Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to forbid Internet access to VPN users

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 3 Posters 997 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K Offline
      Kei
      last edited by

      Hello,
      I've just finished configuring OpenVPN, using /30's for every client. I've also made some custom client overrides to push specific routes. However, I've noticed that when users are connected, they gain access to the Internet via the VPN, as if they were surfing from their office. Instead, I would just like to give them access to the network infrastructure, leaving them free to access the Internet with their home connection. Can I enforce this on pfSense side?

      Thank you!

      1 Reply Last reply Reply Quote 0
      • M Offline
        maverick_slo
        last edited by

        Sure, just uncheck redirect traffic through gateway in openvpn server settings…

        1 Reply Last reply Reply Quote 0
        • DerelictD Offline
          Derelict LAYER 8 Netgate
          last edited by

          Unchecking redirect gateway will prevent them from getting a default gateway from you but they can still route whatever traffic they want to you.

          If you want to be certain they can only access specific things, control that with firewall rules on the OpenVPN tab or firewall rules on the appropriate OpenVPN assigned interface.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • K Offline
            Kei
            last edited by

            I already thought I could edit the firewall rules, indeed I've done the following:  first, a rule to allow any -> 192.168.0.0/16.  second, a rule to block any -> any. Like this, I can only access private resources but not the company's internet. But there's a problem, which is that, if I don't check "use this connection only for resources in its network" on the openvpn client (I'm using Ubuntu for in this example", the connection to internet at my home is no longer working. I wonder if there's a way to enforce this, otherwise I must explain to every von user that they need to check this box in order not to receive a new gateway for their internet connection.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.