OpenVPN firewall rules?

Jarhead

Trying to limit access to a VPN.
I have a site to site shared key openvpn setup, all working as intended.
I need to restrict access across the vpn to two IP's. From client side to server side. Pass all other client ip's.
Trying to setup some rules to do this but nothing is making any difference. Starting to think the openvpn firewall rules don't apply to site-site, is that the case?
Is it possible to block two ip's from accessing the vpn?

Not worried about people changing ip's or anything like that.
Thanks.

Rico

Firewall Rules are working fine for S2S VPNs, you must have something wrong in your config.
Best is to show us your Setup and Rules via Screenshots.
Do you have the OpenVPN S2S Interface added and configured Firewall Rules there? Common mistake is to still have other Rules like any-any on the OpenVPN group tab....those are processed before the Interface Rules.

-Rico

Jarhead

S2S interface?
Not sure if I need to add the interface but I can try that.
I initially had a RW server setup which created an "openvpn" tab on firewall rules. I was always under the impression that covered all openvpn instances, is that wrong? I then added the s2s instance.
If I add the s2s interface, I'm assuming that would add another firewall rules tab, is that wrong?

Right now I have no rules on the openvpn tab and it still connects fine so there's definitely something wrong.

Rico

You don't need to add the OpenVPN Interface, that is totally optional (https://docs.netgate.com/pfsense/en/latest/book/openvpn/assigning-openvpn-interfaces.html).
The OpenVPN group tab is covering any OpenVPN Instance. As already said, show your configuration.

-Rico

Jarhead

Got it figured out.
Learn something new everyday.
I was testing it by pinging from 3 pc's each on a different network
I would make a new rule, and wait for the pings to stop, they never did. Didn't understand why, then I decided to restart the openvpn service after making a rule and the rule worked.
Didn't think the service would need to be restarted for the rules to apply.

Rico

You don‘t need to restart the service but kill states.

-Rico

Jarhead

Shouldn't have to do either. The states should be reset when creating the rules.

Rico

https://docs.netgate.com/pfsense/en/latest/book/monitoring/firewall-states-reset.html

-Rico