Isolating OpenVPN Network



  • Hi guys,

    I've got 3 OpenVPN servers. I would like to isolate one of the servers from my LAN and WebConfigurator. This server will be for foreign clients.

    Is there any easy way I can isolate only one OpenVPN server from my LAN and WebConfigurator? However, I would like all foreign clients to be able to access the internet through the VPN tunnel.

    I'm looking forward to hearing from you.

    Regards,
    Nick


  • Netgate

    Firewall rules on the OpenVPN Tab and/or the OpenVPN assigned interface tab.

    Block local assets, pass any (the internet).



  • Hi Derelict,

    Thanks for your quick reply! Other 2 VPN Servers are using the same interface. Wouldn't that be a problem?

    Regards,
    Nick


  • Netgate

    Either assign an interface to that OpenVPN instance or block sourced from that tunnel network, or both.



  • Thanks Derelict.

    Took me ages to decipher your advice, but that's because it's been a long time since I created/edited any firewall rules.

    I'm wondering, if I block all sourced traffic, I'll lose internet connectivity as well, because all packets to my WAN are sourced from my OpenVPN, am I right?

    What I did was introduce the following 4 rules:

    1. Protocol IPV4 TCP Source LAN net Port * Destination 192.168.10.0/24 [That's the VPN network I'm trying to isolate] Port * Gateway * - with this rule I block all packets from LAN to my isolated OpenVPN network.
    2. Protocol IPV4 TCP Source 192.168.10.0/24 Port * Destination LAN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to LAN
    3. Protocol IPV4 * Source 192.168.10.0/24 Port * Destination OPENVPN net Port * Gateway * - with this rule I block all packets from isolated OpenVPN to other VPN networks
    4. Protocol IPV4 * Source * Port * Destination * Port * Gateway * - allow all traffic

    Do those rules make sense? Can you please advise if I'm missing something.

    Regards,
    Nick


  • Netgate

    @Nikolay_Zhelev:

    Thanks Derelict.

    Took me ages to decipher your advice, but that's because it's been a long time since I created/edited any firewall rules.

    I'm wondering, if I block all sourced traffic, I'll lose internet connectivity as well, because all packets to my WAN are sourced from my OpenVPN, am I right?

    What I did was introduce the following 4 rules:

    1. Protocol IPV4 TCP Source LAN net Port * Destination 192.168.10.0/24 [That's the VPN network I'm trying to isolate] Port * Gateway * - with this rule I block all packets from LAN to my isolated OpenVPN network.

    All TCP packets, anyway, assuming it is on the LAN interface.

    2. Protocol IPV4 TCP Source 192.168.10.0/24 Port * Destination LAN net Port * Gateway * - with this rule I block all packets from the isolated OpenVPN to LAN
    3. Protocol IPV4 * Source 192.168.10.0/24 Port * Destination OPENVPN net Port * Gateway * - with this rule I block all packets from isolated OpenVPN to other VPN networks
    4. Protocol IPV4 * Source * Port * Destination * Port * Gateway * - allow all traffic

    Impossible to say since you didn't say what interfaces those rules are on.
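The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that walks Nick's four rules as they would be processed on the OpenVPN interface tab and reports which rule decides each constructed packet. The values for "LAN net" (192.168.1.0/24) and "OPENVPN net" (10.8.0.0/24 and 10.9.0.0/24 for the other two tunnels) are assumptions, since the thread does not state them. It also evaluates a second copy of the ruleset with the protocol field set to * on the two block rules, which is the point behind "All TCP packets, anyway": with rules 1 and 2 restricted to TCP, UDP and ICMP from the isolated tunnel toward LAN fall through to rule 4 and are passed.

```python
"""First-match evaluation of pfSense-style rules on the OpenVPN interface tab.
Added example, not from the thread or from pfSense. LAN net and OPENVPN net
values are assumptions; pfSense evaluates interface rules top-down and the
first matching rule decides (there is an implicit default deny at the end)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed values (not stated in the thread).
LAN_NET = ip_network("192.168.1.0/24")                        # "LAN net" alias
ISOLATED_VPN = ip_network("192.168.10.0/24")                  # tunnel network Nick wants isolated
OPENVPN_NET = (ip_network("10.8.0.0/24"), ip_network("10.9.0.0/24"))  # "OPENVPN net": the other two tunnels


@dataclass(frozen=True)
class Rule:
    action: str          # "block" or "pass"
    proto: str           # "tcp", "udp", "icmp" or "any" (the * in the GUI)
    src: tuple           # tuple of ip_network; empty tuple means "any" (*)
    dst: tuple
    note: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # informational only; Nick's rules use port *


def _in(addr: str, nets: tuple) -> bool:
    """True if addr is inside any network in nets, or nets is empty (any)."""
    return not nets or any(ip_address(addr) in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.proto in ("any", pkt.proto) and _in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)


def evaluate(rules, pkt: Packet) -> Tuple[str, int]:
    """Return (action, 1-based rule number) of the first matching rule.
    (0, "block") means nothing matched and the default deny applied."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, i
    return "block", 0


# Nick's four rules, as listed, on the OpenVPN interface tab. Rule 1 can never
# match there: packets sourced from LAN net enter the firewall on the LAN
# interface, not on OpenVPN, which is why Derelict says "assuming it is on the
# LAN interface".
NICKS_RULES = (
    Rule("block", "tcp", (LAN_NET,), (ISOLATED_VPN,), "1: LAN net -> isolated VPN (TCP only)"),
    Rule("block", "tcp", (ISOLATED_VPN,), (LAN_NET,), "2: isolated VPN -> LAN net (TCP only)"),
    Rule("block", "any", (ISOLATED_VPN,), OPENVPN_NET, "3: isolated VPN -> other VPN tunnels"),
    Rule("pass", "any", (), (), "4: allow everything else (internet)"),
)

# Same ruleset with protocol * on the block rules, so the LAN block also
# covers UDP and ICMP instead of only TCP.
ANY_PROTO_RULES = tuple(
    Rule(r.action, "any", r.src, r.dst, r.note.replace("(TCP only)", "(any proto)")) if r.proto == "tcp" else r
    for r in NICKS_RULES
)

# Constructed packets entering the firewall from the isolated tunnel.
SAMPLE_PACKETS = (
    Packet("tcp", "192.168.10.5", "192.168.1.10", 445),     # SMB toward a LAN host
    Packet("udp", "192.168.10.5", "192.168.1.10", 53),      # DNS toward a LAN host
    Packet("icmp", "192.168.10.5", "192.168.1.1"),          # ping toward LAN gateway
    Packet("tcp", "192.168.10.5", "10.8.0.3", 22),          # SSH toward another tunnel's client
    Packet("tcp", "192.168.10.5", "93.184.216.34", 443),    # HTTPS toward the internet
)


def report(rules, packets=SAMPLE_PACKETS):
    """Evaluate each packet and return a list of (packet, action, rule number)."""
    return [(pkt, *evaluate(rules, pkt)) for pkt in packets]


if __name__ == "__main__":
    for name, rules in (("Nick's rules", NICKS_RULES), ("protocol * on block rules", ANY_PROTO_RULES)):
        print(f"== {name} ==")
        for pkt, action, num in report(rules):
            print(f"{pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}  {action} by rule {num}")
```

Run as-is to see the two tables side by side: under Nick's rules the UDP and ICMP packets toward LAN are passed by rule 4, while under the protocol-* variant they are blocked by rule 2; internet-bound traffic passes under both, which is the "block local assets, pass any" outcome Derelict described.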



  • Sorry, I forgot to specify. I have 3 interfaces: WAN, LAN and OpenVPN. All the rules above apply to OpenVPN interface only.


  • Netgate