Netgate Discussion Forum

How to prevent OpenVPN clients from accessing local IP addresses?

OpenVPN
12 Posts 3 Posters 980 Views
    pfguy2018
    last edited by pfguy2018 Aug 3, 2018, 12:06 PM Aug 3, 2018, 12:05 PM

    I have OpenVPN up and running. I would like to prevent OpenVPN clients from connecting to any local IP addresses (except for the local gateway to provide DNS on port 53), and only allow the clients to connect back out to the web. What rule do I need for this, and which interface does it belong in?

      NogBadTheBad
      last edited by Aug 3, 2018, 12:12 PM

      Do they get IP addresses in your LAN range ?

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        pfguy2018
        last edited by pfguy2018 Aug 3, 2018, 12:19 PM Aug 3, 2018, 12:13 PM

        No, a completely different subnet. (LAN is 192.168.x.x, OpenVPN clients are assigned 10.0.x.x, DNS server would be 192.168.x.1 (edit - DNS could also be reachable at 10.0.x.1))

          NogBadTheBad
          last edited by Aug 3, 2018, 12:49 PM

          Here's what I do with IPsec:

          [image: Untitled.jpeg]

          I hand out specific IP addresses to various users via FreeRadius.

          n_ipsec_trusted = 172.16.8.0/25

          n_ipsec_non_trusted = 172.16.8.128/25

          Andy

            pfguy2018
            last edited by Aug 3, 2018, 12:57 PM

            I already have similar rules on the OpenVPN rules tab, but the rules do not seem to block as intended, and local access is still happening. Here is what I have:

            [image: Screen Shot 2018-08-03 at 8.52.59 AM.png]

            ("Local" alias is all my local subnets other than the OpenVPN subnet)

            Any suggestions?

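The rule set described above (allow DNS to the gateway, block the "Local" alias, allow everything else) only works if the narrow allow sits above the broad block, because pfSense evaluates interface rules top to bottom and the first match wins. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that encodes those three rules and runs a few constructed flows through them, including the same rules in the wrong order. The addresses (10.0.8.0/24 for clients, 192.168.1.0/24 and two further VLANs in the "Local" alias, 192.168.1.1 and 10.0.8.1 as the resolver addresses) are assumptions chosen to match the 10.0.x.x / 192.168.x.x layout the poster mentions.

```python
"""Added example (not from the forum thread or pfSense): a minimal first-match
evaluator for the three rules the poster describes on the OpenVPN tab.
All addresses, alias contents and ports are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


def nets(*cidrs: str) -> list[IPNet]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed addressing modelled on the thread (LAN 192.168.x.x, VPN clients 10.0.x.x).
OPENVPN_NET = nets("10.0.8.0/24")
LOCAL = nets("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24")  # the "Local" alias
# Resolver addresses clients may reach: pfSense LAN address and its tunnel-side address.
DNS_GATEWAY = nets("192.168.1.1/32", "10.0.8.1/32")
ANY = nets("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    src: list[IPNet]
    dst: list[IPNet]
    dport: Optional[int]   # destination port, None for any port
    label: str


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def in_alias(addr: str, alias: list[IPNet]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return in_alias(flow.src, rule.src) and in_alias(flow.dst, rule.dst)


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First matching rule wins (pfSense GUI rules carry pf's 'quick' flag);
    with no match at all, an interface tab's implicit default is to block."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.label
    return "block", "default deny"


# Intended order: the narrow DNS allows must precede the broad block of the Local alias.
OPENVPN_RULES = [
    Rule("pass", "udp", OPENVPN_NET, DNS_GATEWAY, 53, "allow DNS to gateway (UDP)"),
    Rule("pass", "tcp", OPENVPN_NET, DNS_GATEWAY, 53, "allow DNS to gateway (TCP)"),
    Rule("block", None, OPENVPN_NET, LOCAL, None, "block all other local subnets"),
    Rule("pass", None, OPENVPN_NET, ANY, None, "allow everything else (Internet)"),
]

# The same rules with the block moved to the top: DNS to 192.168.1.1 is now swallowed by it.
MISORDERED_RULES = [OPENVPN_RULES[2]] + OPENVPN_RULES[:2] + OPENVPN_RULES[3:]

if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for an Internet host.
    samples = [
        Flow("udp", "10.0.8.2", "192.168.1.1", 53),      # DNS to the gateway: pass
        Flow("tcp", "10.0.8.2", "192.168.1.1", 443),     # gateway web UI: block
        Flow("tcp", "10.0.8.2", "192.168.10.50", 445),   # file server on a VLAN: block
        Flow("tcp", "10.0.8.2", "203.0.113.10", 443),    # Internet: pass
    ]
    for f in samples:
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}: {evaluate(OPENVPN_RULES, f)}")
    print("misordered DNS:", evaluate(MISORDERED_RULES, samples[0]))
```

Note that the gateway's web UI on port 443 is blocked here because the DNS rule is port-specific and the Local alias covers 192.168.1.1; if the block rule is placed above the DNS rule, the resolver becomes unreachable as well, which is the ordering mistake most often behind "my rules don't block as intended".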
              NogBadTheBad
              last edited by NogBadTheBad Aug 3, 2018, 1:46 PM Aug 3, 2018, 1:24 PM

              What's the Advanced filter rule at the bottom doing?

              Also, why the gateway? Do you have a multi-WAN set-up?

              Andy

                pfguy2018
                last edited by Aug 3, 2018, 1:51 PM

                The only advanced option is the gateway - WAN_DHCP. I am not using a multiwan setup, but there are several outgoing OpenVPN clients. I think I stuck the gateway in there to make sure the connection went out over the WAN connection rather than the OpenVPN client connections. Is that somehow causing the issue?

                  NogBadTheBad @pfguy2018
                  last edited by Aug 3, 2018, 1:56 PM

                  @pfguy2018

                  Not sure but there is no need if you have a single wan connection.

                  Try enabling logging on your rules and see what rule is being hit.

                  Andy

                    pfguy2018
                    last edited by Aug 3, 2018, 5:52 PM

                    Turns out my rules work, for the most part. I was testing the connection by connecting to the VPN through my home network. When I connected outside my home LAN, the rules worked as intended - DNS provided by the pfSense box, no other connections with the local subnets permitted. I am not sure why the connections were permitted when I originated from the home LAN, but this is of little concern, as I would not normally be using a VPN when I am already on the network to which I am trying to connect.

                      NogBadTheBad @pfguy2018
                      last edited by Aug 3, 2018, 5:59 PM

                      @pfguy2018 said in How to prevent OpenVPN clients from accessing local IP addresses?:

                      Turns out my rules work, for the most part. I was testing the connection by connecting to the VPN through my home network. When I connected outside my home LAN, the rules worked as intended - DNS provided by the pfSense box, no other connections with the local subnets permitted. I am not sure why the connections were permitted when I originated from the home LAN, but this is of little concern, as I would not normally be using a VPN when I am already on the network to which I am trying to connect.

                      By the sound of things you've set it up as a split tunnel.

                      Andy

                        Derelict LAYER 8 Netgate @pfguy2018
                        last edited by Aug 4, 2018, 2:18 PM

                        I am not sure why the connections were permitted when I originated from the home lan

                        @pfguy2018 Because the local LAN was a local subnet to the host. That traffic won't go out the VPN, but straight out the interface.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

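The point made above is a routing one, not a firewall one: a host picks its egress by longest-prefix match, and its own connected LAN is a more specific route than anything the tunnel offers, so that traffic never reaches the OpenVPN interface on pfSense and its rules never see it. The following added example (not code from the thread, from pfSense or from OpenVPN) simulates a client's routing table under a split tunnel and under a full tunnel. The routing tables, interface names and metrics are constructed assumptions; the only real detail borrowed from OpenVPN is that `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 rather than replacing the default route.

```python
"""Added example (not from the thread): longest-prefix route selection on a
VPN client, showing why traffic to the client's own LAN stays off the tunnel.
Routes, interface names and metrics are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int = 0


def r(cidr: str, iface: str, metric: int = 0) -> Route:
    return Route(ipaddress.ip_network(cidr), iface, metric)


def best_route(table: list[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins.
    (Simplified: real stacks also consider scope and connected-route preference.)"""
    ip = ipaddress.ip_address(dst)
    candidates = [rt for rt in table if ip in rt.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda rt: (-rt.prefix.prefixlen, rt.metric))


def egress_interface(table: list[Route], dst: str) -> Optional[str]:
    rt = best_route(table, dst)
    return rt.iface if rt else None


# A client sitting on the home LAN 192.168.1.0/24 (constructed), before the VPN comes up.
HOME_LAN_CONNECTED = [
    r("192.168.1.0/24", "en0"),        # connected route for the LAN the host is plugged into
    r("0.0.0.0/0", "en0", 100),        # default via the home router
]

# Split tunnel: the server pushes only the remote subnets (constructed list, metric 50).
SPLIT_TUNNEL = HOME_LAN_CONNECTED + [
    r("192.168.1.0/24", "tun0", 50),   # same prefix as the connected route: loses on metric
    r("192.168.10.0/24", "tun0", 50),
    r("192.168.20.0/24", "tun0", 50),
]

# Full tunnel: redirect-gateway def1 adds two /1 routes that out-prefix the /0 default.
FULL_TUNNEL = SPLIT_TUNNEL + [
    r("0.0.0.0/1", "tun0", 50),
    r("128.0.0.0/1", "tun0", 50),
]

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for dst in ("192.168.1.5", "192.168.10.50", "203.0.113.10"):
            print(f"{name:5} tunnel: {dst:14} -> {egress_interface(table, dst)}")
```

With either table, 192.168.1.5 leaves via en0: the client is on that LAN, so the pfSense OpenVPN rules are never consulted. Hosts on other local VLANs (192.168.10.50 here) do go through tun0 and are subject to those rules, and only the full-tunnel table sends Internet-bound traffic through the VPN.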
                          pfguy2018
                          last edited by Aug 4, 2018, 2:23 PM

                          I get that. But the client was also able to access VLANs on different subnets when connected to the VPN server while originating from a home VLAN. That is what confused me. (As noted earlier, this does not occur if connecting to the VPN server from outside the home.)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.