Netgate Discussion Forum
    Open VPN opens networks when forcing traffic through the tunnel

    OpenVPN
      viktor77
      last edited by viktor77

      Hello,

      I created a new VPN server with the intention to forward incoming RTSP connections on WAN to a VPN client connected to the OpenVPN server. I port forwarded 554 but had to enable the 'Force all client-generated IPv4 traffic through the tunnel.' option to be able to send the traffic back to the requestor.
      This for some reason disabled the option to define the IPv4 Local networks option and opened access to all networks and devices on the pfSense box. What options do I have to restrict the VPN client's access to all my networks on pfSense but still be able to send traffic through WAN? Can someone give me an example of OpenVPN firewall rules to achieve this?

      Thank you,
      Viktor.

        viktor77
        last edited by

        I managed to achieve this by giving the client a fixed IP and blocking it through the OpenVPN rules. Any idea why the 'Force all client-generated IPv4 traffic through the tunnel.' option disappears though?

          viragomann @viktor77
          last edited by

          @viktor77 said in Open VPN opens networks when forcing traffic through the tunnel:

          Any Idea why the 'Force all client-generated IPv4 traffic through the tunnel.' option disappears though ?

          'Force all client-generated IPv4 traffic through the tunnel' includes everything that 'Local networks' (push route) can do.
          Since all of the client's upstream traffic is directed over the VPN, there is no need to set additional routes for specific networks at all.

          In any case, consider that pushing specific routes to the client does not really enhance security. It's basically up to the client to add his own routes and route to the VPN server whatever he wants.
          So for the sake of security you should configure restrictive filter rules anyway.

          I created a new VPN server with the intention to forward RTSP incoming connections on WAN to a VPN client connected to the open VPN server. I port forwarded 554 but had to enable the 'Force all client-generated IPv4 traffic through the tunnel.' option to be able to send the traffic back to the requestor.

          The only other option here is to add an outbound NAT rule to translate the source IP in forwarded packets into the VPN server's IP. However, this has the drawback that the destination device cannot determine the original source address.

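          As an added illustration of the two points made above (the checkbox replaces pushed routes, and only filter rules actually restrict the client), here is what the resulting pfSense configuration looks like expressed as pf rules. This is example configuration written for this page, not text from the thread or from Netgate; the interface names, tunnel network, client address and internal networks are assumed for illustration.

```conf
# Added example (not from the thread). Assumed, hypothetical names and addresses:
#   em0    = WAN interface            ovpns1 = OpenVPN server interface
#   10.8.0.0/24 = tunnel network, 10.8.0.1 = server, 10.8.0.10 = RTSP client (fixed)
#   192.168.1.0/24 and 192.168.2.0/24 = networks behind pfSense

# Fixed tunnel address: a Client Specific Override for the client's CN writes a
# CCD file containing (topology "subnet"):
#   ifconfig-push 10.8.0.10 255.255.255.0
# "Force all client-generated IPv4 traffic through the tunnel" adds to the server config:
#   push "redirect-gateway def1"
# which supersedes push "route ..." entries, so the "IPv4 Local network(s)" field is hidden.

table <local_nets> { 192.168.1.0/24, 192.168.2.0/24 }

# WAN: port forward RTSP to the client's fixed tunnel address (Firewall > NAT > Port Forward
# with its associated filter rule). With pfSense's default floating states, the client's
# replies match this state and are not evaluated against the ovpns1 rules below.
rdr on em0 inet proto tcp from any to (em0) port 554 -> 10.8.0.10 port 554
pass in quick on em0 inet proto tcp from any to 10.8.0.10 port 554 keep state

# OpenVPN tab: filter what the client itself originates. Pushed routes do not stop a
# client from adding its own routes, so the restriction has to live here.
# 1) DNS to the server's tunnel address only (if DNS is pushed to clients)
pass in quick on ovpns1 inet proto { tcp, udp } from 10.8.0.10 to 10.8.0.1 port 53 keep state
# 2) nothing else to the firewall itself, the tunnel network, or the internal networks
block in quick on ovpns1 inet from 10.8.0.10 to self
block in quick on ovpns1 inet from 10.8.0.10 to 10.8.0.0/24
block in quick on ovpns1 inet from 10.8.0.10 to <local_nets>
# 3) everything remaining (the Internet, out via WAN) is allowed
pass in quick on ovpns1 inet from 10.8.0.10 to any keep state

# Alternative named in the reply above, without redirect-gateway: rewrite the source of
# the forwarded RTSP packets to the server's tunnel address (Firewall > NAT > Outbound,
# hybrid mode) so the client's default route no longer matters. The client then sees
# 10.8.0.1 as the requestor, not the real source address.
# nat on ovpns1 inet proto tcp from any to 10.8.0.10 port 554 -> (ovpns1)
```

          The order matters because every rule is `quick`: the narrow DNS pass must precede the `to self` block, and all blocks must precede the final `pass ... to any`. In the GUI this corresponds to putting the block rules above the allow rule on the OpenVPN tab.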
            viktor77 @viragomann
            last edited by

            @viragomann

            Thanks for your clear explanation, got some rules to set up!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.