OPENVPN client-to-client firewalling not working



  • Hi

    I would like to create a setup where I have 10 openvpn clients connected to PFS, without site to site traffic, and an 11th one able to reach the 10 clients.

    So I have created a VPN server, where all the clients can exchange traffic together, thinking that I will be able filter traffic using the firewall.

    But even if I do a rule to block all traffic on the openvpn section (all/all/reject), the traffic between my clients is still passing !

    As I want one client to be able to reach all the other clients I select : 'Allow communication between clients connected to this server'

    Does it means that the FW is not able to filter traffic between clients ?

    Thanks for your help,


  • LAYER 8

    that's right, the firewall can't do anything if the clients are on the same interface
    'Allow communication between clients connected to this server' it's your only option
    😁
    1602322569656-device.jpg

    you can create different VPN server for each client



  • @kiokoman

    the firewall can't do anything if the clients are on the same interface

    Are you sure about that?
    Works fine in Linux.

    If Inter client communication (--client-to-client) is selected, the packets between clients are never exposed to pfSense.
    They stay "inside" the OpenVPN process, hence no firewalling can be done.
    Follow the flow, see purple line: https://community.openvpn.net/openvpn/wiki/HowPacketsFlow

    With Inter client communication not selected, following the flow you'll see that packets are going from OpenVPN to the tun interface and back to OpenVPN.
    So that is where (on tun interface) you want to place your rules.

    Do not select Inter client communication.
    Assign an interface to the server instance (I always do).
    On the new interface traffic can now be regulated.
    Should work just fine.


  • LAYER 8

    really sorry !! 😖 , that's right, didn't think about it
    if you assign an interface the traffic can be regulated.



  • We can not think of all, all the time ;)


  • LAYER 8 Rebel Alliance

    Same works with the OpenVPN group Interface.

    -Rico



  • So, following our discussion, i have made several tests, and with Inter Client Communication, I am able to filter now with 'Allow communication between clients...'

    So my instance :

    alt text

    My VPN is VPN AUDIOPRO, but I had to create OPT1 instance to make it works ... and I don't really understand why ... and what is OPT1

    alt text

    Many thanks for your help !


  • LAYER 8

    from what I can understand the interface is assigned but not enabled
    you should have LAN and OPT1 interface available under the firewall rules tab
    Check the flag "Enable" in the interface settings

    After assigning the OpenVPN interface, edit the OpenVPN server or client and click Save once there as well to reinitialize the VPN. This is necessary for the VPN to recover from the assignment process. <- the openvpn server will stop working until you restart it after enabling the interface, pay attention if you are doing it from a remote location

    https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html#filtering-with-openvpn


Log in to reply