OpenVPN Firewall Rules Advice



  • I have set up an OpenVPN server on pfSense, the IPv4 Tunnel Network I have told OpenVPN to use is 192.168.3.0/24

    This works and I can connect to the VPN from a remote location, however I can access any host on any of the interfaces below:

    LAN = 192.168.1.0/24
    DMZ = 192.168.2.0/24
    VPN = 192.168.3.0/24

    This might be where I have gone totally wrong from this point, so any advice is appreciated.

    I assigned ovpns1 (the Virtual OpenVPN interface) to a new OPT interface called VPN (192.168.3.0).

    Now I can assign firewall rules on this VPN interface, however these are ignored by VPN clients.

    I've noticed I can create rules on both VPN and OpenVPN:

    If I create a firewall rule on the virtual "OpenVPN" interface, for example block VPN net from accessing DMZ net, the rule will apply to VPN clients.

    It seems strange I have to assign the ovpns1 to an OPT interface, to then create firewall rules on the ovpns1 using the VPN OPT interface to base the rule on (See the test rule in the screenshot above).

    I'm wondering is this how it's supposed to work, or have I gone wrong somewhere?

    Thanks for any advice.


  • LAYER 8 Netgate

    The OpenVPN tab is, under the hood, just an interface group containing all OpenVPN instances - all servers and all clients. You can use it to generally control traffic into your firewall from OpenVPN. You cannot, however, get special things like reply-to, which automatically sends reply traffic back out the interface into which it arrived because it is not an interface, but a group.

    If you assign an interface to an OpenVPN server or client, the rules there apply ONLY to that server or client and you get magic things like reply-to. You can also use it to perform outbound NAT, policy route to it (because the assigned interface has a matching gateway), etc.

    If you want to take advantage of this, the rules on the OpenVPN tab must NOT match the traffic you are interested in because they are processed first and first match controls.

    I generally delete all rules on the OpenVPN tab when I start using assigned interfaces.

    If you want more information I suggest a gold membership and the included OpenVPN hangouts and pfSense book.
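    The evaluation order the reply describes is what made the asker's rule look "ignored": the OpenVPN tab (the interface group) is checked before the assigned VPN interface (ovpns1), and the first matching rule decides. The following is an added model of that first-match behaviour, written for this thread; it is not pfSense code and not from either poster. The networks are the ones from the question; the client and host addresses, and the allow-all rule on the OpenVPN tab, are constructed assumptions (the question does not show the rule set, but such a rule on the group tab would produce exactly the behaviour described).

```python
"""First-match rule evaluation as pfSense applies it to OpenVPN traffic.

Constructed model for illustration, not pfSense's own code: rules on the
"OpenVPN" group tab are evaluated before rules on the interface assigned
to a single OpenVPN instance (ovpns1, named "VPN"), and the first rule
that matches decides the packet.  Anything unmatched is dropped by the
implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

# Networks from the question.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")
VPN_NET = ip_network("192.168.3.0/24")

Net = Union[str, type(LAN_NET)]  # an ip_network or the literal "any"


@dataclass
class Rule:
    tab: str          # "OpenVPN" (interface group) or "VPN" (assigned ovpns1)
    action: str       # "pass" or "block"
    src: Net
    dst: Net
    description: str = ""

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = self.src == "any" or ip_address(src_ip) in self.src
        dst_ok = self.dst == "any" or ip_address(dst_ip) in self.dst
        return src_ok and dst_ok


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Return the first rule that matches, or None for the default deny."""
    # Group-tab rules come first, then the assigned-interface rules.  Every
    # pfSense rule is a "quick" rule, so the first match ends evaluation and
    # later rules are never consulted.
    ordered = ([r for r in rules if r.tab == "OpenVPN"]
               + [r for r in rules if r.tab == "VPN"])
    for rule in ordered:
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


def decision(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    rule = evaluate(rules, src_ip, dst_ip)
    return rule.action if rule else "block"   # implicit default deny


# Assumed rule set behind the asker's symptom: an allow-all left on the
# OpenVPN tab, plus the new rules on the assigned VPN interface.
RULES_WITH_GROUP_ALLOW = [
    Rule("OpenVPN", "pass", "any", "any", "allow all (assumed, on group tab)"),
    Rule("VPN", "block", VPN_NET, DMZ_NET, "block VPN net to DMZ net"),
    Rule("VPN", "pass", VPN_NET, "any", "allow the rest from VPN clients"),
]

# After deleting the OpenVPN tab rules, as the reply recommends.
RULES_ASSIGNED_ONLY = [r for r in RULES_WITH_GROUP_ALLOW if r.tab == "VPN"]


def demo() -> None:
    client, dmz_host, lan_host = "192.168.3.10", "192.168.2.20", "192.168.1.20"
    for name, rules in (("with group allow-all", RULES_WITH_GROUP_ALLOW),
                        ("assigned interface only", RULES_ASSIGNED_ONLY)):
        for dst in (dmz_host, lan_host):
            hit = evaluate(rules, client, dst)
            where = f"{hit.tab}: {hit.description}" if hit else "default deny"
            print(f"[{name}] {client} -> {dst}: {decision(rules, client, dst)} ({where})")


if __name__ == "__main__":
    demo()
```

    With the allow-all still on the OpenVPN tab, the VPN-to-DMZ packet is passed by the group rule and the block on the assigned interface is never reached; removing the group rules makes the block decide, while unrelated traffic still falls through to the default deny.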

