OPENVPN client-to-client firewalling not working
-
Hi
I would like to create a setup where I have 10 openvpn clients connected to PFS, without site to site traffic, and an 11th one able to reach the 10 clients.
So I have created a VPN server, where all the clients can exchange traffic together, thinking that I will be able filter traffic using the firewall.
But even if I do a rule to block all traffic on the openvpn section (all/all/reject), the traffic between my clients is still passing !
As I want one client to be able to reach all the other clients I select : 'Allow communication between clients connected to this server'
Does it means that the FW is not able to filter traffic between clients ?
Thanks for your help,
-
that's right, the firewall can't do anything if the clients are on the same interface
'Allow communication between clients connected to this server' it's your only option
you can create different VPN server for each client
-
the firewall can't do anything if the clients are on the same interface
Are you sure about that?
Works fine in Linux.If Inter client communication (--client-to-client) is selected, the packets between clients are never exposed to pfSense.
They stay "inside" the OpenVPN process, hence no firewalling can be done.
Follow the flow, see purple line: https://community.openvpn.net/openvpn/wiki/HowPacketsFlowWith Inter client communication not selected, following the flow you'll see that packets are going from OpenVPN to the tun interface and back to OpenVPN.
So that is where (on tun interface) you want to place your rules.Do not select Inter client communication.
Assign an interface to the server instance (I always do).
On the new interface traffic can now be regulated.
Should work just fine. -
really sorry !! , that's right, didn't think about it
if you assign an interface the traffic can be regulated. -
We can not think of all, all the time ;)
-
Same works with the OpenVPN group Interface.
-Rico
-
So, following our discussion, i have made several tests, and with Inter Client Communication, I am able to filter now with 'Allow communication between clients...'
So my instance :
My VPN is VPN AUDIOPRO, but I had to create OPT1 instance to make it works ... and I don't really understand why ... and what is OPT1
Many thanks for your help !
-
from what I can understand the interface is assigned but not enabled
you should have LAN and OPT1 interface available under the firewall rules tab
Check the flag "Enable" in the interface settingsAfter assigning the OpenVPN interface, edit the OpenVPN server or client and click Save once there as well to reinitialize the VPN. This is necessary for the VPN to recover from the assignment process. <- the openvpn server will stop working until you restart it after enabling the interface, pay attention if you are doing it from a remote location
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html#filtering-with-openvpn