Netgate Discussion Forum

Best practice block local users from accessing VPN

OpenVPN
5 Posts 2 Posters 597 Views
  • ScottCall, Nov 8, 2019, 7:13 PM (last edited by ScottCall Nov 8, 2019, 7:20 PM)

    I have a few windows users and their openvpn client auto-reconnects when they come to the office. Both the office firewall and OpenVPN server are the same pfSense installation.

    It's a little thing but it bugs me that they are going from Client LAN -> My Public IP -> OpenVPN -> Internet instead of just connecting to the internet from the Client LAN.

    It would be easy to block access to our public IP and port from the client LAN, but I'm curious if there's a better way to do it (either in pfSense or OpenVPN config).

    Thanks

    • JKnott @ScottCall, Nov 8, 2019, 9:14 PM

      @ScottCall

      In the OpenVPN server config, there is a setting for which interface listens for connections. That should be set to WAN.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • ScottCall @JKnott, Nov 8, 2019, 9:22 PM

        @JKnott said in Best practice block local users from accessing VPN:

        @ScottCall

        In the OpenVPN server config, there is a setting for which interface listens for connections. That should be set to WAN.

        It is set to WAN, but they are hitting the WAN address through NAT reflection (I think). NAT Reflection mode for port forwards is set to "Pure NAT", but I'm not sure if that applies, since OpenVPN isn't a port forward so much as a local daemon.

        I don't have any other reflection enabled.

        Thanks

        • JKnott @ScottCall, Nov 8, 2019, 9:25 PM

          @ScottCall

          Perhaps you can create a rule to block access from the LAN. You'd put it on the LAN interface, to block going to the WAN address.


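          The LAN-interface rule suggested above, written out as the pf rule it corresponds to. This is an added example, not from the thread or from pfSense's generated ruleset; it assumes LAN is em1 with 192.168.1.0/24, WAN is em0, and the OpenVPN server listens on UDP 1194 (the default). Adjust the interface names, network and port to match the real box.

```pf
# Added example: pf.conf fragment equivalent to a pfSense LAN rule that stops
# office clients from reaching the firewall's own OpenVPN listener.
# Assumed values (not stated in the thread): em1/192.168.1.0/24 = LAN,
# em0 = WAN, OpenVPN on UDP 1194.
lan_if    = "em1"
wan_if    = "em0"
lan_net   = "192.168.1.0/24"
ovpn_port = "1194"

# Weak state: pfSense's stock "Default allow LAN to any" rule permits a LAN
# host to talk to the firewall's WAN address, so a Windows OpenVPN client
# that wakes up on the office LAN simply reconnects through the firewall.
#
#   pass in quick on $lan_if inet from $lan_net to any

# Fix: reject LAN -> (WAN address):1194 with a rule that sits ABOVE the allow
# rule. "quick" stops evaluation at the first match, which is why the order
# matters; "return" sends ICMP port-unreachable for UDP so the client fails
# fast instead of waiting on a silent timeout.
block return in quick on $lan_if inet proto udp \
    from $lan_net to ($wan_if) port $ovpn_port

# The existing allow rule stays below it, unchanged.
pass in quick on $lan_if inet from $lan_net to any
```

          The rule does not depend on whether NAT reflection is involved: a packet from a LAN host to the firewall's WAN address enters on the LAN interface and is evaluated against the LAN rules, so that is where the block belongs. In the pfSense GUI the same thing is a block/reject rule on LAN with destination "WAN address", protocol UDP, port 1194, dragged above the default allow rule. To confirm it is being hit, run `pfctl -vsr` from the pfSense shell and watch the rule's packet counters while a client is on the office LAN. If the server also listens on TCP, or on IPv6, add matching rules for those.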
          • ScottCall @JKnott, Nov 8, 2019, 9:57 PM

            @JKnott said in Best practice block local users from accessing VPN:

            @ScottCall

            Perhaps you can create a rule to block access from the LAN. You'd put it on the LAN interface, to block going to the WAN address.

            That was my plan I just wanted to know if there was a more recommended way before I did.

            I'll do that.

            Thanks
            -S

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.