Two servers, want one to have no LAN access



  • objective:

    One OpenVPN server should be able to pass client through to internet only with no LAN access, the other allows access to LAN and pass through to internet

    Problem:

    Two OpenVPN tun servers: Both allow access to the local LAN and pass through to the internet

    Description

    I have 2 tun OpenVPN servers. I have tried lots of server variations to set it up so 1 is simply for secure remote internet browsing with no LAN access and the other allows LAN access. I can't figure out what needs to be done to prevent server 1 access to the LAN. I'm tired of testing things as I need to get out onto a remote network for each test.

    What simple thing am I missing.

    Thanks in advance.

    Not to be rude, but, please, only if you know the answer. I have already tried the local network box on the server config. It allows LAN access if filled in or not, and even if it's filled in with a fictitious network. I'm sure it's a firewall entry or something simple like that.



  • Some details about your setup would help to narrow down the problem.

    So in theory, lets say servers A clients should have access to LAN and internet, clients on server B should only have internet access.

    A (LAN + internet) tunnel network: 10.0.10.0/24
    B (internet) tunnel network: 10.0.20.0/24
    LAN: 192.168.1.0/24

    On both server check the "Redirect gateway" option, so there's no need to set a "local network". This pushes the default route to the clients which is needed for internet access.

    Then simply set a firewall block rule for B on the OpenVPN interface above the default allow rule. So the OpenVPN rule set should look like this:

    block IPv4+6* 	10.0.20.0/24 	* 	192.168.1.0/24 	* 	* 	none 	  block B from LAN
    pass IPv4+6* 	* 	* 	* 	* 	* 	none 	  allow internet
    

    If you have multiple internal networks or intend to change something in the future it will be a good advice to add an alias containing all RFC 1918 networks in Firewall > Aliases and use this one in the destination field in the block rule. So clients are blocked from any private address.



  • @viragomann:

    Some details about your setup would help to narrow down the problem.

    So in theory, lets say servers A clients should have access to LAN and internet, clients on server B should only have internet access.

    A (LAN + internet) tunnel network: 10.0.10.0/24
    B (internet) tunnel network: 10.0.20.0/24
    LAN: 192.168.1.0/24

    On both server check the "Redirect gateway" option, so there's no need to set a "local network". This pushes the default route to the clients which is needed for internet access.

    Then simply set a firewall block rule for B on the OpenVPN interface above the default allow rule. So the OpenVPN rule set should look like this:

    block IPv4+6* 	10.0.20.0/24 	* 	192.168.1.0/24 	* 	* 	none 	  block B from LAN
    pass IPv4+6* 	* 	* 	* 	* 	* 	none 	  allow internet
    

    If you have multiple internal networks or intend to change something in the future it will be a good advice to add an alias containing all RFC 1918 networks in Firewall > Aliases and use this one in the destination field in the block rule. So clients are blocked from any private address.

    Thanks. That seems like a great idea.

    I'll try the firewall modification. Using the 10.x.x.x network in a firewall rule didn't occur to me. The OpenVPN interface was also a mystery to me. I couldn't figure out exactly what it was for since the WAN  interface contains the OpenVPN ports. Some pfSense documentation is beyond great. Some other parts leave out about 1/2 of what you need to know and implies an attitude if you don't get it.

    I've checked and unchecked all manner of boxes on the server config. None of it alone worked to solve my problem. Thus, my need to get a new idea such as yours and not read helpful suggestions of things people thought they might have heard somewhere.

    RE: info about my setup

    Two simple, ordinary OpenVPN tun servers, both created with the wizard. The only possible odd thing is the enhanced security - each server has a different certificate set and the user must match the certificate on the device for that server. Other than that, they're plain vanilla.

    EDIT: next day after testing

    Thank you. Easy peasy. It worked perfectly. It connected easily. My IP address was my home IP address. I could browse the internet. I could not connect to my file server. I'll test more later but I don't expect any issues.



  • The networks I mentioned were only an example to explain the needed settings, since you didn't offer your settings.  So that you can differ the clients in firewalll rules.
    @viragomann:

    The OpenVPN interface was also a mystery to me

    Which OpenVPN interface? The OpenVPN tab in the firewall rules? Or have you added additional interfaces? Assigning interfaces to the OpenVPN instances should not be necessary for your purposes.

    Since your clients on both servers have already access to all, you only need a firewall rule on the OpenVPN tab to block that group that should not get access to LAN.



  • @viragomann:

    The networks I mentioned were only an example to explain the needed settings, since you didn't offer your settings.  So that you can differ the clients in firewalll rules.
    @viragomann:

    The OpenVPN interface was also a mystery to me

    Which OpenVPN interface? The OpenVPN tab in the firewall rules? Or have you added additional interfaces? Assigning interfaces to the OpenVPN instances should not be necessary for your purposes.

    Since your clients on both servers have already access to all, you only need a firewall rule on the OpenVPN tab to block that group that should not get access to LAN.

    which interface: My mistake. The firewall/rules/openvpn tab was what I was referencing.  Still, until your post, the purpose was unclear and is still a little unclear since the WAN tab allows opens the OpenVPN ports in use.

    I understand the overall meaning of your post and will apply my configuration to it when I have time to test it.

    Since I assume my problem is a common one it would be nice if it were posted somewhere official and easy to find. pfSense is one of the few routers that support multiple OpenVPN instances. And, off point, pfBlockerNG makes it unique in that no other router allows black list management like it.


  • LAYER 8 Netgate

    The OpenVPN tab is for connections coming into the firewall via OpenVPN from sites across the tunnel(s).

    The rule on the WAN tab is for establishment of the OpenVPN tunnel itself.



  • @Derelict:

    The OpenVPN tab is for connections coming into the firewall via OpenVPN from sites across the tunnel(s).

    The rule on the WAN tab is for establishment of the OpenVPN tunnel itself.

    Thanks. I was beginning to suspect something like this, but an explicit definition is great.

    FYI: I want to have one server, the pass through one, for use by people who only need remote  private internet access without the odd questions that sometimes appear when an IP address comes from a commercial VPN, such as with Amazon when making a purchase. No local LAN access needed. I can use an auto connect file for that without worries. The separate user certificate for each server allows me to lock it off if a device is lost or stolen.

    The other server is for full access, such as windows remote desktop via LAN only or a remote file server via LAN only.

    I'm at the level that the OpenVPN wizard is needed and appreciated, short of detailed accurate instructions. Using OpenVPN is a useful tool, not my life's work.

    This must, or should be, a common problem. I was surprised to find out it was not clearly defined as such. I originally thought using the local lan box on the server config handled this, but it didn't. Even creating a fictitious LAN for that box permitted local LAN access.

    Some kind of formalized instruction would be useful by lots of people, especially if it were geared towards the intermediate user - someone who can look things up providing they know/are told what to look up and providing an answer is actually available somewhere. Better than that would be fantastic.


  • LAYER 8 Netgate

    I would:

    Assign interfaces to both OpenVPN servers

    Place rules that reject the traffic you want rejected (to LAN, to this firewall, etc) on the tab for the server you want to limit
    Place a rule that passes any after that (any = the internet)

    Do the same for the rules for the other VPN server but pass/reject the traffic you want passedrejected from those clients.

    Remove all rules from the OpenVPN tab


  • LAYER 8 Global Moderator

    "some pfSense documentation is great and some is lacking a bit"

    I would suggest you buy the book, or get gold so you have access to the html and pdf, epub and mobi version of the book.. Gold also gives you access to the hangouts which go over lots of different subjects and gold gives you access to all the previous hangouts.

    Keep in mind the some of the docs are really put together by other users - its a wiki..  My understanding is it not meant to be "official" documentation.. I have access and previous you could request access and put up doc's on subjects you felt needed help and if passed peer review would stay, etc..  I am not sure if they are currently allowing new wiki author access?

    if you would like clarification on some aspect of how pfsense works in a specific manner - post up your question and many helpful people here to clarify how something works in relation to your context, etc.



  • @Derelict:

    I would:

    Assign interfaces to both OpenVPN servers

    Place rules that reject the traffic you want rejected (to LAN, to this firewall, etc) on the tab for the server you want to limit
    Place a rule that passes any after that (any = the internet)

    Do the same for the rules for the other VPN server but pass/reject the traffic you want passedrejected from those clients.

    Remove all rules from the OpenVPN tab

    Thanks. I tried this and got lost along the way.

    Using the OpenVPN rules tab as described further above worked great. I just tested it and it worked well. It was a 1 line entry.



  • "I would suggest you buy the book,"

    Went looking for it. Without digging a lot, the only reference to a book for the current pfSense required a gold subscription, at $99/year.

    I would consider buying a book, but not buy access to a book for $99/yr. Ridiculous.


  • LAYER 8 Global Moderator

    You get more than just the book for the gold.. But the html version is $24.70

    https://portal.pfsense.org/members/signup/html-book

    Shoot Derelict has a link to it in his sig ;)

    A google for pfsense book, first hit is https://www.netgate.com/blog/pfsense-book-now-available-for-purchase.html

    Which links to the gold way to get it or the html (standalone)..



  • @johnpoz:

    You get more than just the book for the gold.. But the html version is $24.70

    https://portal.pfsense.org/members/signup/html-book

    Shoot Derelict has a link to it in his sig ;)

    A google for pfsense book, first hit is https://www.netgate.com/blog/pfsense-book-now-available-for-purchase.html

    Which links to the gold way to get it or the html (standalone)..

    You're right. I tool a 2nd look at the link and saw the stand alone version available via HTML and if you sign in to read it. Thanks.


  • Galactic Empire


Log in to reply