Open VPN opens networks when forcing traffic through the tunnel
-
Hello,
I created a new VPN server with the intention to forward RTSP incoming connections on WAN to a VPN client connected to the OpenVPN server. I port forwarded 554 but had to enable the 'Force all client-generated IPv4 traffic through the tunnel.' option to be able to send the traffic back to the requestor.
This for some reason disabled the option to define the IPv4 Local networks option and opened access to all networks and devices on the pfSense box. What options do I have to restrict the VPN client's access to all my networks on pfSense but still be able to send traffic through WAN? Can someone give me an example of OpenVPN firewall rules to achieve this?
Thank you,
Viktor.
-
I managed to achieve this by giving the client a fixed IP and blocking it through the OpenVPN rules. Any idea why the 'Force all client-generated IPv4 traffic through the tunnel.' option disappears though?
-
@viktor77 said in Open VPN opens networks when forcing traffic through the tunnel:
Any Idea why the 'Force all client-generated IPv4 traffic through the tunnel.' option disappears though ?
'Force all client-generated IPv4 traffic through the tunnel' includes everything that 'local networks' (push route) can do.
Since the whole client's upstream traffic is directed over the VPN, there is no need to set additional routes for specific networks at all. In any case, consider that pushing specific routes to the client does not really enhance security. It's basically up to the client to add his own routes and route to the VPN server whatever he wants.
So for the sake of security you should configure restrictive filter rules anyway.
@viktor77 said in Open VPN opens networks when forcing traffic through the tunnel:
I created a new VPN server with the intention to forward RTSP incoming connections on WAN to a VPN client connected to the OpenVPN server. I port forwarded 554 but had to enable the 'Force all client-generated IPv4 traffic through the tunnel.' option to be able to send the traffic back to the requestor.
The only other option here is to add an outbound NAT rule to translate the source IP in forwarded packets into the VPN server's IP. However, this has the drawback that the destination device cannot determine the original source address.
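As an added example (not from either poster, and not pfSense-generated output), here is what the fixed-IP-plus-restrictive-rules approach from the OP's follow-up and the NAT alternative from this reply look like in OpenVPN directives and pf.conf-style rules; the tunnel network 10.8.0.0/24, client address 10.8.0.10, interface names ovpns1/em0 and the LAN ranges are constructed assumptions.

```conf
# --- OpenVPN server: "Force all client-generated IPv4 traffic through the tunnel"
push "redirect-gateway def1"
# No "push route" for local networks is needed: the pushed default route covers them,
# which is why the IPv4 Local networks box disappears in the GUI.

# --- Client Specific Override for the RTSP client (requires topology subnet)
# Pins the camera's client to a known tunnel address so rules can target it.
ifconfig-push 10.8.0.10 255.255.255.0

# --- pf: port forward RTSP from WAN to the pinned client (constructed interface em0)
rdr on em0 inet proto tcp from any to (em0) port 554 -> 10.8.0.10 port 554

# --- pf: rules on the OpenVPN tab, evaluated top-down, first "quick" match wins
table <lan_nets> { 192.168.1.0/24, 192.168.2.0/24 }   # constructed internal ranges
# 1. Allow the forwarded RTSP session in on WAN; replies follow the state entry
#    back through the tunnel because the client's default route is the VPN.
pass in quick on em0 inet proto tcp from any to 10.8.0.10 port 554 keep state
# 2. Deny the pinned client access to the firewall itself and to internal networks.
block in quick on ovpns1 inet from 10.8.0.10 to self
block in quick on ovpns1 inet from 10.8.0.10 to <lan_nets>
# 3. Anything else from that client (Internet-bound traffic) may leave via WAN.
pass in quick on ovpns1 inet from 10.8.0.10 to any keep state
# 4. Default deny for every other VPN client; add explicit passes per client.
block in quick on ovpns1 inet from 10.8.0.0/24 to any

# --- Alternative without redirect-gateway: outbound NAT on the tunnel interface
# so replies return to the server's tunnel address (assumed 10.8.0.1). The client
# then only sees 10.8.0.1 as the source, as noted above.
# nat on ovpns1 inet proto tcp from any to 10.8.0.10 port 554 -> 10.8.0.1
```

In pfSense these rules are entered through Firewall > NAT and Firewall > Rules > OpenVPN rather than as a pf.conf file; the listing only shows the equivalent ordering and match criteria.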
-
Thanks for your clear explanation, got some rules to set up!