Netgate Discussion Forum
    Can I do this with OpenVPN?

    5 Posts 2 Posters 3.1k Views
    sai

      I need to implement something like this.

      Can I do this with OpenVPN? I do not want the clients to be able to access each other's machines. All clients should be able to access the service provider server.

      I also know that someone is going to want to add a server, sometime.

      Say B wants to add a new server and we want to give it IP 10.1.1.7.

      Is this possible with OpenVPN or do I have to go with IPsec?

      GruensFroeschli

        Do the clients behind the Firewalls A,B,C,D have to be in the same subnet?

        While you can prevent multiple clients from accessing each other by simply not adding routes you're not actually able to firewall the OpenVPN interfaces.

        But since these missing routes would be on the remote pfSense itself, and I don't suppose your users have access to it, it might be enough.

        Of course you can also create firewall rules on the remote-end pfSenses disallowing the other clients as destination.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        sai

          @GruensFroeschli:

          Do the clients behind the Firewalls A,B,C,D have to be in the same subnet?

          Yes, the clients behind A,B,C,D have to be in the same subnet. Is that a problem for OpenVPN?

          @GruensFroeschli:

          While you can prevent multiple clients from accessing each other by simply not adding routes you're not actually able to firewall the OpenVPN interfaces.

          But since these missing routes would be on the remote pfSense itself, and I don't suppose your users have access to it, it might be enough.

          Ok, thanks.

          @GruensFroeschli:

          Of course you can also create firewall rules on the remote-end pfSenses disallowing the other clients as destination.

          Would the rules be on the LAN interface?

          Something like
          allow source 10.1.1.1/8  dest 192.168.50.1
          block source 10.1.1.1/8 dest 10.1.1.1/8 ?

          GruensFroeschli

            @sai:

            @GruensFroeschli:

            Do the clients behind the Firewalls A,B,C,D have to be in the same subnet?

            Yes, the clients behind A,B,C,D have to be in the same subnet. Is that a problem for OpenVPN?

            Yes, this is a problem. But not only for OpenVPN.
            You cannot route if the same subnet is on both sides.

            There has been some progress on bridging OpenVPN
            -> http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Advanced_Hackery
            but it seems it's unstable under certain circumstances for unknown reasons.

            @sai:

            @GruensFroeschli:

            Of course you can also create firewall rules on the remote-end pfSenses disallowing the other clients as destination.

            Would the rules be on the LAN interface?

            Something like
            allow source 10.1.1.1/8  dest 192.168.50.1
            block source 10.1.1.1/8 dest 10.1.1.1/8 ?

            Yes, about like this.


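To see what the two rules discussed above actually permit, here is an added Python model of that policy (example code, not from the thread or from pfSense): it evaluates the rules first-match, the way pfSense applies interface rules, against a few constructed flows including B's proposed 10.1.1.7 server. The client address 10.1.1.5 and the outside host 203.0.113.9 are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def rule(action: str, src: str, dst: str) -> Rule:
    # strict=False lets "10.1.1.1/8" stand for 10.0.0.0/8, as pf reads it
    return Rule(action,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False))

# The two rules from the thread, in order (pfSense interface rules are first-match).
RULESET = [
    rule("pass", "10.1.1.1/8", "192.168.50.1/32"),
    rule("block", "10.1.1.1/8", "10.1.1.1/8"),
]

def evaluate(ruleset, src: str, dst: str, default: str = "block") -> str:
    """Return the action of the first rule matching src -> dst (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ruleset:
        if s in r.src and d in r.dst:
            return r.action
    return default

# Constructed sample flows: thread addresses plus one assumed client and outside host.
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.168.50.1"),  # client -> service provider server
    ("10.1.1.5", "10.1.1.7"),      # client -> B's new server (client-to-client)
    ("10.1.1.7", "10.1.1.5"),      # B's new server -> client
    ("10.1.1.5", "203.0.113.9"),   # client -> unrelated host (no rule; default deny)
]

def policy_holds(ruleset=RULESET) -> bool:
    """True when only the server is reachable and every other sample flow is blocked."""
    server = ipaddress.ip_address("192.168.50.1")
    for src, dst in SAMPLE_FLOWS:
        expected = "pass" if ipaddress.ip_address(dst) == server else "block"
        if evaluate(ruleset, src, dst) != expected:
            return False
    return True

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {evaluate(RULESET, src, dst)}")
    print("policy holds:", policy_holds())
```

Note that "10.1.1.1/8" covers all of 10.0.0.0/8, so the block rule catches every client-to-client flow, not only those within 10.1.1.0/24.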
            sai

              Thanks GruensFroeschli! I will see what I can do.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.