Add rules to OpenVPN client interface?



  • How does one implement rules on an openvpn client interface?

    I went to Interfaces -> Assign and selected/enabled the ovpnc interface of interest, and I now see a rules tab for it in the firewall config section.  I've restarted the vpn connection.  Even with no rules (which is a default block), traffic flows without restriction in both directions.

    How do I attach rules to this?



  • A picture of rules might help


  • Netgate

    Rules on the OpenVPN tab are processed first.

    If those rules match or block traffic the interface rules are never reached.

    If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.



  • @GoldFish:

    A picture of rules might help

    As I said above, there are no rules on this interface, so it should be a default deny/drop.

    Anyhow, pics of that and the interface assignments attached.

    ![screenshot-dt 2018-01-27 at 1.24.18 PM.png](/public/imported_attachments/1/screenshot-dt 2018-01-27 at 1.24.18 PM.png)
    ![screenshot-dt 2018-01-27 at 1.24.46 PM.png](/public/imported_attachments/1/screenshot-dt 2018-01-27 at 1.24.46 PM.png)



  • What are the rules in OPENVPN tab?



  • @Derelict:

    Rules on the OpenVPN tab are processed first.

    If those rules match or block traffic the interface rules are never reached.

    If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.

    This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?

    I mean, if I remove the rules on that tab, where do I put rules for the server instance?


  • Netgate

    I mean, if I remove the rules on that tab, where do I put rules for the server instance?

    On the assigned interface for the client or server.

    This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?

    That tab is an interface group of all OpenVPN instances on the node. Both clients and servers.

    I say again:

    Rules on the OpenVPN tab are processed first.

    If those rules match or block traffic the interface rules are never reached.

    If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.
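
    The ordering described in this reply (and in the earlier one above it) can be modelled in a few lines. The following is an added example, not pfSense code or anything posted in this thread: it assumes, as pfSense does, that rules carry pf's `quick` flag so the first match wins, that the OpenVPN tab is an interface group (named `openvpn` here) containing every ovpnc*/ovpns* instance, and that group rules are emitted ahead of the assigned-interface rules. The interface names, addresses and rules are constructed for illustration.

```python
# Toy model of how pfSense orders OpenVPN-tab (interface group) rules ahead of
# assigned-interface rules. Added example for this thread; not pfSense code.
# Assumptions: rules are 'quick' (first match wins), the "openvpn" group holds
# every OpenVPN instance, and group rules precede per-interface rules.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    iface: str            # interface name (ovpnc1) or group name (openvpn)
    action: str           # "pass" or "block"
    src: str = "any"      # exact-match address or "any" (simplified matcher)
    dst: str = "any"
    log: bool = False     # the "Log packets matched by this rule" checkbox
    quick: bool = True    # pfSense writes rules with 'quick' by default


@dataclass
class Packet:
    iface: str
    src: str
    dst: str


# Assumed group membership: the OpenVPN tab covers clients and servers alike.
GROUP = {"openvpn": {"ovpnc1", "ovpnc2", "ovpns1"}}


def ordered_ruleset(rules: List[Rule]) -> List[Rule]:
    """Group rules are emitted first, whatever order the GUI listed them in."""
    group_rules = [r for r in rules if r.iface in GROUP]
    iface_rules = [r for r in rules if r.iface not in GROUP]
    return group_rules + iface_rules


def matches(rule: Rule, pkt: Packet) -> bool:
    on_iface = pkt.iface in GROUP.get(rule.iface, {rule.iface})
    src_ok = rule.src == "any" or rule.src == pkt.src
    dst_ok = rule.dst == "any" or rule.dst == pkt.dst
    return on_iface and src_ok and dst_ok


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching quick rule wins; no match falls to the implicit default block."""
    action, hit = "block", None
    for r in ordered_ruleset(rules):
        if matches(r, pkt):
            action, hit = r.action, r
            if r.quick:
                break
    return action, hit


# Constructed sample packet arriving on an assigned OpenVPN client interface.
PKT = Packet(iface="ovpnc1", src="10.8.0.2", dst="192.168.1.10")


def with_group_pass_all():
    """'Pass all' with logging on the OpenVPN tab, nothing on ovpnc1."""
    rules = [Rule("openvpn", "pass", log=True)]
    action, hit = evaluate(rules, PKT)
    return action, hit.iface if hit else None, bool(hit and hit.log)


def with_group_cleared_no_iface_rules():
    """OpenVPN tab emptied, ovpnc1 still empty: default deny applies."""
    action, hit = evaluate([], PKT)
    return action, None if hit is None else hit.iface


def with_group_cleared_iface_rule():
    """OpenVPN tab emptied, a specific pass rule on ovpnc1 now controls."""
    rules = [Rule("ovpnc1", "pass", dst="192.168.1.10"), Rule("ovpnc1", "block")]
    action, hit = evaluate(rules, PKT)
    return action, hit.iface if hit else None


def iface_block_shadowed_by_group_pass():
    """A block on ovpnc1 never fires while a pass exists on the OpenVPN tab."""
    rules = [Rule("ovpnc1", "block"), Rule("openvpn", "pass")]
    return evaluate(rules, PKT)[0]


if __name__ == "__main__":
    print("group pass-all:", with_group_pass_all())
    print("group cleared, no iface rules:", with_group_cleared_no_iface_rules())
    print("group cleared, iface rule:", with_group_cleared_iface_rule())
    print("iface block under group pass:", iface_block_shadowed_by_group_pass())
```

    The model reproduces the point made in the reply: as long as a pass rule sits on the OpenVPN tab, a packet on ovpnc1 is decided (and, if logging is on, logged) by that group rule, and the assigned-interface rules, including a block placed there, are never consulted. Only once the tab is emptied do the ovpnc1 rules, or the default deny behind them, take effect.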



  • @Derelict:

    I mean, if I remove the rules on that tab, where do I put rules for the server instance?

    On the assigned interface for the client or server.

    This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?

    That tab is an interface group of all OpenVPN instances on the node. Both clients and servers.

    I say again:

    Rules on the OpenVPN tab are processed first.

    If those rules match or block traffic the interface rules are never reached.

    If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.

    I know you keep saying, but consider perhaps your understanding is incorrect.

    Right now there's a pass all rule on the OpenVPN server interface.  I have added a "log packets matching…" checkbox on this rule.  There is traffic passing over the OpenVPN client interfaces.  It is not being logged.  Explain why no traffic matches if that rule overrides the client rules (which are still empty, which should be a deny all).

    Also what sense would it make to have interface rules for each client instance if the rules have no effect?


  • Netgate

    Demanding much?

    Post both sets of rules. OpenVPN tab and the assigned interface.

    Describe specifically what is the client and what is the server and what specific traffic you think is misbehaving. Details, like specific addresses and ports.