Netgate Discussion Forum

    Selective Remote Access

    OpenVPN
    42 Posts 2 Posters 5.9k Views
      NasKar

      Is it possible in OpenVPN to create a user or group that only has access to one local server and nothing else?

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

        viragomann

        You can use "Client Specific Overrides" to force specific IPs to one or more clients if your server does TLS/SSL auth, or set up an additional VPN server for that group.
        Then you can control access by firewall rules.

          NasKar

          @viragomann:

          You can use "Client Specific Overrides" to force specific IPs to one or more clients if your server does TLS/SSL auth, or set up an additional VPN server for that group.
          Then you can control access by firewall rules.

          So I could set up a VPN with the IP of the server in the Local Network instead of the LAN network? Would I specify that as 192.168.1.160/32?

            NasKar

            @viragomann:

            You can use "Client Specific Overrides" to force specific IPs to one or more clients if your server does TLS/SSL auth, or set up an additional VPN server for that group.
            Then you can control access by firewall rules.

            I found another thread of yours and I'm close to getting this working. https://forum.pfsense.org/index.php?topic=132098.0
            I have remote VPN working and can get into my LAN. I've set up a CSO to give my user a static IP of 172.16.2.250 and created an alias to place in a rule in the OpenVPN tab to block everything but my Plex server, but it still has access to the entire LAN. I previously tried pass only to the Plex server and it still allowed access to the entire LAN. Here are some screenshots; I hope you can help me figure out what I'm doing wrong. Thanks for all your posts on this topic.

            [attachments: VPNServer.jpg, Overrides.jpg, FirewallWAN.jpg, FirewallOpenVPN.jpg]

              viragomann

              Does the CSO work? Does the client get the intended IP?

              Show your OpenVPN firewall rules.

              Have you assigned interfaces to your OpenVPN servers?

                NasKar

                @viragomann:

                Does the CSO work? Does the client get the intended IP?

                Show your OpenVPN firewall rules.

                Have you assigned interfaces to your OpenVPN servers?

                I think the CSO is working; the status shows an IP of 172.16.2.250.
                I have not assigned an interface to the OpenVPN server.

                [attachments: OpenVPNStatus.jpg, openvpnfirewall.jpg]

                  viragomann

                  Your block rule blocks only access to port 32400 on any host except the Plex Server.

                  For your needs, you should split this into two rules: one which allows access from the client to Plex Server port 32400, and a second one underneath to block anything from this client.

                    NasKar

                    @viragomann:

                    Your block rule blocks only access to port 32400 on any host except the Plex Server.

                    For your needs, you should split this into two rules: one which allows access from the client to Plex Server port 32400, and a second one underneath to block anything from this client.

                    Finally it's working.  Thanks so much for your help. Any idea on how to give these VPN users access to the internet (WAN port)?

                      NasKar

                      Hard to believe, but I can't connect to the VPN anymore. Didn't change anything. Left the house for a few and came back and it doesn't connect anymore. The OpenVPN logs show "TLS Error: TLS handshake failed". Any idea how that happened and how to fix it?

                        viragomann

                        @NasKar:

                        The OpenVPN logs show "TLS Error: TLS handshake failed". Any idea how that happened and how to fix it?

                        This error is mostly shown when the VPN server is unreachable.
                        Do you have a dynamic WAN address? Maybe it was changed.

                        @NasKar:

                        Finally it's working.  Thanks so much for your help. Any idea on how to give these VPN users access to the internet (WAN port)?

                        You must set an outbound NAT rule for the OpenVPN tunnel network: Firewall > NAT > Outbound
                        If it's in automatic mode, change it to hybrid, save and add a new rule:
                        Interface: WAN
                        Source: <OpenVPN tunnel network>
                        All other options should stay at their defaults.

                          NasKar

                          @viragomann:

                          This error is mostly shown when the VPN server is unreachable.
                          Do you have a dynamic WAN address? Maybe it was changed.

                          I have DDNS set up already and it's green, showing my current WAN IP. I reloaded the config that I saved just after it worked, and it is working. No idea what I could have done to get it to stop connecting.

                          @viragomann:

                          You must set an outbound NAT rule for the OpenVPN tunnel network: Firewall > NAT > Outbound
                          If it's in automatic mode, change it to hybrid, save and add a new rule:
                          Interface: WAN
                          Source: <OpenVPN tunnel network>
                          All other options should stay at their defaults.

                          My OpenVPN tunnel is 172.16.2.0/24. I already had that in the outbound rules but gave it another try, keeping it at the top. A website started to load and then just hung. On subsequent tries nothing happens.

                          [attachment: Outbound.jpg]

                            viragomann

                            You have to change the destination to any in the marked rule shown in the attachment below, if you haven't already done so.

                            Also, maybe the backflow traffic is misrouted, since you're missing an interface for this VPN instance.
                            I would try to assign an interface to the VPN server. After that, move the appropriate firewall rules to the newly added interface.

                            [attachment: openvpnfirewall.png]

                              NasKar

                              @viragomann:

                              You have to change the destination to any in the marked rule shown in the attachment below, if you haven't already done so.

                              Already done

                              @viragomann:

                              Also, maybe the backflow traffic is misrouted, since you're missing an interface for this VPN instance.
                              I would try to assign an interface to the VPN server. After that, move the appropriate firewall rules to the newly added interface.

                              So move all 3 rules from the OpenVPN interface to Plex2? Can I delete the 3 rules from the OpenVPN interface?

                              [attachments: updated OpenVPN Rule.jpg, Rules Plex2.jpg]

                                viragomann

                                @NasKar:

                                Can I delete the 3 rules from the OpenVPN interface?

                                If you have assigned an interface to each VPN instance, you will not need these rules any more.

                                  NasKar

                                  Still can't get the internet when connected to the VPN. Also noticed some strange behavior. When I connect the VPN that has everything blocked but Plex, I was initially able to connect to other servers on the network. If I tried again they were blocked. I disconnected and connected again to capture the OpenVPN log. Clicking on Apple.com worked, but then trying to click on something else on their site didn't work anymore.
                                  Here is the OpenVPN log. Not sure why I got a disconnect in the log as I was still connected.

                                  Jun 25 08:34:25	openvpn	69407	MANAGEMENT: Client disconnected
                                  Jun 25 08:34:25	openvpn	69407	MANAGEMENT: CMD 'quit'
                                  Jun 25 08:34:25	openvpn	69407	MANAGEMENT: CMD 'status 2'
                                  Jun 25 08:34:25	openvpn	69407	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
                                  Jun 25 08:34:04	openvpn	69407	Plex2XXXXX/174.205.5.233:5225 SENT CONTROL [Plex2XXXXX]: 'PUSH_REPLY,route 192.168.1.1 255.255.255.0,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,route-gateway 172.16.2.1,topology subnet,ping 10,ping-restart 60,redirect-gateway def1,ifconfig 172.16.2.250 255.255.255.255' (status=1)
                                  Jun 25 08:34:04	openvpn	69407	Plex2XXXXX/174.205.5.233:5225 send_push_reply(): safe_cap=940
                                  Jun 25 08:34:04	openvpn	69407	Plex2XXXXX/174.205.5.233:5225 PUSH: Received control message: 'PUSH_REQUEST'
                                  Jun 25 08:34:04	openvpn	69407	Plex2XXXXX/174.205.5.233:5225 MULTI: primary virtual IP for Plex2XXXXX/174.205.5.233:5225: 172.16.2.250
                                  Jun 25 08:34:04	openvpn	69407	Plex2XXXXX/174.205.5.233:5225 MULTI: Learn: 172.16.2.250 -> Plex2XXXXX/174.205.5.233:5225
                                  Jun 25 08:34:04	openvpn	69407	Plex2XXXXX/174.205.5.233:5225 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server4/Plex2XXXXX
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 [Plex2XXXXX] Peer Connection Initiated with [AF_INET]174.205.5.233:5225
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 VERIFY OK: depth=0, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=Plex2xxx
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 VERIFY SCRIPT OK: depth=0, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=Plex2xxx
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 VERIFY OK: depth=1, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=plex2-ca
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 VERIFY SCRIPT OK: depth=1, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=plex2-ca
                                  Jun 25 08:34:04	openvpn	69407	174.205.5.233:5225 TLS: Initial packet from [AF_INET]174.205.5.233:5225, sid=39a3b26a 88f230c3
                                  

                                  Here are the current rules and outbound just to be clear.

                                  [attachments: Interface Plex2.jpg, Rules Plex2.jpg, outbound.jpg]

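A check of the options pushed in the PUSH_REPLY line of the log above, as an added example that is not part of the poster's log or of pfSense: the payload is copied from that log line, and the three checks (an option pushed twice, a route given as a host rather than a network address, and redirect-gateway combined with a pushed local route) are my own.

```python
"""Sanity-check the options an OpenVPN server pushes, from a PUSH_REPLY log line.

Added example, not from the thread or from pfSense. The payload below is copied
from the server log posted above; the checks are mine.
"""
from collections import Counter
import ipaddress

# Payload of the PUSH_REPLY line in the posted log.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.1.1 255.255.255.0,dhcp-option DNS 208.67.222.222,"
              "dhcp-option DNS 208.67.220.220,redirect-gateway def1,route-gateway 172.16.2.1,"
              "topology subnet,ping 10,ping-restart 60,redirect-gateway def1,"
              "ifconfig 172.16.2.250 255.255.255.255")

def parse_push_reply(payload):
    """Split a PUSH_REPLY payload into option token lists, e.g. ['route', '192.168.1.1', ...]."""
    parts = payload.split(",")
    if parts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY payload")
    return [p.split() for p in parts[1:] if p.strip()]

def check_push_reply(payload):
    """Return human-readable findings; an empty list means nothing looked odd."""
    opts = parse_push_reply(payload)
    findings = []
    # 1. The same option pushed twice: harmless to the client, but it means the
    #    server config sets it in two places (here "redirect-gateway def1").
    for opt, n in Counter(" ".join(o) for o in opts).items():
        if n > 1:
            findings.append(f"option pushed {n} times: {opt!r}")
    # 2. A route whose address has host bits set: a route is normally given as
    #    its network address, so 192.168.1.1/24 would usually read 192.168.1.0.
    for o in opts:
        if o[0] == "route" and len(o) >= 3:
            net = ipaddress.ip_network(f"{o[1]}/{o[2]}", strict=False)
            if str(net.network_address) != o[1]:
                findings.append(f"route {o[1]} {o[2]}: network address is {net.network_address}")
    # 3. redirect-gateway already sends all non-local traffic into the tunnel, so a
    #    pushed local-network route adds nothing; this is the "IPv4 Local network"
    #    plus "Redirect gateway" combination the thread goes on to discuss.
    if any(o[0] == "redirect-gateway" for o in opts) and any(o[0] == "route" for o in opts):
        findings.append("redirect-gateway pushed together with explicit route(s)")
    return findings

if __name__ == "__main__":
    for f in check_push_reply(PUSH_REPLY):
        print("-", f)
```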
                                    NasKar

                                    Any other ideas on how to get internet access when connected on the VPN?  Do you need any further information?

                                      viragomann

                                      You've set up an "IPv4 Local network" and then you've checked "Redirect gateway". Maybe this interferes.

                                      To remove the local network uncheck "Redirect gateway" to get the option displayed, then remove the entry and re-check redirect gateway again.

                                        NasKar

                                        @viragomann:

                                        You've set up an "IPv4 Local network" and then you've checked "Redirect gateway". Maybe this interferes.

                                        To remove the local network uncheck "Redirect gateway" to get the option displayed, then remove the entry and re-check redirect gateway again.

                                        Still can't access the internet when the VPN is turned on after following your instructions above.  Is there anything else I could show you to help diagnose the problem?

                                          viragomann

                                          Plex2 cannot access the internet since you've blocked it in the rules.

                                          To get internet access change your block rule so that only your internal networks are blocked.
                                          Best practice is to add an alias for all RFC 1918 networks (assuming you use solely private networks) and use this in the rule.
                                          Firewall > Aliases > IP
                                          Name: RFC1918
                                          Type: networks
                                          Add:
                                          192.168.0.0/16
                                          172.16.0.0/12
                                          10.0.0.0/8

                                          Then edit your block rule on PLEX2 and enter the RFC1918 alias as the destination. Also you should change the protocol to any. So only access to private IPs will be blocked.

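The rule sets discussed in this thread evaluated with pf's first-match semantics, as an added example that is not from the forum posts or from pfSense: it covers both the single inverted-match block rule from the earlier exchange (why it still let the client reach the whole LAN) and the pass-Plex / block-RFC1918 / pass-any set given here. The client address 172.16.2.250, the Plex server 192.168.1.160 and port 32400 come from the thread; 192.168.1.20 and 203.0.113.10 are constructed sample hosts, and the pass-any rule assumed beneath the poster's first block rule is an assumption.

```python
"""First-match evaluation of the pfSense-style rules from this thread.

Added example, not taken from the forum posts or from pfSense. Client IP
(172.16.2.250), Plex server (192.168.1.160) and port 32400 come from the
thread; 192.168.1.20 and 203.0.113.10 are constructed sample hosts.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

ANY = nets("0.0.0.0/0")
PLEX = nets("192.168.1.160/32")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # alias from the post
CLIENT = "172.16.2.250"                                           # IP the CSO assigns

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int] = None      # None = any port
    invert_dst: bool = False         # pfSense "Destination -> Invert match"
    src: str = CLIENT                # every rule here is "from this client"

    def matches(self, src, dst, dport):
        in_dst = any(ipaddress.ip_address(dst) in n for n in self.dst)
        if self.invert_dst:
            in_dst = not in_dst
        return src == self.src and in_dst and self.dport in (None, dport)

def evaluate(rules, dst, dport, src=CLIENT):
    """pf as pfSense generates it: first matching rule wins; no match = default deny."""
    for r in rules:
        if r.matches(src, dst, dport):
            return r.action
    return "block"

# First attempt described in the thread: one block rule, destination "not Plex",
# port 32400. It only blocks port 32400 to non-Plex hosts; with a pass-any rule
# beneath it (assumed here; the OpenVPN wizard usually creates one) the rest of
# the LAN stays reachable, which is what the poster observed.
FIRST_ATTEMPT = [
    Rule("block", PLEX, dport=32400, invert_dst=True),
    Rule("pass", ANY),
]

# Corrected set from the thread: allow Plex, block everything private, then
# allow the rest so a redirect-gateway client still reaches the internet.
CORRECTED = [
    Rule("pass", PLEX, dport=32400),
    Rule("block", RFC1918),
    Rule("pass", ANY),
]
# Caveat: the tunnel gateway 172.16.2.1 is itself RFC 1918, so a client that
# used the firewall for DNS would be blocked too; the PUSH_REPLY in the thread
# hands out public resolvers (208.67.222.222), so that does not bite here.

if __name__ == "__main__":
    for name, rules in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        for dst, port in (("192.168.1.160", 32400), ("192.168.1.20", 22),
                          ("192.168.1.20", 32400), ("203.0.113.10", 443)):
            print(f"{name:14} {dst}:{port:<5} -> {evaluate(rules, dst, port)}")
```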
                                            NasKar

                                            @viragomann:

                                            Plex2 cannot access the internet since you've blocked it in the rules.

                                            I disabled the block rule in my Plex2 interface and reset the states. I still can't get to the internet with the VPN on. If the block rule was the issue, shouldn't it work with the rule disabled?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.