match the traffic and so the rule will be applied.

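The precedence discussed in the posts above, as an added example that is not part of this thread and was not posted by any of its participants: a small Python model of the order in which pfSense evaluates rules for traffic arriving on an assigned OpenVPN interface, floating rules first, then the interface group tab (OpenVPN), then the assigned interface's own tab, with the first matching quick rule deciding and unmatched traffic blocked by default. It replays the three situations from the thread: deny-all on the OpenVPN tab with allow-any on the interface, allow-any on the OpenVPN tab with a per-host allow/deny pair on the interface, and the same interface rules with the OpenVPN tab emptied. The addresses (10.0.8.2 as a tunnel client, 192.168.1.10 standing in for IP1, 192.168.1.20 for IP2, 192.168.1.30 as an unlisted host) are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule. src and dst are 'any' or a CIDR/host string.
    pfSense interface tab and interface group rules are always 'quick'
    (first match wins); only floating rules may clear the quick flag."""
    action: str          # "pass" or "block"
    src: str
    dst: str
    quick: bool = True


def _matches(pattern: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall in the prefix."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


class InterfaceRuleset:
    """Rules as evaluated for traffic entering one assigned interface:
    floating rules, then the interface group tab (here: OpenVPN),
    then the interface's own tab. Unmatched traffic is blocked by default."""

    def __init__(self, floating: Iterable[Rule] = (), group: Iterable[Rule] = (),
                 interface: Iterable[Rule] = ()) -> None:
        self.floating: List[Rule] = list(floating)
        self.group: List[Rule] = list(group)
        self.interface: List[Rule] = list(interface)

    def evaluate(self, src: str, dst: str) -> str:
        last_match: Optional[str] = None
        for rule in self.floating + self.group + self.interface:
            if _matches(rule.src, src) and _matches(rule.dst, dst):
                if rule.quick:
                    return rule.action       # first quick match decides
                last_match = rule.action     # non-quick: a later match overrides
        return last_match or "block"         # pfSense default deny


# Constructed sample addresses for the walk-through.
TUNNEL_CLIENT = "10.0.8.2"   # a connected OpenVPN client
IP1 = "192.168.1.10"         # the host the interface rule allows
IP2 = "192.168.1.20"         # the host the interface rule denies
OTHER = "192.168.1.30"       # a LAN host no interface rule mentions

INTERFACE_RULES = [
    Rule("pass", "any", IP1),
    Rule("block", "any", IP2),
]


def scenario_deny_all_on_group() -> str:
    """Deny-all on the OpenVPN tab, allow any<->any on the assigned interface."""
    rs = InterfaceRuleset(group=[Rule("block", "any", "any")],
                          interface=[Rule("pass", "any", "any")])
    return rs.evaluate(TUNNEL_CLIENT, IP1)          # the group rule wins: "block"


def scenario_pass_all_on_group() -> Dict[str, str]:
    """Allow any<->any on the OpenVPN tab; the interface tab allows IP1 and denies IP2."""
    rs = InterfaceRuleset(group=[Rule("pass", "any", "any")], interface=INTERFACE_RULES)
    return {"to_ip1": rs.evaluate(TUNNEL_CLIENT, IP1),
            "to_ip2": rs.evaluate(TUNNEL_CLIENT, IP2),   # still "pass": never reaches the deny
            "to_other": rs.evaluate(TUNNEL_CLIENT, OTHER)}


def scenario_group_tab_emptied() -> Dict[str, str]:
    """Same interface rules, OpenVPN tab left empty: the interface tab now decides."""
    rs = InterfaceRuleset(interface=INTERFACE_RULES)
    return {"to_ip1": rs.evaluate(TUNNEL_CLIENT, IP1),
            "to_ip2": rs.evaluate(TUNNEL_CLIENT, IP2),
            "to_other": rs.evaluate(TUNNEL_CLIENT, OTHER)}   # no match: default deny


if __name__ == "__main__":
    print("deny-all on OpenVPN tab:", scenario_deny_all_on_group())
    print("pass-any on OpenVPN tab:", scenario_pass_all_on_group())
    print("OpenVPN tab empty:      ", scenario_group_tab_emptied())
```

The model shows why a catch-all pass on the OpenVPN tab makes per-interface rules dead code: the group rule is consulted first and matches everything, so the interface tab's deny for IP2 is never reached. It also shows the other side of that coin: once the OpenVPN tab is empty, anything the interface tab does not explicitly pass falls through to the default deny, so the interface rules have to be complete. The `quick` handling only matters for floating rules, which the thread does not use; it is in the model so the evaluation order is stated in full.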
powerextreme

@viragomann Thanks, so what is the point of having the interface? It seems like, no matter what OpenVPN instance I have, I need to put the rules that affect that instance in the OpenVPN tab.

Rico

                        https://docs.netgate.com/pfsense/en/latest/book/openvpn/assigning-openvpn-interfaces.html

                        -Rico

powerextreme

                          @Rico Thanks for the link! I don't know why I didn't go there first.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.