4. OpenVPN limitation

OpenVPN limitation

  • R

    Ladies and Gentlemen,

    At URL http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43 is stated:

    "Filtering of OpenVPN traffic is not yet possible. Support for this will be in the next release. "

    Does it means that, nowadays (version 1.2 stable and 2.0 as a "beta") VPN clients (site-to-site and/or client-to-site) cannot have traffic controlled by firewall ?

    I mean, will they have total and irrestrict access to all networks and services ?

    Is it possible to create IP ranges and make rules telling that, for instance, RANGE-A can ONLY access DMZ-SERVER01 at TCP 80 and 443 port ?

    Can it be configured to allow that VPN-RANGE-A access VPN RANGE-B LPD/LPR ports ?

    Regards from Rio de Janeiro, Brazil.

    0
  • C

    You'd have to create the rules by hand, which isn't supported and may not survive any changes you make through the GUI.

    0
  • A

    I've installed an OpenVPN Server (not pfSense, and standalone server), inside my LAN, to have the LAN rules applied to the VPN connections. I will have it until new OpenVPN pfSense implementation let me do the same.

    0
  • T

    This question wasn't really answered, and I'd like to hear an answer as well. What EXACTLY does "Filtering of OpenVPN traffic is not yet possible" mean?

    I would assume it means that you cannot filter within the OpenVPN connection, so you cannot restrict ports that the OpenVPN clients can access. But surely you can still filter what the OpenVPN clients can connect to on your LAN and other networks. These rules are required to get OpenVPN working at all, so there must be some level of control.

    Can anyone please elaborate on this? Thanks.

    0

  • You can control on what port the client connects to the server.
    You cannot control to what clients connect over an established VPN-connection.

    OpenVPN creates a virtual interface over which the VPN traffic flows.
    It is not possible to create firewall rules for this virtual interface.

    0
  • T

    Ahha, I got you. Thanks a lot!

    0
  • A

    @tacfit:

    This question wasn't really answered, and I'd like to hear an answer as well. What EXACTLY does "Filtering of OpenVPN traffic is not yet possible" mean?

    I would assume it means that you cannot filter within the OpenVPN connection, so you cannot restrict ports that the OpenVPN clients can access. But surely you can still filter what the OpenVPN clients can connect to on your LAN and other networks. These rules are required to get OpenVPN working at all, so there must be some level of control.

    Can anyone please elaborate on this? Thanks.

    configure squid and dansguardian on a separate box and route all the web traffic to that box. This way you will get your port and web content filtering.

    0

  • If you do that you could as well do what albertmm did and have a separate openVPN server ;)

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy