Best practice block local users from accessing VPN

ScottCall · Nov 8, 2019, 7:20 PM

I have a few windows users and their openvpn client auto-reconnects when they come to the office. Both the office firewall and OpenVPN server are the same pfSense installation.

It's a little thing but it bugs me that they are going from Client LAN -> My Public IP -> OpenVPN -> Internet instead of just connecting to the internet from the Client LAN.

It would be easy to block access to our public IP and and port from the client lan but I'm curious if there's a better way to do it (either in pfSense or OpenVPN config).

Thanks

JKnott · Nov 8, 2019, 9:14 PM

@ScottCall

In the OpenVPN server config, there setting for which interface listens for connections. That should be set to WAN.

ScottCall · Nov 8, 2019, 9:22 PM

@JKnott said in Best practice block local users from accessing VPN:

@ScottCall

In the OpenVPN server config, there setting for which interface listens for connections. That should be set to WAN.

It is set to WAN, but they are hitting the WAN address through NAT reflection (I think). NAT Reflection mode for port forwards is set to "Pure NAT" but I'm not sure if applies since OpenVPN isn't a port forward as much as a local daemon.

I don't have any other reflection enabled.

Thanks

JKnott · Nov 8, 2019, 9:25 PM

@ScottCall

Perhaps you cancreate a rule to block access from the LAN. You'd put it on the LAN interface, to block going to the WAN address.

ScottCall · Nov 8, 2019, 9:57 PM

@JKnott said in Best practice block local users from accessing VPN:

@ScottCall

Perhaps you cancreate a rule to block access from the LAN. You'd put it on the LAN interface, to block going to the WAN address.

That was my plan I just wanted to know if there was a more recommended way before I did.

I'll do that.

Thanks
-S