[SOLVED] OpenVPN : can't get internet to the clients (firewall rules issue)



  • Hello everyone!
    First of all, thanks to anyone reading this post. I'm pretty sure my problem is about a firewall rule, but I may be wrong.

    So, I have a OpenVPN server on my main pfSense. I whish that my connected clients get internet access, but not access to the whole local network for security reasons. So I configured NAT and OpenVPN firewall rules as the pictures included in this post. (I tried destination WAN NET and WAN ADDRESS with no luck).

    What I've discovered is that if I put * as destination for the firewall rule, I now get internet access, but also full access to the local network which is not wanted.

    Example of what I see from the firewall log:
    Apr 8 12:51:46 ovpns1 Default deny rule IPv4 (1000000103)   192.168.99.2:57908   54.190.179.118:443 TCP:RA

    OpenVPN subnet : 192.168.99.0/24
    Redirect gateway is enabled for the VPN Server.

    Thanks!





  • LAYER 8 Netgate

    Destination WAN net is not the internet. Destination any is the internet.

    If your WAN interface is 198.51.100.18/29, then WAN net = 198.51.100.16/29 - those are the only destinations that will be passed by that rule. I'm sure you can see how that is NOT the whole internet.



  • Oh. So then, if I make it destination "any", I have to make rules to block each individual VLANs right ?

    Thanks!


  • LAYER 8 Netgate

    Pass the specific local assets you want them to access
    Block the less-specific local assets you do not want them to access (This can often be an RFC1918 alias or similar - Do not neglect This firewall as well)
    Pass everything else (the internet)



  • Thank you very much for the solution!

    I made an alias for localdomain so it makes things easier and cleaner in the rules. Thanks again!


Log in to reply