How to restrict OpenVPN traffic

    qwaven, Sep 5, 2020, 6:01 PM (last edited by qwaven Sep 5, 2020, 6:08 PM)

    Hi there,

    I am wondering if someone is able to help me understand how I can restrict incoming OpenVPN remote access traffic.

    I literally just want to have a remote VPN connection that only is able to use my WAN/internet. I do not want any access other than that working and should be actively denied.

    I ran the wizard to create the configuration for remote access. This seems fine, I can connect fine.

    During the wizard I left out the option to push any networks. I selected the option to tunnel all traffic through the VPN and provided an external DNS server.

    I let it create the firewall rules which did not work. There seems to be a separate issue with my firewall that rules on my WAN interface do not work. I need to create floating rules for them to take effect. Any ideas? I can live with this for now.

    I've tried creating block rules on the OpenVPN interface and floating rules on all interfaces to deny traffic but nothing seems to actually work.

    If I open my browser and type one of my internal firewall interface IPs, I can reach my firewall login page just fine. (not desired)

    It does appear that this is the only thing accessible. I do not believe internal servers past the firewall are reachable. (this is desired)
    It is possible that is because I am not pushing the route?

    Anyway hoping someone can help me understand how to control access from users being able to reach the firewall management page as well as perhaps being able to put more granular rules in later.

    Cheers!

      viragomann @qwaven, Sep 6, 2020, 3:34 PM

      @qwaven said in How to restrict OpenVPN traffic:

      I let it create the firewall rules which did not work. There seems to be a separate issue with my firewall that rules on my WAN interface do not work. I need to create floating rules for them to take effect. Any ideas? I can live with this for now.

      There is no need to handle that by floating rules.
      Don't know what you have done, so no way to estimate.

      @qwaven said in How to restrict OpenVPN traffic:

      but nothing seems to actually work.

      Can you specify the issue?

      Basically that's quite simple:

      @qwaven said in How to restrict OpenVPN traffic:

      I selected the option to tunnel all traffic through the VPN and provided an external DNS server.

      That's one part.

      Assuming you're only using RFC1918 networks internally, add an alias, call it RFC1918 and add all RFC1918 networks to it.
      Then add a firewall pass rule to the proper OpenVPN interface, set the protocol to TCP/UDP or any if needed, at destination check "invert match" and enter the RFC1918 alias.
      This rule then will allow access to any but RFC1918. Remove all other rules from that tab. Done.

      However, you have to consider:
      Floating rules or rules on the OpenVPN tab (interface group) have priority over rules on an interface tab. So you have to take care that such rules don't match if you have some present.
      The OpenVPN tab is an interface group containing all OpenVPN instances (servers and clients) you're running. So if you're running multiple instances, you may have to assign interfaces to them to set distinct rules for them.

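As an added illustration (not part of viragomann's post or of pfSense itself), the rule set described above modelled in Python: an RFC1918 alias, one pass rule on the assigned OpenVPN interface with the destination inverted, and pfSense's evaluation order (floating, then the OpenVPN group tab, then the interface tab), so the floating-rule caveat can be checked as well. The interface name OVPN_RA and the tunnel network 10.8.0.0/24 are constructed sample values.

```python
# Added example: a small model of the pfSense rule set described in the post.
# Alias RFC1918 + one pass rule on the OpenVPN interface with "invert match"
# on the destination. Interface name and addresses are constructed samples.
from dataclasses import dataclass, field
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUNNEL = [ipaddress.ip_network("10.8.0.0/24")]   # constructed VPN tunnel network


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    tab: str                      # "floating", "openvpn" (group) or interface name
    proto: str = "any"            # "any", "tcp", "udp" or "tcp/udp"
    src: list = field(default_factory=list)   # networks; empty means any
    dst: list = field(default_factory=list)   # networks; empty means any
    dst_invert: bool = False      # pfSense "invert match" on the destination

    def matches(self, proto, src, dst):
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if self.src and not any(src in n for n in self.src):
            return False
        in_dst = not self.dst or any(dst in n for n in self.dst)
        return in_dst != self.dst_invert   # invert flips the destination test


def evaluate(rules, proto, src, dst, iface="OVPN_RA"):
    """pfSense order: floating, then the OpenVPN group tab, then the assigned
    interface tab. All rules are treated as 'quick' (first match wins), which
    is the default for interface rules; the default is deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tab in ("floating", "openvpn", iface):
        for rule in rules:
            if rule.tab == tab and rule.matches(proto, src, dst):
                return rule.action
    return "block"


# The rule set from the post: only one rule on the assigned OpenVPN interface.
RULES = [Rule("pass", "OVPN_RA", "any", TUNNEL, RFC1918, dst_invert=True)]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.1"):
        print(dst, evaluate(RULES, "tcp", "10.8.0.2", dst))
    # The caveat from the post: a "pass any" floating rule is evaluated first and wins.
    leaky = [Rule("pass", "floating")] + RULES
    print("with floating pass:", evaluate(leaky, "tcp", "10.8.0.2", "192.168.1.1"))
```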
        qwaven, Sep 6, 2020, 4:54 PM (last edited by qwaven Sep 6, 2020, 4:57 PM)

        Hi viragomann,

        Thanks for the reply.

        Will try and answer your questions.

        In regards to floating rules. There is likely something else going on with the firewall. I had a previous issue where NAT redirects would not work until I created a floating rule. I never got an answer to why but I suspect the same reason is why I needed to create floating rules for OpenVPN.

        I have no idea where to look/investigate this further. I don't have a lot going on firewall wise. Happy to post more if you think it should be investigated more.

        To clarify, in terms of OpenVPN:
        I disabled the automatically generated OpenVPN rule found on the WAN interface (as it was doing nothing).
        I created basically a copy of it but as a floating rule:

        tcpv4, any source, any port, dest WAN Address, port 1194 (OpenVPN), ...rest are default/empty

        Previously I did not have a VPN-specific interface assigned.
        When I tried to create one, the firewall seems to have treated it as the main LAN interface and put the anti-lockout rules there. ??
        I removed it. Created a dummy interface called LAN. The same anti-lockout rules were added.
        I created, again, the VPN interface, no anti-lockout this time.
        Noticed my VPN stopped working completely; well, I can connect to it, but I cannot go anywhere.
        Added a rule to permit IPv4 from my VPN subnet, to any dest, any port.
        Still cannot do anything.

        Yes to clarify the VPN users are assigned a 192... address.

        Any ideas?

        Thanks!

          Bob.Dig (LAYER 8) @qwaven, Sep 6, 2020, 5:04 PM (last edited by Bob.Dig Sep 6, 2020, 5:11 PM)

          @qwaven So pfSense is not your main Router but probably in a NAT Situation behind a private network?

            qwaven @Bob.Dig, Sep 7, 2020, 12:04 AM

            @Bob-Dig said in How to restrict OpenVPN traffic:

            @qwaven So pfSense is not your main Router but probably in a NAT Situation behind a private network?

            Thanks for the reply. No, pfSense is the only router/firewall.

            Cheers!

              qwaven, Sep 9, 2020, 2:25 PM

              Any further thoughts?

                JeGr (LAYER 8, Moderator), Sep 9, 2020, 3:20 PM (last edited by JeGr Sep 9, 2020, 3:25 PM)

                @qwaven said in How to restrict OpenVPN traffic:

                In regards to floating rules. There is likely something else going on with the firewall. I had a previous issue where NAT redirects would not work until I created a floating rule. I never got an answer to why but I suspect the same reason is why I needed to create floating rules for OpenVPN.

                Then you have bigger issues. There's no reason why some NAT redirect would require a floating rule.

                I disabled the automatically generated openvpn rule found on the WAN interface. (as it was doing nothing)

                Em.. yes it is. It allows access to the OpenVPN server from the internet? If you don't have that one, how the hell should one connect to your OVPN Server on pfSense from the outside world?

                I created basically a copy of it but as a floating rule

                You shouldn't. That's bonkers. The rule was created there for a reason (by the wizard, I assume).

                tcpv4, any source, any port, dest WAN Address, port 1194 (OpenVPN), ...rest are default/empty

                Why TCP? OVPN is UDP by default.

                Without showing screenshots of your configuration, there'll be nothing we can do to help other than guessing, as you don't provide that much intel about your configuration, setup and rules.

                I'd need at least

                • WAN Interface config
                • Interface assignment (do you have OVPN interfaces assigned)
                • NAT - Port Forwards, Outbound NATs and 1:1 NATs to narrow down problems
                • Rules - Rules from Float, WAN, OpenVPN & if you have an ovpn interface assigned that one too
                • OVPN server configuration

                I think that's it. Without that, all other help is like reading a magic-8-ball. :)

                Cheers
                \jens

                Edit:

                When I tried to create one. The firewall seems to have treated it as the main LAN interface and put the anti lockout rules there. ??

                I removed it. Created a dummy interface called LAN. The same anti lockout rules were added.

                I created, again the VPN interface, no anti lockout this time.

                I read that only after I sent my message. WTF? You don't have a LAN configured? You only have a WAN? You said earlier in the thread, that pfSense is your only router. So how are you running a "router" of any kind, if you didn't have a LAN setup before and your WAN was the only interface? What are you trying to build here? No wonder you had problems with redirects and such, if you didn't have a LAN configured. There's some red bold help text that reads "without having a LAN, pfSense is NOT ROUTING anything". So by adding the VPN interface you activated routing mode for the first time. Before PF was NOT active at all as there was no second interface to route with. So it's no wonder you have that all configured backwards.

                Are you trying to setup pfSense as a VPN-Gateway kind of thing like your own external VPN access provider? Then you'd have to go a slightly different route to set it up in the first place. The "dummy"-LAN isn't such a bad idea then after all, but that kinda setup needs a bit more fine-tuning. It's possible but not "run out of the box" kind of easy.

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  qwaven, Sep 9, 2020, 4:22 PM

                  Hi JeGr,

                  Thanks for the reply.

                  Yes it does seem like there is something else not working properly with the firewall rules. I never was able to understand why my PFSense is acting this way. Previously I had tried to open ports w/ NAT to two identical servers and was never able to get that working with the auto generated rules. Currently they are working fine with either NAT Pass (no rule) or floating rules. ---but this is kinda a different topic.

                  Same result appears to be for the OpenVPN rules. The one that was created automatically on the WAN interface does not appear to ever be used.
                  Just for the sake of argument I went and disabled my floating rule, and enabled the auto generated rule.
                  Result:
                  I can no longer connect to my OpenVPN server at all.

                  Disable the auto generated rule, enable the floating rule
                  Result:
                  Immediately I am able to connect to my OpenVPN server (but I cannot do anything)

                  There was a typo. I meant IPv4 not TCPv4. Basically allowing anything except IPv6.

                  The rules:
                  Floating: (screenshot not included)
                  Auto generated (currently disabled): (screenshot not included)

                  So I'm going to try and clarify the interfaces I have next.

                  I do have a LAN, several actually.

                  WAN: PPPoE connection
                  LAN: This is the dummy one I just created. Assigned it a dummy IP also.
                  5 other interfaces that connect to various other active networks (internal) <-- these would be treated as LAN
                  I then have OpenVPN interfaces, we'll call them A and B.
                  Interface A, this is a VPN I used to use to connect out to a third party provider. I would use a redirection rule for some traffic to use this as the gateway. It worked fine before. Currently that gateway is disabled.
                  Interface B, this is the newly created interface. Recall, before creating this I could at least reach Google from my new VPN config. Since adding I cannot do anything at all other than connect.

                  Hopefully that ^ explains, if not let me know.

                  Nat rules:

                  Under port forward I just have the two rules for the two servers I mentioned at the top of this post. They do not have anything to do with OpenVPN and will omit.

                  1:1 rules = nothing there

                  Outbound:

                  Hybrid Outbound NAT rule generation.
                  (Automatic Outbound NAT + rules below)

                  Then I see rules like this, one for each network. There are also some for the redirection/gateway created for OpenVPN interface A. (screenshot not included)

                  Then for automatic rules there is the typical ones
                  Interface WAN, source of all my internal networks, source port any destination any port 500 NAT Address is my WAN address - auto created rule ISAKMP...
                  Interface WAN, source of all my internal networks, source port any destination any port any NAT Address is my WAN address - auto created rule...

                  OpenVPN Config

                  Under Servers I just have the one we're trying to get working. (screenshot not included)

                  As the OpenVPN server config page is quite large, I will try and list just what I have set.

                  auth is backend local database, over udp, using tun layer 3. Is on my WAN interface with the default port 1194

                  I have TLS with TLS authentication

                  I am using a local CA+certificate on PFSense.

                  I have a tunnel network set, same as the one listed in the screenshot above.

                  Nothing for IPv6 (I do not use IPv6)

                  Redirect IPv4 gateway is checked to Force all client-generated IPv4 traffic through the tunnel.

                  Under client settings I have: (screenshot not included)

                  Advanced client:
                  I provide some public DNS servers, nothing else set

                  Advanced: (screenshot not included)

                  Hopefully I got it all, if I missed something let me know.

                  Cheers!

                    JeGr (LAYER 8, Moderator), Sep 9, 2020, 4:28 PM (last edited by JeGr Sep 9, 2020, 4:30 PM)

                    OK I'm trying to see that through from the top.

                    WAN PPPoE
                    LAN dummy
                    5 other interfaces

                    Were those interfaces there when you set the system up, or did they come later on? As said, if you install pfSense without a LAN first, pf doesn't work. Only after adding the LAN (that is internally called lan, not optX) is routing and firewalling really enabled!

                    Before I go deeper in your post with details about OVPN or others: could you show me the interface assignment screen and how wan/lan are configured? I somehow sense a deeper problem in the whole setup if all parts like the filtering, rules, nat etc. behave THAT strange :)

                    Also did you configure anything in System>Advanced in Firewall&NAT section especially?


                      qwaven @JeGr, Sep 9, 2020, 8:49 PM (last edited by qwaven Sep 9, 2020, 9:01 PM)

                      @JeGr said in How to restrict OpenVPN traffic:

                      OK I'm trying to see that through from the top.

                      WAN PPPoE
                      LAN dummy
                      5 other interfaces

                      Were those interfaces there when you set the system up or did they come later on? As said if you install pfSense without a LAN first, pf doesn't work. Only after adding the lan (that is internally called lan, not optX) is routing and firewalling really enabled!

                      Before I go deeper in your post with details about OVPN or others: could you show me the interface assignment screen and how wan/lan are configured? I somehow sense a deeper problem in the whole setup if all parts like the filtering, rules, nat etc. behave THAT strange :)

                      Also did you configure anything in System>Advanced in Firewall&NAT section especially?

                      I honestly cannot recall how the interfaces originally were created. It has been operating fine otherwise mostly for quite some time.
                      My guess is that I setup a very basic PFSense WAN/LAN setup.
                      Created the other interfaces
                      Removed the LAN interface once it was working as I did not require it.

                      Interfaces
                      Note: re-added this with more information... (screenshot not included)

                      Firewall & NAT
                      Taking a look at the Firewall & NAT page, I am not really seeing anything that stands out as 'modified', with the exception of perhaps the NAT section since I am using hybrid.

                      I will post a few screenshots. (screenshots not included)

                      The rest is all blank.

                      Cheers!

                        qwaven, Sep 11, 2020, 9:16 PM

                        Any further input?

                        Cheers!

                          JeGr (LAYER 8, Moderator), Sep 13, 2020, 2:12 PM

                          Sorry, currently away from home and in a project; hope I can jump back in next week, but anyone else may jump in anytime!


                            qwaven @JeGr, Sep 14, 2020, 6:42 PM

                            @JeGr said in How to restrict OpenVPN traffic:

                            sorry, currently away from home and in project, hope I can jump back in next week, but anyone else may jump in anytime!

                            Ok no problem, thanks for the reply.

                            Let me know if you have any thoughts when you're able.

                            Cheers!

                              akuma1x, Sep 14, 2020, 7:50 PM (last edited by akuma1x Sep 14, 2020, 9:14 PM)

                              That screenshot with your interface names and MAC addresses all masked out is really gonna hurt us when it comes to helping you with your posted problem. None of that is "super secret proprietary data" that anybody can do anything with.

                                qwaven @akuma1x, Sep 17, 2020, 1:06 AM

                                @akuma1x

                                It's more that I did not want some of the naming / descriptions public, none of which should matter for troubleshooting.

                                Cheers!
