OpenVPN - Multi Site Communication



  • Hello,

    I'm a new user of pfSense and I have some questions for you.

    Context:

    I have configured my OpenVPN server (10.2.2.0/24) and disabled the "Allow communication between clients connected to this server".
    The clients are routers (custom firmware "Tomato"), each with its own local network.
    So let's take:

    Client A: local 192.168.20.0/24 - VPN: 10.2.2.2
    Client B: local 192.168.30.0/24 - VPN: 10.2.2.3
    Client C: local 192.168.40.0/24 - VPN: 10.2.2.4

    So, if I connect to my OpenVPN I want to be able to communicate with the machines behind these routers using their local IPs (example: ping 192.168.30.10).
    And I want to limit communication between users (example: A can communicate with B, but B can't communicate with A, and C can't communicate with A or B).

    I know there is "Client specific override" which can (maybe) solve my problem, but I need help on how to properly configure my server and what's the right way to limit communication between users.

    If you have any questions, feel free to ask me!
    Thanks in advance ;)



  • Disabling "Allow communication between clients connected to this server" prevents all clients from communicating with any other.
    You can either allow inter-client communication or disable it. It's not possible to set specific rules for each client.

    To achieve what you want, you have to set up at least two VPN servers, one for A and one for B and C, both with an assigned interface.
    However, to get full control over all traffic between the clients, the best way is to set up a separate server for each client as a site-to-site. Then assign an interface to each VPN instance.
    Now you have a separate firewall rules tab for each server where you can allow or block whatever you want.



  • @viragomann:

    You can either allow inter-client communication or disable it. It's not possible to set specific rules for each client.

    Is that true for pf?

    OpenVPN on a Linux firewall (netfilter/iptables):
    When inter-client communication is enabled (--client-to-client in the config file) there is no way to firewall between clients, because packets are routed inside the OpenVPN process, so the host never sees those packets or their "true destination". This is true for routed tun, not bridged.

    When inter-client communication is disabled, one can make specific firewall rules in the FORWARD chain on the tun interface to allow/drop inter-client communication. Whether pf can do this I do not know.
    Of course this only works reliably when assigning static tunnel IPs to clients.




  • Thanks for the answers

    I'll explain the real situation: I'll have more than 100 clients (routers with a local network), so my OpenVPN will give an IP to each router.
    Let's take:

    -> Router A: VPN IP: 10.2.2.2 | Local network: 24.1.1.0/24
    -> Router B: VPN IP: 10.2.2.3 | Local network: 24.1.2.0/24
    -> Router C: VPN IP: 10.2.2.4 | Local network: 24.1.3.0/24
    ...

    So I want to block communication between all routers (easy, I just disable the option "Allow communication between clients").

    But I'll create users on my OpenVPN (for example, for my Windows computer):
    -> Client A: VPN IP: 10.2.2.40

    And for this client, I need to allow communication to all routers.

    So what can I do?
    Disable "Allow communication between clients", and create specific rules for the user I want to allow to communicate?
    Make a second server for my users and configure it to communicate with all the clients of the first server? (BUT HOW?)

    Thanks for your help
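The approach described in the third reply (client-to-client disabled, static tunnel IPs, filtering in the FORWARD chain on the tun device) applied to both policies from this thread, as an added example that is not part of any post and not pfSense's own mechanism: on pfSense the same filtering is done on the assigned OpenVPN interface tab, as the second reply says; this is the Linux/iptables form. The tunnel and LAN addresses are the constructed ones from the first post plus the 10.2.2.40 user from the follow-up; the device name tun0, the chain name OVPN_INTER, the client CNs, and `topology subnet` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Linux/netfilter version of "disable
# client-to-client, then filter inter-client traffic in FORWARD on the tun
# device". Addresses are the constructed ones from the posts; tun0, the chain
# name OVPN_INTER, the CNs (siteA/siteB/siteC/admin) and "topology subnet"
# are assumptions. On pfSense the equivalent is the assigned OpenVPN interface
# rules tab.

TUN=tun0
CHAIN=OVPN_INTER
LAN_MASK=255.255.255.0          # every site LAN in the thread is a /24

A_TUN=10.2.2.2;  A_LAN=192.168.20.0
B_TUN=10.2.2.3;  B_LAN=192.168.30.0
C_TUN=10.2.2.4;  C_LAN=192.168.40.0
ADMIN_TUN=10.2.2.40             # the "Windows computer" user from the follow-up

# ccd_entry CN TUN_IP [LAN_NET] -> client-config-dir file for one client.
# Pinning the tunnel IP is what makes source-based filtering reliable; the
# iroute tells OpenVPN which client owns that LAN (the matching server-side
# "route" statement is not shown). Assumes "topology subnet".
ccd_entry() {
  printf '# ccd/%s\nifconfig-push %s %s\n' "$1" "$2" "$LAN_MASK"
  if [ -n "$3" ]; then
    printf 'iroute %s %s\n' "$3" "$LAN_MASK"
  fi
}

# allow_new SRC DST -> one rule letting SRC open new flows to DST across tun0.
allow_new() {
  printf '%s %s -i %s -o %s -s %s -d %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    -A "$CHAIN" "$TUN" "$TUN" "$1" "$2"
}

# allow_site SRC_TUN SRC_LAN DST_TUN DST_LAN -> a site (router + its LAN) may
# initiate to another site's router and LAN. Only replies come back the other
# way, so B -> A stays closed unless it is listed separately.
allow_site() {
  for s in "$1" "$2/24"; do
    for d in "$3" "$4/24"; do
      allow_new "$s" "$d"
    done
  done
}

# gen_rules -> complete iptables-restore fragment for the filter table.
gen_rules() {
  printf '*filter\n:%s - [0:0]\n' "$CHAIN"
  # Only tun0 -> tun0 traffic enters the chain; LAN<->VPN policy lives elsewhere.
  printf '%s FORWARD -i %s -o %s -j %s\n' -A "$TUN" "$TUN" "$CHAIN"
  printf '%s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' -A "$CHAIN"
  # First post: A -> B allowed; B -> A and C -> anyone denied (nothing listed).
  allow_site "$A_TUN" "$A_LAN" "$B_TUN" "$B_LAN"
  # Follow-up: the admin's tunnel address reaches every router and every LAN.
  for d in "$A_TUN" "$A_LAN/24" "$B_TUN" "$B_LAN/24" "$C_TUN" "$C_LAN/24"; do
    allow_new "$ADMIN_TUN" "$d"
  done
  # Default deny, logged so a blocked site shows up in the kernel log.
  printf '%s %s -j LOG --log-prefix "ovpn-inter-drop: "\n' -A "$CHAIN"
  printf '%s %s -j DROP\nCOMMIT\n' -A "$CHAIN"
}

# policy_allows SRC DST -> exit 0 if the generated ruleset holds an explicit
# accept for exactly these two addresses (literal match; a quick self-check
# before loading the rules, not a replacement for testing with real traffic).
policy_allows() {
  gen_rules | grep -qF -e "-s $1 -d $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage (as root, server already up):
#   gen_rules | iptables-restore -n
#   ccd_entry siteB "$B_TUN" "$B_LAN" > /etc/openvpn/ccd/siteB
if [ "${1:-}" = "show" ]; then
  ccd_entry siteA "$A_TUN" "$A_LAN"
  ccd_entry admin "$ADMIN_TUN" ""
  gen_rules
fi
```

The ESTABLISHED,RELATED rule is what makes the policy directional: A's connections to B get their replies back, but B never gets a NEW-state rule toward A, so it cannot initiate. Everything not listed falls through to the logged DROP, which is also how you discover a client that has silently lost its static tunnel address.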

