Can I do this with OpenVPN?



  • I need to implement something like this.

    Can I do this with OpenVPN? I do not want the clients to be able to access each other's machines. All clients should be able to access the service provider server.

    I also know that someone is going to want to add a server sometime.

    Say B wants to add a new server and we want to give it IP 10.1.1.7.

    Is this possible with OpenVPN or do I have to go with IPsec?



  • Do the clients behind the Firewalls A,B,C,D have to be in the same subnet?

    While you can prevent multiple clients from accessing each other by simply not adding routes, you're not actually able to firewall the OpenVPN interfaces.

    But since these missing routes would be on the remote pfSense itself, and I don't suppose your users have access to it, it might be enough.

    Of course you can also create firewall rules on the remote-end pfSenses disallowing the other clients as destination.



  • @GruensFroeschli:

    Do the clients behind the Firewalls A,B,C,D have to be in the same subnet?

    Yes, the clients behind A, B, C, D have to be in the same subnet. Is that a problem for OpenVPN?

    @GruensFroeschli:

    While you can prevent multiple clients from accessing each other by simply not adding routes, you're not actually able to firewall the OpenVPN interfaces.

    But since these missing routes would be on the remote pfSense itself, and I don't suppose your users have access to it, it might be enough.

    Ok, thanks.

    @GruensFroeschli:

    Of course you can also create firewall rules on the remote-end pfSenses disallowing the other clients as destination.

    Would the rules be on the LAN interface?

    Something like:
    allow source 10.1.1.1/8  dest 192.168.50.1
    block source 10.1.1.1/8 dest 10.1.1.1/8 ?



  • @sai:

    @GruensFroeschli:

    Do the clients behind the Firewalls A,B,C,D have to be in the same subnet?

    Yes, the clients behind A, B, C, D have to be in the same subnet. Is that a problem for OpenVPN?

    Yes, this is a problem. But not only for OpenVPN.
    You cannot route if there is the same subnet on both sides.

    There has been some progress on bridging OpenVPN
    –> http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Advanced_Hackery
    but it seems it's unstable under certain circumstances for unknown reasons.

    @sai:

    @GruensFroeschli:

    Of course you can also create firewall rules on the remote-end pfSenses disallowing the other clients as destination.

    Would the rules be on the LAN interface?

    Something like:
    allow source 10.1.1.1/8  dest 192.168.50.1
    block source 10.1.1.1/8 dest 10.1.1.1/8 ?

    Yes, about like this.
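    The rule sketch confirmed above, as an added Python example that is not part of this thread: it evaluates the two rules top-down, first match wins (the order pfSense applies interface rules in), against constructed client-to-server and client-to-client flows. The client subnets, the service provider address and the default action are assumptions; the thread's "10.1.1.1/8" is kept as written, which the example shows normalises to the whole 10.0.0.0/8 network.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set modelled on the sketch in the thread: each entry is
# (action, source network, destination network). The /8 prefix is kept as
# the poster wrote it; the service provider address is an assumed example.
RULES = [
    ("pass",  "10.1.1.1/8", "192.168.50.1/32"),  # clients -> service provider
    ("block", "10.1.1.1/8", "10.1.1.1/8"),       # clients -> other clients
]


def normalise(cidr):
    """Return the network a host/prefix string covers (10.1.1.1/8 -> 10.0.0.0/8)."""
    return ip_network(cidr, strict=False)


def evaluate(rules, src, dst, default="block"):
    """Return the action of the first rule matching (src, dst); no match -> default.

    First-match semantics mirror pfSense interface rules; the default of
    "block" mirrors the implicit deny at the end of an interface ruleset.
    """
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in normalise(src_net) and d in normalise(dst_net):
            return action
    return default


if __name__ == "__main__":
    # Constructed sample flows: a client reaching the provider, and a client
    # trying to reach another client's machine (including B's new 10.1.1.7).
    for src, dst in [("10.1.1.5", "192.168.50.1"), ("10.1.1.5", "10.1.1.7")]:
        print(f"{src} -> {dst}: {evaluate(RULES, src, dst)}")
```

    Because the source prefix is /8, the block rule also covers every other 10.x.x.x address, so a /24 would be the tighter choice if only the client LAN is meant.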



  • Thanks, GruensFroeschli! I will see what I can do.

