PFsense OpenVPN Server traffic filtering
-
@neguranegura said in PFsense OpenVPN Server traffic filtering:
I'm not a beginner in PFsense, but I am in OpenVPN. So, how can I do that? I've tried something with an alias, but it didn't work. Thank you.
It has nothing to do with OpenVPN. It's just basic routing and filtering. You want rules that will only allow access to the local network(s).
BTW, once it's connected, a VPN is no different than any other IP connection. IP is IP and behaves exactly the same, no matter the underlying tech.
-
Searching the Internet, I've found this:
With OpenVPN routes it is possible to steer specific traffic:
- redirect all default traffic via the VPN
  redirect-gateway def1
- redirect the Intranet network 192.168.1/24 via the VPN
  route 192.168.1.0 255.255.255.0
- redirect another network to NOT go via the VPN
  route 10.10.0.0 255.255.255.0 net_gateway
- redirect a host using a domain name to NOT go via the VPN
  route www.google.ca 255.255.255.255 net_gateway
So, "net_gateway" would be the user's internet connection / gateway, while "def1" would be the VPN gateway, in my case the campus network gateway. Can I use this in the "Advanced Configuration - Custom options" field to solve my problem? I was thinking of something like this:
route 172.16.10.0 255.255.255.255 net_gateway
route 52.4.131.46 255.255.255.255
Where 172.16.10.0/24 is my VPN clients' network and 52.4.131.46 is the website's IP address.
-
So your OpenVPN server would act like a proxy only for one specific website?
Client > OpenVPN RAS > Website
?
I never tried it, but it could work to only push the webserver IP as a route to your clients. Like 172.217.23.110/32
-Rico
-
@neguranegura
Forget the Custom options stuff, that's all obsolete. Pushing the route to the clients is done by the "Local networks" option. Insert the networks here which you want your clients to reach over the VPN.
So in your case, uncheck "Redirect gateway" and enter (or add, if there are already any there)
52.4.131.46/32
into "Local networks".
If you haven't already done so, you have to add an outbound NAT rule for the VPN tunnel subnet.
-
@Rico : kinda yes, it was more of a proxy problem. I did look into this option, setting pfSense up as a proxy, but it looked a bit more complicated. Plus the hassle of setting that proxy on 10 to 30 computers, so I turned to VPN. Btw, that specific website is outside my campus network, not inside it.
@viragomann : thanks, I will try that tonight
-
@viragomann: it doesn't work. The website needed for access is "https://rilm.org". I did a hostname-to-IP lookup, hoping that it would be enough, but it wasn't. So I need something where I can enter a hostname.
-
Routing doesn't work with hostnames. You need to enter a network as mentioned.
Is the IP address of the webserver dynamic or why else do you want to state the hostname for that?
-
@viragomann I don't think it's dynamic, but if I enter 52.4.131.46 (the IP address found with the hostname-to-IP lookup) instead of "https://rilm.org/" in the browser it does not work; some nginx web server page appears, so most probably there are some configurations in place.
-
Dude, of course you have to enter the URL in the browser.
But you have to enter the network (52.4.131.46/32) into the "IPv4 Local networks" box in the OpenVPN server settings to push the route for that IP to the clients.
-
No, I was talking about the IP address "52.4.131.46" maybe not being the right one for the website "https://rilm.org". So I've set things up like you've said, and after that I've got no internet access, which is a good thing, but it also cuts access to "https://rilm.org", which is a bad thing. The only thing working in the browser, going somewhere, is "52.4.131.46", and it reaches that nginx test page that I was talking about. So, it looks more like a DNS problem now. The DNSes entered here in the options are Google's public ones. I've also tried push "route 192.168.1.0 255.255.255.0" in Advanced Config, to no avail.
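The mechanism discussed in viragomann's post (each CIDR in the OpenVPN server's "IPv4 Local networks" field becomes a `push "route NET MASK"` line sent to clients) and the symptom in the last post (a host route pushed for one looked-up address, yet the site is unreachable) both come down to one question: do the addresses the hostname actually resolves to fall inside the routes the server pushes? The script below is an added example, not code from the thread or from pfSense. It renders Local-networks CIDRs as OpenVPN route directives, parses `route` lines back into networks (a hostname in a route line, like the `www.google.ca` example quoted earlier, is rejected because routing works on addresses, not names), and checks a set of resolved addresses against the pushed routes. The Local-networks string and the resolved addresses are constructed sample input; the second address is hypothetical and is not claimed to belong to rilm.org.

```python
import ipaddress

# Constructed sample of what an admin might type into pfSense's
# "IPv4 Local network(s)" field (assumption, not copied from the thread's setup).
LOCAL_NETWORKS = "192.168.1.0/24, 52.4.131.46/32"

# Constructed sample of addresses a hostname lookup could return. 52.4.131.46 is
# the address quoted in the thread; 52.4.131.47 is a hypothetical second address
# used only to show what an uncovered address looks like.
RESOLVED = ["52.4.131.46", "52.4.131.47"]


def netmask_form(cidr):
    """Render one CIDR as the 'network netmask' pair OpenVPN route directives use."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    return f"{net.network_address} {net.netmask}"


def push_routes(local_networks):
    """Build the push "route ..." lines that correspond to a Local networks field."""
    return [
        f'push "route {netmask_form(cidr)}"'
        for cidr in local_networks.split(",")
        if cidr.strip()
    ]


def parse_route_directive(line):
    """Parse 'route NET MASK [GW]' or push "route NET MASK" into an ip_network.

    Returns None when the target is not an address (e.g. a hostname), since a
    pushed route can only ever match on addresses. A 255.255.255.255 mask always
    yields a single-host (/32) route, whatever the network part looks like.
    """
    text = line.strip()
    if text.startswith("push "):
        text = text[len("push "):].strip().strip('"')
    tokens = text.split()
    if len(tokens) < 3 or tokens[0] != "route":
        return None
    try:
        return ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
    except ValueError:
        return None


def covered(addresses, route_lines):
    """Map each address to the first pushed route that contains it, or None."""
    nets = [n for n in (parse_route_directive(r) for r in route_lines) if n is not None]
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next((str(n) for n in nets if ip in n), None)
    return result


def check_split_tunnel(local_networks, resolved):
    """Return (pushed route lines, coverage map) for a Local networks field."""
    routes = push_routes(local_networks)
    return routes, covered(resolved, routes)


if __name__ == "__main__":
    routes, coverage = check_split_tunnel(LOCAL_NETWORKS, RESOLVED)
    for line in routes:
        print(line)
    for addr, net in coverage.items():
        print(f"{addr}: {'via ' + net if net else 'NOT covered, goes to net_gateway'}")
```

Any address reported as not covered is reached through the client's normal gateway, not the tunnel; if a site has several addresses, or the address you looked up is not the one the browser ends up using, a single /32 in Local networks leaves the rest uncovered. Whether a DNS answer seen from the client matches the one used when the route was configured is a separate check, and one this offline script does not perform.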