Netgate Discussion Forum
    VPN for specific clients + kill switch

    zxarr:

      Good day,

      I'm new to pfSense, but not firewalls in general. I'm attempting to allow specific hosts VPN-only access to the internet, while the remainder of hosts continue to use the default gateway to the ISP. Currently I have an alias with the list of hosts, and a LAN firewall rule sending all their traffic onto the VPN. This is successful.

      However, if the VPN disconnects all traffic from the VPN_hosts switches back to the default gateway.

      I've attempted adding the following rules:
      • a floating rule that blocks all traffic from the VPN_hosts to the WAN;
      • a WAN rule that blocks all traffic from the VPN_hosts to the WAN;
      • a LAN rule below the VPN allow rule that blocks traffic from the VPN_hosts to any WAN net.

      I'm a bit at a loss at the moment as to why this isn't working.

      Rico:

        OpenVPN Kill Switch: https://forum.netgate.com/topic/67692/openvpn-kill-switch/6

        -Rico

        Konstanti @zxarr:

          @zxarr
          Hey,
          you can try to implement this scheme. We assume that the tunnel is OpenVPN.

          Firewall > Rules, LAN tab: the PBR rule for vpn_hosts
          Add tag: vpn_hosts
          Save and exit.

          Firewall > Rules, Floating tab

          Action: Reject or Block
          Disabled: unchecked
          Quick: checked
          Interface: WAN
          Direction: out
          TCP/IP Version: IPv4
          Protocol: any
          Source: any
          Destination: any
          Destination port range: any
          Advanced options
          Tagged: vpn_hosts

          Thus all traffic tagged vpn_hosts leaves through the OpenVPN interface with no restriction, and if traffic tagged vpn_hosts gets to the WAN interface, it is blocked.

          zxarr @Konstanti:
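The tag/tagged scheme above, written out as the pf rules pfSense would generate for it. This is an added illustration, not from the thread or from pfSense's own ruleset; interface names, the tunnel gateway and the host addresses are assumptions.

```pf
# Constructed pf.conf fragment (not pfSense-generated; all names are assumptions).
lan     = "igb1"
wan     = "igb0"
ovpn    = "ovpnc1"              # assumed OpenVPN client interface
vpn_gw  = "10.8.0.1"            # assumed tunnel gateway address
table <vpn_hosts> { 192.168.1.50, 192.168.1.51 }   # constructed sample hosts

# --- Weak version: what the first post describes ---
# Policy-routes the hosts into the tunnel, but when the tunnel is down the
# policy route no longer applies and the traffic follows the default route
# out of WAN, so the hosts silently fall back to the ISP.
# pass in quick on $lan from <vpn_hosts> to any route-to ($ovpn $vpn_gw)

# --- Kill-switch version: Konstanti's scheme ---
# 1. The LAN PBR rule, now also tagging the packet (Advanced > Tag).
pass in quick on $lan from <vpn_hosts> to any \
    route-to ($ovpn $vpn_gw) tag VPN_HOSTS

# 2. Floating rule: outbound on WAN, quick, matching only tagged traffic
#    (Advanced > Tagged). Tagged packets reach WAN only when they were not
#    sent into the tunnel, i.e. when it is down, and are dropped there.
#    Untagged hosts never match this rule and keep their normal ISP path.
block return out quick on $wan tagged VPN_HOSTS

# Everything else follows the usual LAN rules and the default gateway.
pass in quick on $lan from $lan:network to any
```

The tag travels with the packet from the LAN pass rule to the outbound WAN filter, which is why the WAN-side block never has to name the hosts themselves.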

            @konstanti Looks like tagging the traffic did the trick. Disconnecting from OpenVPN kills internet connectivity to the hosts in VPN_hosts alias, while all other hosts have normal ISP connection.

            Thanks!!

            John2893ax:

              Hello.

              When I build a tunnel inside a tunnel with OpenVPN clients, for example:

              VPN1 (Remote IP 10.10.10.10) Remote Network(s): 11.11.11.11/32
              VPN2 (Remote IP 11.11.11.11) Remote Network(s): 12.12.12.12/32
              VPN3 (Remote IP 12.12.12.12)

              How do I set up a kill switch that first lets VPN1 through, then VPN2 and finally VPN3?

              Greetings

              John
