Netgate Discussion Forum

    PFsense OpenVPN Server traffic filtering

    Category: OpenVPN
    11 Posts 4 Posters 1.1k Views
      neguranegura

      Hello, I've searched the forum for an answer to my question, maybe I didn't know what to ask / search, so I'm sorry if this was answered before.

      So, my case: I have a campus network with one static WAN IP, and its users can access an external website (an articles database site) with this STATIC WAN IP. So, only the users coming from the campus's static WAN IP can access this website. Now, with the pandemic and all, the users wanted to access this website from their homes, so I've set up OpenVPN on my pfSense, and it's working OK. But I do not want all the users' internet traffic routed in and out of my campus network, so I was thinking that I should set up OpenVPN to route only that specific website, and leave the rest of the users' traffic (Windows updates, gaming, whatevs) to the users' normal / home connection. I'm not a beginner in pfSense, but I am in OpenVPN 😃 So, how can I do that? I've tried something with an alias, but it didn't work. Thank you. 😃

        JKnott @neguranegura

        @neguranegura said in PFsense OpenVPN Server traffic filtering:

        I'm not a beginner in pfSense, but I am in OpenVPN. So, how can I do that? I've tried something with an alias, but it didn't work. Thank you.

        It has nothing to do with OpenVPN. It's just basic routing and filtering. You want rules that will only allow access to the local network(s).

        BTW, once it's connected, a VPN is no different than any other IP connection. IP is IP and behaves exactly the same, no matter the underlying tech.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          neguranegura

          Searching the Internet, I've found this:

          with OpenVPN routes it can be possible to route specific traffic:

          • redirect all default traffic via the VPN
            redirect-gateway def1
          • redirect the Intranet network 192.168.1.0/24 via the VPN
            route 192.168.1.0 255.255.255.0
          • redirect another network to NOT go via the VPN
            route 10.10.0.0 255.255.255.0 net_gateway
          • redirect a host using a domainname to NOT go via the VPN
            route www.google.ca 255.255.255.255 net_gateway

          So, "net_gateway" would be user's internet connection / gateway, while "def1" would be the vpn gateway, in my case, campus network gateway. Can I use this in "Advanced Configuration - Custom options" field to solve my problem ? I was thinking of something like this:

          route 172.16.10.0 255.255.255.0 net_gateway
          route 52.4.131.46 255.255.255.255

          Where 172.16.10.0/24 is my vpn clients network and 52.4.131.46 is the website's ip address.

            Rico

            So your OpenVPN server would act like a proxy only for one specific website?
            Client > OpenVPN RAS > Website
            ?
            I never tried, but it could work to only push the Webserver IP as route to your Clients. Like 172.217.23.110/32

            -Rico

              viragomann @neguranegura

              @neguranegura
              Forget the Custom options stuff, that's all obsolete.

              Pushing the route to the clients is done by the "Local networks" option. Insert networks here which you want your clients to reach over the VPN.

              So in your case, uncheck "Redirect gateway" and enter, or add if already any there

              52.4.131.46/32
              

              into "Local networks".

              If you've not already done so, you have to add an outbound NAT rule for the VPN tunnel subnet.

                neguranegura @Rico

                @Rico : kinda yes, it was more a proxy problem. I did look into this option, setting pfSense as a proxy, but it looked a bit more complicated. Plus the hassle of setting that proxy on 10 to 30 computers, so I turned to VPN. Btw, that specific website is outside my campus network, not inside it.

                @viragomann : thanks, I will try that tonight 😃

                  neguranegura @viragomann

                  @viragomann: it doesn't work. The website needed for access is "https://rilm.org". I did a hostname to IP, hoping that it would be enough, but it wasn't. So I need something where I can enter a hostname.

                    viragomann

                    Routing doesn't work with hostnames. You need to enter a network as mentioned.

                    Is the IP address of the webserver dynamic or why else do you want to state the hostname for that?

                      neguranegura @viragomann

                      @viragomann I don't think it's dynamic, but if I enter 52.4.131.46 (the IP address found with hostname to IP) instead of "https://rilm.org/" in the browser it does not work; some nginx web server interface appears, so most probably there are some configurations in place.

                        viragomann

                        Dude, of course you have to enter the URL in the browser.
                        But you have to enter the network (52.4.131.46/32) into the "IPv4 Local networks" box in the OpenVPN server settings to push the route for that IP to the clients.

                          neguranegura

                          No, I was talking about that maybe IP address "52.4.131.46" not being the right one for the website, for "https://rilm.org" 😃 So I've set things up like you've said, and after that I've got no internet access, which is a good thing, but it also cuts access to "https://rilm.org", which is a bad thing. The only thing working in the browser, going somewhere, is "52.4.131.46", and it reaches that nginx test page that I was talking about. So, it looks more like a DNS problem now. The DNS servers entered here in options are Google's public ones. I've also tried push "route 192.168.1.0 255.255.255.0" in Advanced Config, to no avail.

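The thread stops with a tunnel that pushes one /32 and still does not reach the site. As an added example that is not part of this thread and is not pfSense's or OpenVPN's own code, the Python below ties together the two forms of split tunnelling discussed above (the client-side route ... net_gateway lines quoted by neguranegura, and the server-side push routes that viragomann's "IPv4 Local networks" entry generates), writes the pf form of the outbound NAT rule for the tunnel subnet, and runs the check a practitioner would want at the point the thread ends: does every address the name resolves to fall inside a pushed route? The tunnel network 172.16.10.0/24 and the address 52.4.131.46 are the thread's values; the second DNS answer (a TEST-NET-2 address), the WAN interface name em0, and the 10.10.0.0/24 exclusion are constructed or assumed and labelled as such in the code. One caveat: an nginx default page on the bare IP only means that server selects sites by name (Host header / SNI); it does not by itself show that the address is wrong. What decides whether the site sees the campus WAN IP is whether the address the client actually resolves rilm.org to is inside a pushed route, and if the name resolves to several addresses, or to a different one than the /32 pushed, that route is never used.

```python
"""Added example (not pfSense or OpenVPN project code): helpers for the
split-tunnel setup discussed in this thread.

Assumptions, all labelled: 172.16.10.0/24 and 52.4.131.46 are the values
quoted in the thread; the second DNS answer below is a constructed TEST-NET-2
address used only to show the failure mode where a name resolves to an
address that no pushed route covers."""
import ipaddress
import socket
from typing import Iterable, List


def push_route_lines(local_networks: Iterable[str]) -> List[str]:
    """Server-side directives equivalent to one pfSense 'IPv4 Local networks' entry each.

    Every entry becomes a push "route <network> <netmask>" for the clients. No
    redirect-gateway def1 is emitted, so everything else stays on the client's
    own default route (the 'uncheck Redirect gateway' step in the thread)."""
    lines = []
    for entry in local_networks:
        net = ipaddress.ip_network(entry, strict=False)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def client_route_line(network: str, via: str = "vpn_gateway") -> str:
    """Client-side 'route' directive in the form quoted in the thread.

    via is 'vpn_gateway' (send through the tunnel; OpenVPN's default when the
    gateway field is omitted) or 'net_gateway' (keep on the client's own
    Internet connection, i.e. exclude it from the tunnel)."""
    if via not in ("vpn_gateway", "net_gateway"):
        raise ValueError("via must be vpn_gateway or net_gateway")
    net = ipaddress.ip_network(network, strict=False)
    return f"route {net.network_address} {net.netmask} {via}"


def outbound_nat_rule(tunnel_network: str, wan_if: str) -> str:
    """pf rule equivalent to the outbound NAT rule for the tunnel subnet:
    tunnel clients leave the campus WAN with its static address. pfSense
    generates its own rules from the GUI with more options; wan_if is assumed."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    return f"nat on {wan_if} from {net} to any -> ({wan_if})"


def uncovered_addresses(resolved: Iterable[str], local_networks: Iterable[str]) -> List[str]:
    """Addresses a name resolves to that fall outside every pushed route.

    Such addresses are reached over the client's home connection, i.e. not
    from the campus WAN IP, so the site refuses them. A non-empty result means
    the /32 pushed is not (or is no longer) the address the client uses."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    return [ip for ip in resolved
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def resolve_all(hostname: str) -> List[str]:
    """Live lookup of every IPv4 address for a name (needs network access; the
    demo below uses constructed answers instead so it runs offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


# Constructed DNS answers, not a real lookup: the thread's address plus a
# made-up TEST-NET-2 address standing in for a second record or a later change.
CONSTRUCTED_ANSWERS = {"rilm.org": ["52.4.131.46", "198.51.100.7"]}

LOCAL_NETWORKS = ["52.4.131.46/32"]   # what the thread put into 'Local networks'
TUNNEL_NETWORK = "172.16.10.0/24"     # the thread's VPN client subnet


def demo() -> List[str]:
    out = push_route_lines(LOCAL_NETWORKS)
    # Exclusion in the form of the quoted snippet; 10.10.0.0/24 is its example value.
    out.append(client_route_line("10.10.0.0/24", "net_gateway"))
    out.append(outbound_nat_rule(TUNNEL_NETWORK, "em0"))   # em0 is an assumed WAN name
    missing = uncovered_addresses(CONSTRUCTED_ANSWERS["rilm.org"], LOCAL_NETWORKS)
    out.append(f"not covered by pushed routes: {missing}")
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it to see the push directive that the single "Local networks" entry produces, the exclusion line, the NAT rule, and the constructed address that the /32 does not cover. To run the real check instead of the constructed answers, pass resolve_all("rilm.org") from the client machine into uncovered_addresses, since it is the client's resolver answer, not the server's, that decides which route is taken.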
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.