OPENVPN NAT CONNECT A DB PORT
-
Need help.
I have the following scenario.
I have a VM 192.168.42.55, and it runs a DB service on port 61433.
We decided, for security, to state the following in the NAT rule for a service provider.
WAN interface > TCP protocol > Origin: Provider address > Source ports: * > Dest: WAN address > Dest Port: 1433 > nat ip: 192.168.42.55 > accept.
All ok, working.
But now is where I need help. A company is going to access this DB from different places with their notebooks, so for security we authenticate it in LDAP and give it VPN access.
As the first rule I made states that it only accepts the connection to the DB from one source, I need to somehow declare that I also accept the connection from this guy who will be connected through the VPN.
Is there any way I can do this? I don't know what I can do, because locally it won't get access either, since the rule declared above determined an origin and the rest won't be accepted.
-
I have a user authenticated by OpenVPN on an OpenVPN server with a specific tunnel for this guy.
After connecting, it only needs to be on the local network accessing a specific server on a specific port, which is the database.
How do I make the rule in pfSense to prevent this guy who is in this VPN tunnel on this server from being able to ping or give a // to the other local servers?
I wanted to block everything from that source and accept only the connection on the DB port on a specific server.
Is it possible to do that?
-
@rafaelvilelacosta94
If you have other OpenVPN users, you'll need to set a Client Specific Override for the user that you want to restrict. Then use firewall/rules/openvpn to restrict the user: make a pass rule with source set to his IP and destination set to the server/ports, then follow it with a block all from his IP, then your normal rules.
-
@dotdash So, man, I don't know what to declare. I can't understand what the origin of OpenVPN is.
I understand that I should declare that the origin would be the tunnel's network range on the OpenVPN interface.
What I need is that the guys connected to the OpenVPN server from IP 40.40.20.0/24 can't see anything from the LAN, block everything, and then make one rule after it allowing only the specific server on a specific port.
Look, I did that and even so, it still manages to ping, do everything.
-
@rafaelvilelacosta94
You're using Eli Lilly's public block for your openvpn network?
If it's private use 10.40.20.x or something.
Does LAN address=192.168.42.1? Is that the only rule there?
Source should match the OpenVPN tunnel network specified in your OpenVPN server config. Start with an allow to the target server, then follow with a rule to block all to destination LAN net.
-
40.40.20.0/24 is the tunnel network set in the OpenVPN server.
192.168.42.0/24 is my LAN network on interface LAN.
But I can't make a generic rule, because I have another OpenVPN server created that the employees use, and its tunnel is 50.50.10.0/24.
I need the rule to understand that only this guy's origin, the tunnel network of the OpenVPN server 40.40.20.0/24, is affected.
But that's the problem: I don't know what to put at the origin of the rule.
-
@rafaelvilelacosta94
Again, 40.x and 50.x are not private ranges. Moving on from that, you would do something like this for your OpenVPN rules:
action  proto  src             srcport  dest            destport
pass    *      40.40.20.0/24   *        192.168.42.xy   z
block   *      40.40.20.0/24   *        *               *
pass    *      50.50.10.0/24   *        LAN subnet      *
etc...
with xy being the IP of the server and z being the port(s) they need to access.
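Added example, not from the thread and not pfSense code: a small first-match simulator for the rule set above, so the effect of rule order on the OpenVPN tab can be checked before touching a live firewall. It reuses the thread's addresses (tunnel nets 40.40.20.0/24 and 50.50.10.0/24, LAN 192.168.42.0/24, DB server 192.168.42.55 on local port 61433 standing in for xy and z); the client addresses 40.40.20.6 and 50.50.10.7 and the LAN host 192.168.42.10 are constructed. pfSense evaluates rules top down, stops at the first match, and denies anything nothing passed, which is what the model implements.

```python
"""
First-match simulator for the pfSense OpenVPN rules discussed in this thread.
Constructed example: models rule evaluation only (top-down, first match wins,
implicit default deny), not pfSense itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface alias as pfSense would resolve it; LAN net taken from the thread.
ALIASES = {"LAN subnet": "192.168.42.0/24"}

# From the thread: the DB host and the port the service listens on internally
# (the WAN NAT rule exposes it as 1433, but tunnel clients reach it directly).
DB_SERVER = "192.168.42.55"
DB_PORT = 61433


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp", "icmp" or "*"
    src: str              # CIDR, alias or "*"
    dst: str              # CIDR, alias or "*"
    dport: Optional[int]  # None means "*"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # ICMP carries no port


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(ALIASES.get(spec, spec), strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    if rule.src != "*" and ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if rule.dst != "*" and ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """Action of the first matching rule, or 'block' (pfSense default deny)."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "block"


# Rule order as given in the reply: allow the restricted tunnel to the DB
# port, then block everything else from that tunnel, then the employee tunnel.
OPENVPN_RULES = [
    Rule("pass",  "tcp", "40.40.20.0/24", DB_SERVER + "/32", DB_PORT),
    Rule("block", "*",   "40.40.20.0/24", "*",               None),
    Rule("pass",  "*",   "50.50.10.0/24", "LAN subnet",      None),
]

# Same rules with the block placed before the pass: the mistake to avoid.
WRONG_ORDER = [OPENVPN_RULES[1], OPENVPN_RULES[0], OPENVPN_RULES[2]]

# Constructed sample traffic (addresses of clients and the LAN host are made up).
SAMPLES = {
    "consultant to DB port":          Packet("tcp",  "40.40.20.6", DB_SERVER, DB_PORT),
    "consultant SSH to DB host":      Packet("tcp",  "40.40.20.6", DB_SERVER, 22),
    "consultant ping other LAN host": Packet("icmp", "40.40.20.6", "192.168.42.10"),
    "employee SMB to LAN host":       Packet("tcp",  "50.50.10.7", "192.168.42.10", 445),
    "employee to non-LAN net":        Packet("tcp",  "50.50.10.7", "172.16.0.1", 80),
}


def decisions(rules) -> dict:
    """Map each sample flow name to the action the rule set yields."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in decisions(OPENVPN_RULES).items():
        print(f"{action:5}  {name}")
    print("block-first order, consultant to DB port:",
          evaluate(WRONG_ORDER, SAMPLES["consultant to DB port"]))
```

With the suggested order only the DB port passes for the 40.40.20.0/24 tunnel, while pings and any other port to LAN hosts are blocked and the employee tunnel keeps full LAN access; swapping the first two rules blocks the DB access too, which is the symptom to look for if the consultant cannot connect after the rules go in.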