OpenVPN limitation



  • Ladies and Gentlemen,

    At URL http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43 is stated:

    "Filtering of OpenVPN traffic is not yet possible. Support for this will be in the next release. "

    Does it mean that, nowadays (version 1.2 stable and 2.0 as a "beta"), VPN clients (site-to-site and/or client-to-site) cannot have their traffic controlled by the firewall?

    I mean, will they have total and unrestricted access to all networks and services?

    Is it possible to create IP ranges and make rules saying that, for instance, RANGE-A can ONLY access DMZ-SERVER01 on TCP ports 80 and 443?

    Can it be configured to allow VPN-RANGE-A to access the LPD/LPR ports of VPN-RANGE-B?

    Regards from Rio de Janeiro, Brazil.



  • You'd have to create the rules by hand, which isn't supported and may not survive any changes you make through the GUI.



  • I've installed an OpenVPN server (not pfSense, a standalone server) inside my LAN, to have the LAN rules applied to the VPN connections. I will keep it until the new OpenVPN pfSense implementation lets me do the same.



  • This question wasn't really answered, and I'd like to hear an answer as well. What EXACTLY does "Filtering of OpenVPN traffic is not yet possible" mean?

    I would assume it means that you cannot filter within the OpenVPN connection, so you cannot restrict ports that the OpenVPN clients can access. But surely you can still filter what the OpenVPN clients can connect to on your LAN and other networks. These rules are required to get OpenVPN working at all, so there must be some level of control.

    Can anyone please elaborate on this? Thanks.



  • You can control on what port the client connects to the server.
    You cannot control what clients connect to over an established VPN connection.

    OpenVPN creates a virtual interface over which the VPN traffic flows.
    It is not possible to create firewall rules for this virtual interface.
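    As an added illustration (not code from the thread or from pfSense), this is what the "rules created by hand" mentioned earlier look like in raw pf(4) syntax for the policy the original question asked about: RANGE-A restricted to DMZ-SERVER01 on TCP 80/443, plus LPD/LPR (TCP 515) from RANGE-A to RANGE-B. The interface name and all addresses are assumed placeholders.

```pf
# Added example: hand-written pf rules for the OpenVPN virtual interface.
# Not from the thread or from pfSense; interface name and subnets are assumed.
ovpn_if      = "tun0"            # assumed OpenVPN tun interface
vpn_range_a  = "10.8.1.0/24"     # assumed address pool for RANGE-A
vpn_range_b  = "10.8.2.0/24"     # assumed address pool for RANGE-B
dmz_server01 = "192.168.50.10"   # assumed address of DMZ-SERVER01

# Default deny for everything arriving from the tunnel.
block in log on $ovpn_if all

# RANGE-A may reach DMZ-SERVER01 on HTTP/HTTPS only.
pass in on $ovpn_if proto tcp from $vpn_range_a to $dmz_server01 \
    port { 80, 443 } flags S/SA keep state

# RANGE-A may reach the LPD/LPR service (TCP 515) on hosts in RANGE-B.
pass in on $ovpn_if proto tcp from $vpn_range_a to $vpn_range_b \
    port 515 flags S/SA keep state
```

    The rules would be loaded with `pfctl -f` and checked with `pfctl -sr`; `keep state` is written explicitly because the FreeBSD releases underlying pfSense 1.2 did not make it the default, and the resulting floating states let the reply traffic pass back over the tunnel. As the earlier reply notes, rules added outside the GUI are unsupported and may be overwritten when the GUI regenerates the ruleset.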



  • Ahha, I got you. Thanks a lot!



  • @tacfit:

    This question wasn't really answered, and I'd like to hear an answer as well. What EXACTLY does "Filtering of OpenVPN traffic is not yet possible" mean?

    I would assume it means that you cannot filter within the OpenVPN connection, so you cannot restrict ports that the OpenVPN clients can access. But surely you can still filter what the OpenVPN clients can connect to on your LAN and other networks. These rules are required to get OpenVPN working at all, so there must be some level of control.

    Can anyone please elaborate on this? Thanks.

    Configure squid and dansguardian on a separate box and route all the web traffic to that box. This way you will get your port and web content filtering.



  • If you do that, you might as well do what albertmm did and have a separate OpenVPN server ;)

