Selective Remote Access
-
Is it possible in OpenVPN to create a user or group that only has access to one local server and nothing else?
-
You can use "Client Specific Overrides" to force specific IPs to one or more clients if your server do TLS/SSL-auth or set up an additional vpn server for that group.
Then you can control access by firewall rules. -
You can use "Client Specific Overrides" to force specific IPs to one or more clients if your server do TLS/SSL-auth or set up an additional vpn server for that group.
Then you can control access by firewall rules.so I could setup a VPN with the IP of the server in the Local Network instead of the LAN network? Would I specify that as 192.168.1.160/32 ?
-
You can use "Client Specific Overrides" to force specific IPs to one or more clients if your server do TLS/SSL-auth or set up an additional vpn server for that group.
Then you can control access by firewall rules.I found another thread of yours and I'm close to getting this working. https://forum.pfsense.org/index.php?topic=132098.0
I have remote VPN working and can get into my LAN. I've setup a CSO to give my user a static IP of 172.16.2.250 and created an alias to place in a rule in the openVPN tab to block everything but my plex server but it still has access to the entire LAN. I previous tried pass only to the plex server and it still allowed access to the entire LAN. Here are some screen shots, I hope you can help me figure out what I'm doing wrong. Thanks all your posts on this topic.
-
Does the CSO work? Does the client get the intended IP?
Show your OpenVPN firewall rules.
Have you assigned interfaces to your OpenVPN servers?
-
Does the CSO work? Does the client get the intended IP?
Show your OpenVPN firewall rules.
Have you assigned interfaces to your OpenVPN servers?
I think the CSO is working the status shows an IP of 172.16.2.250.
I have not assigned an interface to the openvpn server
-
Your block rule blocks only access to port 32400 to any hosts except Plex Server.
For your needs, you should split this in two rules. One which allow access from the client to Plex Server 32400 and a second next underneath to block any from this client.
-
Your block rule blocks only access to port 32400 to any hosts except Plex Server.
For your needs, you should split this in two rules. One which allow access from the client to Plex Server 32400 and a second next underneath to block any from this client.
Finally it's working. Thanks so much for your help. Any idea on how to give these VPN users access to the internet (WAN port)?
-
Had to believe but I can't connect to the VPN anymore. Didn't change anything. Left the house for a few and came back and it doesn't connect anymore. The openVPN logs show TLS Error: TLS handshake failed. Any idea how that happened and how to fix it?
-
The openVPN logs show TLS Error: TLS handshake failed. Any idea how that happened and how to fix it?
This error is mostly shown when the vpn server is unreachable.
Do you have a dynamic WAN address? So maybe it was changed.Finally it's working. Thanks so much for your help. Any idea on how to give these VPN users access to the internet (WAN port)?
You must set an outbound NAT rule for the OpenVPN tunnel network Firwall > NAT > Outbound
If it's in automatic mode change it to hybrid, save and add a new rule:
Interface: WAN
Source: <openvpn tunnel="" network="">All other options should stay at their defaults.</openvpn> -
This error is mostly shown when the vpn server is unreachable.
Do you have a dynamic WAN address? So maybe it was changed.I have DDNS setup already and it's green showing my current WAN IP. I reloaded the config that I saved just after It worked and it is working. No idea what I could have done to get it to stop connecting.
You must set an outbound NAT rule for the OpenVPN tunnel network Firwall > NAT > Outbound
If it's in automatic mode change it to hybrid, save and add a new rule:
Interface: WAN
Source: <openvpn tunnel="" network="">All other options should stay at their defaults.</openvpn>My openVPN tunnel is 172.16.2.0/24 I already had that in the outbound rules but gave it another try keeping it at the top. Web site started to load and then just would hang. Subsequent tries nothing happens.
-
You have to change the destination to any in the marked rule shown in the attachment below, if you haven't already done.
Also maybe the backflow traffic is miss-routed, since you're missing an interface for this vpn instance.
I would try to assign an interface to the vpn server. After that move the appropriate firewall rules to the newly added interface.
-
You have to change the destination to any in the marked rule shown in the attachment below, if you haven't already done.
Already done
Also maybe the backflow traffic is miss-routed, since you're missing an interface for this vpn instance.
I would try to assign an interface to the vpn server. After that move the appropriate firewall rules to the newly added interface.So move all 3 rules from openvpn interface to Plex2? Can I delete the 3 rules from the OpenVPN interface?
 -
Can I delete the 3 rules from the OpenVPN interface?
If you have assigned an interface to each vpn instance you will not need these rules any more.
-
Still can't get the internet when connected to the VPN. Also noticed some strange behavior. When I connect the VPN that has everything blocked but Plex I was initially able to connect to other servers on the network. If I tried again they were blocked. I dissconnected and connected again to capture the openVPN log. Clicking on Apple.com worked but then trying to click on something else on there site didn't work anymore.
Here is the openvpn log. Not sure why I got a disconnect in the log as I was still connected.Jun 25 08:34:25 openvpn 69407 MANAGEMENT: Client disconnected Jun 25 08:34:25 openvpn 69407 MANAGEMENT: CMD 'quit' Jun 25 08:34:25 openvpn 69407 MANAGEMENT: CMD 'status 2' Jun 25 08:34:25 openvpn 69407 MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock Jun 25 08:34:04 openvpn 69407 Plex2XXXXX/174.205.5.233:5225 SENT CONTROL [Plex2XXXXX]: 'PUSH_REPLY,route 192.168.1.1 255.255.255.0,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,route-gateway 172.16.2.1,topology subnet,ping 10,ping-restart 60,redirect-gateway def1,ifconfig 172.16.2.250 255.255.255.255' (status=1) Jun 25 08:34:04 openvpn 69407 Plex2XXXXX/174.205.5.233:5225 send_push_reply(): safe_cap=940 Jun 25 08:34:04 openvpn 69407 Plex2XXXXX/174.205.5.233:5225 PUSH: Received control message: 'PUSH_REQUEST' Jun 25 08:34:04 openvpn 69407 Plex2XXXXX/174.205.5.233:5225 MULTI: primary virtual IP for Plex2XXXXX/174.205.5.233:5225: 172.16.2.250 Jun 25 08:34:04 openvpn 69407 Plex2XXXXX/174.205.5.233:5225 MULTI: Learn: 172.16.2.250 -> Plex2XXXXX/174.205.5.233:5225 Jun 25 08:34:04 openvpn 69407 Plex2XXXXX/174.205.5.233:5225 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server4/Plex2XXXXX Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 [Plex2XXXXX] Peer Connection Initiated with [AF_INET]174.205.5.233:5225 Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 VERIFY OK: depth=0, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=Plex2xxx Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 VERIFY SCRIPT OK: depth=0, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=Plex2xxx Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 VERIFY OK: depth=1, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=plex2-ca Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 VERIFY SCRIPT OK: depth=1, C=XX, ST=XXXXXX, L=XXXXXX, O=XXXXXX, emailAddress=xxxxx@gmail.com, CN=plex2-ca Jun 25 08:34:04 openvpn 69407 174.205.5.233:5225 TLS: Initial packet from [AF_INET]174.205.5.233:5225, sid=39a3b26a 88f230c3Here are the current rules and outbound just to be clear.
-
Any other ideas on how to get internet access when connected on the VPN? Do you need any further information?
-
You've set up an "IPv4 Local network" and then you've checked "Redirect gateway". Maybe this interferes.
To remove the local network uncheck "Redirect gateway" to get the option displayed, then remove the entry and re-check redirect gateway again.
-
You've set up an "IPv4 Local network" and then you've checked "Redirect gateway". Maybe this interferes.
To remove the local network uncheck "Redirect gateway" to get the option displayed, then remove the entry and re-check redirect gateway again.
Still can't access the internet when the VPN is turned on after following your instructions above. Is there anything else I could show you to help diagnose the problem?
-
Plex2 cannot access the internet since you've blocked it in the rules.
To get internet access change your block rule so that only your internal networks are blocked.
Best practice is to add an alias for all RFC 1918 networks (assume you use solely private networks) and use this in the rule.
Firewall > Aliases > IP
Name: RFC1918
Type: networks
Add:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8Then edit your block rule on PLEX2 and enter the RFC1918 alias at destination. Also you should change the protocol to any. So only any access to private IPs will be blocked.
-
Plex2 cannot access the internet since you've blocked it in the rules.
I disable the block rule in my plex2 interface and reset the states. I still can't get to the internet with the VPN on. If the block rule was the issue shouldn't it work with the rule disabled?