Netgate Discussion Forum
    OpenVPN firewall rules?

    8 Posts 2 Posters 658 Views
    Jarhead

      Trying to limit access to a VPN.
      I have a site to site shared key openvpn setup, all working as intended.
      I need to restrict access across the VPN to two IPs, from client side to server side. Pass all other client IPs.
      Trying to set up some rules to do this but nothing is making any difference. Starting to think the OpenVPN firewall rules don't apply to site-to-site, is that the case?
      Is it possible to block two IPs from accessing the VPN?

      Not worried about people changing IPs or anything like that.
      Thanks.

      Rico

        Firewall rules are working fine for S2S VPNs, you must have something wrong in your config.
        Best is to show us your setup and rules via screenshots.
        Do you have the OpenVPN S2S interface added and configured firewall rules there? A common mistake is to still have other rules like any-any on the OpenVPN group tab. Those are processed before the interface rules.

        -Rico

        Jarhead

          S2S interface?
          Not sure if I need to add the interface but I can try that.
          I initially had an RW server setup which created an "OpenVPN" tab on firewall rules. I was always under the impression that covered all OpenVPN instances, is that wrong? I then added the S2S instance.
          If I add the S2S interface, I'm assuming that would add another firewall rules tab, is that wrong?

          Right now I have no rules on the OpenVPN tab and it still connects fine, so there's definitely something wrong.

          Rico

            You don't need to add the OpenVPN interface, that is totally optional (https://docs.netgate.com/pfsense/en/latest/book/openvpn/assigning-openvpn-interfaces.html).
            The OpenVPN group tab covers any OpenVPN instance. As already said, show your configuration.

            -Rico

            Jarhead

              Got it figured out.
              Learn something new every day.
              I was testing it by pinging from 3 PCs, each on a different network.
              I would make a new rule and wait for the pings to stop; they never did. Didn't understand why, then I decided to restart the OpenVPN service after making a rule and the rule worked.
              Didn't think the service would need to be restarted for the rules to apply.

              Rico

                You don't need to restart the service, just kill the states.

                -Rico

                Jarhead

                  Shouldn't have to do either. The states should be reset when creating the rules.

                Rico

                    https://docs.netgate.com/pfsense/en/latest/book/monitoring/firewall-states-reset.html

                    -Rico

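The two mechanisms behind this thread, the OpenVPN group tab being evaluated before an assigned-interface tab and an existing state bypassing rule evaluation until it is killed, are easy to see in a small stateful-filter model. The following is an added example written for this page, not code from pfSense, Netgate or the posters; it is a deliberately simplified model of first-match, stateful filtering, and the tab name `ovpns1` and the addresses `10.0.1.5`, `10.0.1.6` and `192.168.1.10` are constructed for the walkthrough.

```python
from dataclasses import dataclass, field

# Evaluation order of rule tabs as described in the thread: the OpenVPN group
# tab is processed before an assigned OpenVPN interface tab.
# "ovpns1" is a hypothetical assigned-interface name chosen for this example.
TAB_ORDER = {"openvpn": 0, "ovpns1": 1}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # source IP or "any"
    dst: str      # destination IP or "any"
    tab: str      # which rules tab the rule lives on

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


@dataclass
class StatefulFilter:
    rules: list = field(default_factory=list)
    states: set = field(default_factory=set)   # (src, dst) pairs with an open state

    def ordered_rules(self):
        # Stable sort keeps rule order within a tab; group tab rules come first.
        return sorted(self.rules, key=lambda r: TAB_ORDER[r.tab])

    def check(self, src: str, dst: str) -> str:
        # A packet matching an existing state is never evaluated against rules,
        # which is why a newly added block rule seems to do nothing.
        if (src, dst) in self.states:
            return "pass:state"
        for rule in self.ordered_rules():
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))  # pass rules create state
                return rule.action
        return "block"  # implicit default deny

    def kill_states(self, host: str) -> int:
        # Model of killing the states for one host; returns how many were removed.
        before = len(self.states)
        self.states = {s for s in self.states if host not in s}
        return before - len(self.states)


def walkthrough() -> dict:
    """Replays the thread's situation step by step and records each outcome."""
    fw = StatefulFilter()
    fw.rules.append(Rule("pass", "any", "any", "openvpn"))   # leftover any-any on group tab
    client, server = "10.0.1.5", "192.168.1.10"              # constructed sample addresses
    result = {}

    result["initial_ping"] = fw.check(client, server)          # pass, state created
    fw.rules.append(Rule("block", client, "any", "ovpns1"))    # block added on interface tab
    result["block_on_iface_tab"] = fw.check(client, server)    # still passes via state
    fw.kill_states(client)
    result["after_kill_iface_tab"] = fw.check(client, server)  # group any-any still wins
    fw.rules.insert(0, Rule("block", client, "any", "openvpn"))  # block above any-any on group tab
    result["block_on_group_tab"] = fw.check(client, server)    # state was recreated, still passes
    result["states_killed"] = fw.kill_states(client)           # 1 state removed
    result["after_kill_group_tab"] = fw.check(client, server)  # now blocked
    result["other_client"] = fw.check("10.0.1.6", server)      # other clients still pass
    return result


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:24s} {outcome}")
```

The walkthrough shows both lessons from the thread: a block rule placed on the assigned-interface tab is never reached while an any-any pass rule remains on the group tab, and even a correctly placed block rule has no effect on a flow that already has a state until that state is killed (Diagnostics > States in pfSense, as linked in the last reply; on the shell, pf's `pfctl -k <host>` kills the states involving that host).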
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.