How to forbid Internet access to VPN users
I've just finished configuring OpenVPN, using /30's for every client. I've also made some custom client overrides to push specific routes. However, I've noticed that when users are connected, they gain access to the Internet via the VPN, as if they were surfing from their office. Instead, I would just like to give them access to the network infrastructure, leaving them free to access the Internet with their home connection. Can I enforce this on pfSense side?
Sure, just uncheck redirect traffic through gateway in openvpn server settings…
Unchecking redirect gateway will prevent them from getting a default gateway from you but they can still route whatever traffic they want to you.
If you want to be certain they can only access specific things, control that with firewall rules on the OpenVPN tab or firewall rules on the appropriate OpenVPN assigned interface.
I already thought I could edit the firewall rules, indeed I've done the following: first, a rule to allow any -> 192.168.0.0/16. second, a rule to block any -> any. Like this, I can only access private resources but not the company's internet. But there's a problem, which is that, if I don't check "use this connection only for resources in its network" on the openvpn client (I'm using Ubuntu for in this example", the connection to internet at my home is no longer working. I wonder if there's a way to enforce this, otherwise I must explain to every von user that they need to check this box in order not to receive a new gateway for their internet connection.