Restrict RA user traffic



  • Greetings,

    I have configured the OpenVPN Remote Access (RA) service in my pfSense cluster with "IPv4 Tunnel Network" 10.99.99.0/24. I tested this VPN with the user I have, and all works just fine: I obtain the 10.99.99.2/24 address and receive the specific routes from the tunnel, and VPN traffic works fine.

    MacBook:~ jamal$ netstat -nr
    Routing tables
    
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            192.168.2.1        UGSc          111        0     en0       
    10.0.11/24         10.99.99.1       UGSc            0        0   utun1       
    10.1/16            10.99.99.1       UGSc            0        0   utun1       
    10.99.99/24      10.99.99.2       UGSc            3        0   utun1       
    10.99.99.2       10.99.99.2       UH              1        0   utun1       
    127                127.0.0.1          UCS             0        0     lo0       
    

    Then I decided to restrict a user called "vpnuser" to certain IPs he can access. For that purpose, in the "Client Specific Overrides" tab I created an entry with "vpnuser" as the CN and "IPv4 Tunnel Network": 10.99.99.100/30. Then I was going to create a Firewall Rule in the "OpenVPN" tab to restrict the user by matching its source IP. But when I tested "vpnuser" access I obtained the 10.99.99.100 IP address on the utun1 interface, but traffic isn't passed through the tunnel:

    MacBook:~ jamal$ netstat -nr
    Routing tables
    
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            192.168.2.1        UGSc          113        0     en0      
    10.0.11/24         10.99.99.1       UGSc            0        0     en0   
    10.1/16            10.99.99.1       UGSc            0        0     en0       
    10.99.99.100     10.99.99.100     UH              0        0   utun1       
    127                127.0.0.1          UCS             0        0     lo0       
    
    MacBook:~ jamal$ ping 10.0.11.3
    PING 10.0.11.3 (10.0.11.3): 56 data bytes
    ping: sendto: Network is unreachable
    ping: sendto: Network is unreachable
    Request timeout for icmp_seq 0
    

    I think the problem is in local routing; what could be the reason for such an issue? If I delete the "Client Specific Overrides" entry for vpnuser I obtain an address from the 10.99.99.0/24 subnet and ping goes well.



  • @shshs - try changing the tunnel network on the client override to 10.99.99.100/24. If you mask /30 I don't think you'll be able to reach the tunnel gateway at 10.99.99.1.



  • I set up the network type as "net30" instead of "subnet" and all works. Thank you, you can close the thread.
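The failure described in the first post, and both fixes offered in the replies (a /24 mask on the override, or switching the topology to net30), come down to one question: does the gateway the pushed routes point at fall inside the client's own tunnel subnet? The following check, added here as an illustration and not part of the thread or of pfSense, models that with the thread's addresses. It assumes the server takes the first host of the tunnel network (10.99.99.1, as seen in the netstat output) and the standard OpenVPN net30 layout in which the client gets the third address of its /30 and its peer the second.

```python
import ipaddress


def evaluate_override(server_tunnel: str, override: str, topology: str = "subnet") -> dict:
    """Predict whether a pfSense Client Specific Override tunnel network is routable.

    server_tunnel: the server's "IPv4 Tunnel Network", e.g. "10.99.99.0/24"
    override:      the per-client "IPv4 Tunnel Network", e.g. "10.99.99.100/30"
    topology:      "subnet" or "net30" (the two modes discussed in the thread)
    Returns the client address, the gateway pushed routes will use, whether that
    gateway is on-link for the client, and the /32 to match in a firewall rule.
    """
    server_net = ipaddress.ip_network(server_tunnel, strict=False)
    # Assumption: pfSense gives the server the first host of the tunnel network.
    server_gw = server_net.network_address + 1

    if topology == "subnet":
        # ifconfig-push hands the client the override address with the override mask;
        # pushed routes use route-gateway, i.e. the server's tunnel address.
        iface = ipaddress.ip_interface(override)
        client_ip, client_net, route_gw = iface.ip, iface.network, server_gw
    elif topology == "net30":
        # Each client owns a /30: peer (vpn_gateway) is base+1, client is base+2
        # (standard OpenVPN net30 convention, assumed here).
        block = ipaddress.ip_network(override, strict=False)
        if block.prefixlen != 30:
            raise ValueError("net30 topology requires a /30 per client")
        route_gw = block.network_address + 1
        client_ip, client_net = block.network_address + 2, block
    else:
        raise ValueError(f"unknown topology {topology!r}")

    return {
        "client_ip": str(client_ip),
        "route_gateway": str(route_gw),
        # If this is False the client will report "Network is unreachable",
        # as in the first post's ping output.
        "gateway_reachable": route_gw in client_net,
        "inside_server_tunnel": client_ip in server_net,
        # Source address to match in the OpenVPN-tab firewall rule for this user.
        "firewall_source": f"{client_ip}/32",
    }


if __name__ == "__main__":
    for topo, ovr in (("subnet", "10.99.99.100/30"), ("subnet", "10.99.99.100/24"),
                      ("net30", "10.99.99.100/30")):
        print(topo, ovr, evaluate_override("10.99.99.0/24", ovr, topo))
```

Only the first combination (subnet topology, /30 override) reports the gateway as unreachable; the other two are the fixes proposed in the replies.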

