Netgate Discussion Forum

    OPENVPN client-to-client firewalling not working

    Firewalling
    8 Posts 4 Posters 754 Views
    • Alban
      last edited by

      Hi

      I would like to create a setup where I have 10 openvpn clients connected to PFS, without site to site traffic, and an 11th one able to reach the 10 clients.

      So I have created a VPN server, where all the clients can exchange traffic together, thinking that I will be able to filter traffic using the firewall.

      But even if I do a rule to block all traffic on the openvpn section (all/all/reject), the traffic between my clients is still passing!

      As I want one client to be able to reach all the other clients, I select 'Allow communication between clients connected to this server'.

      Does it mean that the FW is not able to filter traffic between clients?

      Thanks for your help,

      • kiokoman LAYER 8
        last edited by kiokoman

        that's right, the firewall can't do anything if the clients are on the same interface
        'Allow communication between clients connected to this server' it's your only option
        😁

        you can create a different VPN server for each client

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • Pippin
          last edited by Pippin

          @kiokoman

          the firewall can't do anything if the clients are on the same interface

          Are you sure about that?
          Works fine in Linux.

          If Inter client communication (--client-to-client) is selected, the packets between clients are never exposed to pfSense.
          They stay "inside" the OpenVPN process, hence no firewalling can be done.
          Follow the flow, see purple line: https://community.openvpn.net/openvpn/wiki/HowPacketsFlow

          With Inter client communication not selected, following the flow you'll see that packets are going from OpenVPN to the tun interface and back to OpenVPN.
          So that is where (on tun interface) you want to place your rules.

          Do not select Inter client communication.
          Assign an interface to the server instance (I always do).
          On the new interface traffic can now be regulated.
          Should work just fine.

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

          • kiokoman LAYER 8
            last edited by

            Really sorry!! 😖 That's right, I didn't think about it.
            if you assign an interface the traffic can be regulated.


            • Pippin
              last edited by

              We cannot think of everything all the time ;)


              • Rico LAYER 8 Rebel Alliance
                last edited by

                Same works with the OpenVPN group Interface.

                -Rico

                • Alban
                  last edited by

                  So, following our discussion, I have made several tests, and with Inter Client Communication I am able to filter now with 'Allow communication between clients...'.

                  So my instance:


                  My VPN is VPN AUDIOPRO, but I had to create an OPT1 instance to make it work... and I don't really understand why... and what OPT1 is.


                  Many thanks for your help !

                  • kiokoman LAYER 8
                    last edited by kiokoman

                    From what I can understand, the interface is assigned but not enabled.
                    You should have LAN and OPT1 interfaces available under the firewall rules tab.
                    Check the flag "Enable" in the interface settings.

                    "After assigning the OpenVPN interface, edit the OpenVPN server or client and click Save once there as well to reinitialize the VPN. This is necessary for the VPN to recover from the assignment process." <- the OpenVPN server will stop working until you restart it after enabling the interface; pay attention if you are doing it from a remote location.

                    https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html#filtering-with-openvpn


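Pippin's explanation (with "client-to-client" set, packets between clients stay inside the OpenVPN process; without it they cross the tun interface, which is where pf can see them) and kiokoman's pointer to filtering on the assigned interface can both be checked from a shell. The script below is an added example written for this page, not code from the thread, from pfSense or from OpenVPN. It greps a server config for the client-to-client directive and emits the pf rules one would put on the assigned interface: first-match "quick" rules that let one designated client open connections to the rest of the tunnel and reject every other client-to-client connection. The tunnel network 10.8.0.0/24, the designated client's address 10.8.0.11 (which assumes that client is pinned to a fixed tunnel address, for example with a client-specific override) and the interface name ovpns1 are hypothetical values chosen for illustration; both sample configs are constructed inline.

```shell
#!/bin/sh
# Added example for this thread; not code from pfSense, OpenVPN or the posters.
# Assumptions (hypothetical values): tunnel network 10.8.0.0/24, the client
# that may reach the others is pinned to 10.8.0.11, assigned interface ovpns1.

# Return 0 when packets between clients reach the tun interface (so pf can
# filter them), 1 when "client-to-client" keeps them inside the OpenVPN
# process where no firewall rule ever sees them.
ovpn_filterable() {
    if grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$1"; then
        return 1
    fi
    return 0
}

# Emit pf rules for the assigned OpenVPN interface. pf evaluates "quick"
# rules top-down, first match wins: allow the designated client to open
# connections to the rest of the tunnel, then reject (block return) any
# other client-to-client traffic. Replies to the allowed connections ride
# the state entry, so the reject only hits new connections started by the
# other clients.
#   $1 interface, $2 designated client, $3 tunnel network
pf_rules() {
    printf 'pass in quick on %s inet from %s to %s keep state\n' "$1" "$2" "$3"
    printf 'block return in quick on %s inet from %s to %s\n' "$1" "$3" "$3"
}

# Constructed sample configs, written to a temp directory whose path is printed.
# weak.conf is what a server with "Allow communication between clients
# connected to this server" checked would contain; fixed.conf drops it.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
EOF
    cat > "$dir/fixed.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
EOF
    echo "$dir"
}

# Stand-alone demonstration over both sample configs.
demo() {
    dir=$(write_samples)
    for f in weak fixed; do
        if ovpn_filterable "$dir/$f.conf"; then
            echo "$f.conf: inter-client traffic reaches the tun interface; rules for the assigned interface:"
            pf_rules ovpns1 10.8.0.11 10.8.0.0/24 | sed 's/^/    /'
        else
            echo "$f.conf: client-to-client set; inter-client traffic never reaches pf"
        fi
    done
    rm -r "$dir"
}

demo
```

On a pfSense box the same check is a grep of the generated server config under /var/etc/openvpn/ for client-to-client, and the equivalent of the emitted rules is built in the GUI on the assigned interface's tab (a pass rule for the designated client's tunnel address to the tunnel network, followed by a reject rule for the tunnel network to itself). Rules on the OpenVPN group tab apply to all OpenVPN instances, so per-instance policy belongs on the assigned interface.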
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.