Specific devices with OVPN client as gateway



  • Still planning on how to do things (right).
    Attached image shows the diagram.

    pfSense will become OVPN server.
    NAS will be OVPN client and connected 24/7.
    I want it to be the exit point for XBOX and GB 24/7.
    On the NAS I can enable IP forwarding and NAT.

    1. Point gateway on XBOX and GB to OVPN or let pfSense handle that?

    PC must not be connected 24/7 but only when the kid plays on Steam/MC and YT.
    2. I was thinking of adding/deleting the route in a batch?

    All other devices, not shown here, need to go straight out to the LOCAL WAN.

    Thoughts?




  • When you assign an interface to your OpenVPN connection, it should automagically generate a gateway.

    That gateway can be used in firewall rules (policy routing).



  • That sounds easy enough (I hope and see :))
    Then use a batch, OVPN-on and OVPN-off, to set the route.

    Thanks for confirming.
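The "OVPN-on / OVPN-off batch" idea above, written out as an added example (not code from the thread): one Windows batch file that swaps the PC's default route between the pfSense LAN gateway and the NAS acting as the OpenVPN exit. The two addresses are placeholders and must match your LAN; it assumes the NAS already has IP forwarding and NAT enabled as the first post describes.

```batch
@echo off
rem ovpn-route.cmd on^|off  -- constructed example, not from the forum thread
rem Placeholder addresses (assumptions): adjust to your own LAN.
set "PFSENSE_GW=192.168.1.1"
set "NAS_GW=192.168.1.10"

rem Changing the default route needs an elevated prompt; bail out early otherwise.
net session >nul 2>&1 || (
  echo This script must be run from an elevated (Administrator) prompt.
  exit /b 1
)

if /i "%~1"=="on" (
  rem Send all non-LAN traffic via the NAS, which forwards it into the OpenVPN tunnel.
  route change 0.0.0.0 mask 0.0.0.0 %NAS_GW% || exit /b 1
  echo Default route now via NAS %NAS_GW%
) else if /i "%~1"=="off" (
  rem Restore the normal path straight out of the local WAN through pfSense.
  route change 0.0.0.0 mask 0.0.0.0 %PFSENSE_GW% || exit /b 1
  echo Default route restored via pfSense %PFSENSE_GW%
) else (
  echo Usage: %~nx0 on^|off
  exit /b 2
)

rem Show the resulting default route so the change can be verified at a glance.
route print 0.0.0.0
```

Note that `route change` is not persistent: a DHCP lease renewal or reboot puts the pfSense gateway back, so run `off` before `on` again if the state ever gets out of sync, and check with `route print 0.0.0.0` (or `tracert`) which hop the PC is actually using.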



  • Hmm… forgot about something.

    One Admin should be able to talk to NAS when on the road and VPN'ed in.

    1. Does allowing "Inter-client communication" in "Servers-->Edit server" set the client-to-client option in server config?

    2. If so, then this cannot be firewalled?

    I know OpenVPN has a built-in internal packet filter that would allow firewalling client-to-client connections, but it is not available on pfSense I assume. It would require an internal packet filter module built for pfSense.

    3. Does this mean that I would have to route and then firewall it?



  • Ok, I've set up a server, assigned an interface (ovpns1) and now in Firewall->Rules I have two tabs named "OPENVPN" and "OpenVPN".

    Why?
    Which one should be used for rules?

    Thanks.


  • Netgate

    OpenVPN is an interface group consisting of all OpenVPN clients and servers. Rules there are processed first.

    OPENVPN must be an assigned interface that you named as such. Rules there govern traffic coming from that specific instance of OpenVPN.

    The assigned interface also gives you a gateway to policy route, you can do NAT on it, etc.

    Unless there is a good reason to do so, I generally delete all the rules on the OpenVPN group and put the rules on the assigned interface. That prevents something that is correctly configured from not working because the traffic matches an OpenVPN group rule (so the interface rule never gets processed).



  • Ah, I see now, it takes the description field and converts it into capitals, that rings a bell, it did the same with the VLAN I have.
    I've renamed the description OpenVPN to OpenVPN_UDP.
    On the tab in Firewall->Rules it now says OPENVPN_UDP.

    Thanks for clarifying, I do plan on having a second server on TCP with a different port for "worst case" so a group would not be a good idea.
    After setup is done I don't need to change anything anyway, set and forget :)

    Thanks.



  • @Pippin:

    I know OpenVPN has a built-in internal packet filter that would allow firewalling client-to-client connections

    Here I'm confusing tun and tap. In the case of tap, the above is true.
    With a pf_plugin_module for OpenVPN one could set up a scheme for who can talk to whom.

    1. Does allowing "Inter-client communication" in "Servers-->Edit server" set the client-to-client option in server config?
    2. If so, then this cannot be firewalled?

    Yes, I just checked this, it does set client-to-client in server config and to my knowledge it cannot be firewalled.
    Is that true also for pfSense?
    If so, then maybe this should be stated under the tick box/help.

    It would mean, if one wants to firewall client-to-client communication, do not tick this box.