    OpenVPN limitation

    8 Posts 6 Posters 3.9k Views
    rrbranco

      Ladies and Gentlemen,

      At URL http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43 is stated:

      "Filtering of OpenVPN traffic is not yet possible. Support for this will be in the next release. "

      Does it mean that, nowadays (version 1.2 stable and 2.0 as a "beta"), VPN clients (site-to-site and/or client-to-site) cannot have their traffic controlled by the firewall?

      I mean, will they have total and unrestricted access to all networks and services?

      Is it possible to create IP ranges and make rules telling that, for instance, RANGE-A can ONLY access DMZ-SERVER01 at TCP 80 and 443 port ?

      Can it be configured to allow VPN-RANGE-A to access VPN-RANGE-B LPD/LPR ports?

      Regards from Rio de Janeiro, Brazil.

      Cry Havok

        You'd have to create the rules by hand, which isn't supported and may not survive any changes you make through the GUI.

          albertmm

          I've installed an OpenVPN server (not pfSense, a standalone server) inside my LAN, to have the LAN rules applied to the VPN connections. I will keep it until the new pfSense OpenVPN implementation lets me do the same.

            tacfit

            This question wasn't really answered, and I'd like to hear an answer as well. What EXACTLY does "Filtering of OpenVPN traffic is not yet possible" mean?

            I would assume it means that you cannot filter within the OpenVPN connection, so you cannot restrict ports that the OpenVPN clients can access. But surely you can still filter what the OpenVPN clients can connect to on your LAN and other networks. These rules are required to get OpenVPN working at all, so there must be some level of control.

            Can anyone please elaborate on this? Thanks.

              GruensFroeschli

              You can control on what port the client connects to the server.
              You cannot control to what clients connect over an established VPN-connection.

              OpenVPN creates a virtual interface over which the VPN traffic flows.
              It is not possible to create firewall rules for this virtual interface.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                tacfit
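              The policy the original poster asked about (RANGE-A only to DMZ-SERVER01 on TCP 80/443, RANGE-A to RANGE-B on LPD), written as the kind of hand-made pf rules on the tun interface that Cry Havok mentions. This is an added illustration, not code from the thread, from pfSense, or from the pfSense GUI; it assumes the server's tunnel interface is tun0 and the addresses 10.8.1.0/24, 10.8.2.0/24 and 192.0.2.10 are constructed for the example (the client ranges would have to be assigned to the right clients, for example with OpenVPN's client-config-dir and ifconfig-push). As Cry Havok notes, rules added by hand to the ruleset pfSense generates are overwritten when it is regenerated, so treat this as the policy you would want the GUI to produce, not as a persistent configuration.

```pf
# Added example, not part of the original thread or of pfSense.
# Assumed names and addresses (constructed for illustration):
vpn_range_a  = "10.8.1.0/24"   # VPN-RANGE-A, assumed pushed via client-config-dir / ifconfig-push
vpn_range_b  = "10.8.2.0/24"   # VPN-RANGE-B
dmz_server01 = "192.0.2.10"    # DMZ-SERVER01
lpd_port     = "515"           # LPD/LPR (RFC 1179)

# Default deny for everything arriving from VPN clients on the tunnel interface.
# pf is last-match-wins unless a rule says "quick", so this only takes effect
# when none of the "quick" pass rules below match.
block in log on tun0 all

# RANGE-A may reach DMZ-SERVER01 on HTTP and HTTPS only (new connections,
# tracked statefully so replies are allowed without an explicit "out" rule).
pass in quick on tun0 inet proto tcp from $vpn_range_a to $dmz_server01 \
    port { 80, 443 } flags S/SA keep state

# RANGE-A may print to hosts in RANGE-B over LPD.
# Caveat: pf only sees client-to-client traffic when the OpenVPN server runs
# WITHOUT "client-to-client"; with that option OpenVPN forwards such traffic
# internally and it never reaches the tun interface or the firewall.
pass in quick on tun0 inet proto tcp from $vpn_range_a to $vpn_range_b \
    port $lpd_port flags S/SA keep state
```

              Only traffic entering from the clients is restricted here; connections initiated from the LAN towards VPN clients are governed by the rules on the LAN interface, not by anything above. Check the syntax before loading with `pfctl -nf <file>` and inspect what is active with `pfctl -vsr`.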

                Ahha, I got you. Thanks a lot!

                  acdc

                  @tacfit:

                  This question wasn't really answered, and I'd like to hear an answer as well. What EXACTLY does "Filtering of OpenVPN traffic is not yet possible" mean?

                  I would assume it means that you cannot filter within the OpenVPN connection, so you cannot restrict ports that the OpenVPN clients can access. But surely you can still filter what the OpenVPN clients can connect to on your LAN and other networks. These rules are required to get OpenVPN working at all, so there must be some level of control.

                  Can anyone please elaborate on this? Thanks.

                  Configure Squid and DansGuardian on a separate box and route all the web traffic to that box. This way you will get your port and web content filtering.

                    GruensFroeschli

                    If you do that, you could just as well do what albertmm did and have a separate OpenVPN server ;)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.