1.2.3 RC1: OpenVPN Filtering
-
Is this the new way to do it with 1.2.3+ going forward? I am setting up a site-to-site VPN in the traditional sense, and although the tunnel comes up, routing is getting blocked for clients on either side of the tunnel. I verified all configs several times (a very simple setup using a shared key). The routing table is correct, OpenVPN options are set. This used to work prior to 1.2.3… I am guessing that configuring the interfaces and creating some allow rules is what is needed. Anyone else experience this?
-
The filtering is not required, and would only happen if you assigned the interface, as was done by hand using instructions from this thread.
If you did not assign the tun0 interface yourself as others have done here, you have a different problem and should start a new thread for your issue.
-
Hello,
about this topic, I just want to know something:
when I set up OpenVPN + iptables on a classic install (not pfSense… example: a Debian setup):
I can do the following:
the range 10.8.0.0 can only browse the local network
the range 10.8.1.0 can "go outside to the internet" via the OpenVPN gateway
Will this OPT config permit me to do this type of filtering?
Indeed, I have two user types:
- ones that only have to work on servers via VPN
- others that also need to surf the internet
For both, I apply the "push redirect-gateway def1" directive.
And I fear blocking the second group if I go with OpenVPN/pfSense.
Sincerely
-
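The two-pool split described in the post above, written out as an iptables rule set for a plain Debian OpenVPN host. This is an added example, not from the thread or from pfSense; the interface names (tun0, eth0), the server LAN 192.168.1.0/24 and the /24 pool masks are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two-pool split a Debian
# OpenVPN host can enforce with iptables. Assumed names (not in the
# thread): tun0 = OpenVPN interface, eth0 = internet-facing interface,
# 192.168.1.0/24 = the server LAN, /24 masks on both client pools.
TUN_IF=${TUN_IF:-tun0}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_ONLY_POOL=10.8.0.0/24   # clients that may only reach the servers
FULL_POOL=10.8.1.0/24       # clients that may also go out to the internet

# With DRY_RUN=1 the rules are printed instead of applied, so the
# rule set can be reviewed (or tested) without root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

openvpn_split_rules() {
    # Default-deny forwarding: only the rules below let VPN traffic through.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Both pools may reach the internal server network.
    ipt -A FORWARD -i "$TUN_IF" -s "$LAN_ONLY_POOL" -d "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$TUN_IF" -s "$FULL_POOL" -d "$LAN_NET" -j ACCEPT
    # Only the second pool may leave through the internet-facing interface,
    # and it needs source NAT there (the step a later post in this thread
    # says pfSense does not add on its own for OpenVPN).
    ipt -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$FULL_POOL" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$FULL_POOL" -j MASQUERADE
    # Everything else from the tunnel, including internet-bound traffic that
    # "redirect-gateway def1" sends here from the LAN-only pool, is logged
    # and dropped, so the restriction stays visible in the logs.
    ipt -A FORWARD -i "$TUN_IF" -j LOG --log-prefix "ovpn-drop: "
    ipt -A FORWARD -i "$TUN_IF" -j DROP
}

# Print the rule set without applying it; call openvpn_split_rules as
# root to apply it for real.
dry_rules() {
    ( DRY_RUN=1; openvpn_split_rules )
}
```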
-
I didn't manage to do it within pfSense…
But I'm lucky and, hopefully, it's enough for my needs:
my pfSense box is behind a main gateway.
In this main gateway, I could filter the OpenVPN range to block internet browsing from this range....
But I have other pfSense boxes with the WAN port directly connected behind the DSL modem.... and I really don't know how to do it in that situation...
Thank you,
Sincerely,
-
one detail:
I could do this because the OpenVPN traffic goes out via the WAN interface and, at the main gateway level, I could block the OpenVPN range…
well, it works...
but I can't understand the pfSense FAQ (well, I know that anyone has to RTFM a lot before posting ;D ):
"For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON."
I never enabled AON and the OpenVPN traffic automatically went out via WAN (which permitted me to block the OpenVPN range at the main gateway)…
Or perhaps I didn't understand what the FAQ meant ;)
Sincerely,
-
The automatic NAT rules:
NAT all private subnets which are directly reachable (local NICs) or defined via a static route to the WAN.
Except for OpenVPN. If you want to access the internet over the OpenVPN connection via the pfSense, you need to NAT the OpenVPN subnet to the WAN.
This doesn't happen automatically, so you need to create a rule manually.
What you describe:
You have another router in front of the pfSense which does the NATing for you.
-
Let me verify that I've understood well:
by default, any OpenVPN traffic can't go outside via the WAN….
I've managed it because the main gateway, plugged into the WAN port, does it for me??
two last points:
- in a classic configuration (pfSense WAN => ISP modem), I can do it but need to enable AON (and if I understood the documentation, enabling AON impacts all the rest and I need to manually edit outbound NAT for each traffic?)?
- in pfSense 2.x: an OpenVPN interface will appear (as IPsec and PPTP have), won't it? If so, no more need to enable AON (well, playing a little with firewall rules on the OpenVPN interface)?
Thank you very much for this explanation,
Sincerely,
-
-
This is great news, I was desperate for OpenVPN filtering. The only issue is that when I add the interface described in step 2 the DHCP service stops and refuses to start. After a short while I get the message "XML error: OPTXXXX at line 123 cannot occur more than once" when opening the web interface and I'm locked out until I manually modify the XML file and remove the interface.
Any thoughts? I'm running pfSense-1.2.3-4g-20090721-2324-nanobsd.img.gz on ALIX.
UPDATE: I've tried this again and it seems to be working now. GREAT STUFF
-
To be stickied!
-
- Go to Interfaces > OPTx (you just created) and assign an IP. I typically use the IP address that OpenVPN defaults to when you first create your VPN (x.x.x.1). I've used both /24 and /32 as the subnet with success. I agree with jimp that you could probably put anything in here.
You should actually set this to "none" here instead. It's a shortcut that will just not assign an IP, instead of using an invalid one.