Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Communicate between OpenVPN hosts

    Scheduled Pinned Locked Moved
    OpenVPN
    openvpn client openvpn config ovpn
    1
    1
    738
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      Kamil 0
      last edited by

      Hi, I'm having trouble configuring pfSense instance version 2.6.0. Namely, I created an openVPN server with addressing and forwarding all traffic through my default gateway. I want individual hosts in the subnet - client/user computers to be unable to communicate with each other and with the Internet, only to one public IP address and to a host in the VPN network, which is a backup server, and engineers/help desk computers to have access to all machines among themselves on a given network. I created an alias that contains a pool of IP addresses for clients/users, firewall rules that theoretically block traffic between client machines, disabled dhcp v4 and v6 server, set high static addresses for engineers hosts and backup server, added a filewall rule, which blocks traffic to the Internet. The results I got are:

      • client computers correctly connect to the OpenVPN server, receive "in turn" IP addresses from the ovpn pool, do not have access to the Internet, are connected to the service hosted on a public IP address
      • client computers SEE EACH OTHER NAME, namely when I run ICMP/ping between two hosts via OpenVPN addressing, I get a response, the same when I want to connect via remote desktop/RDP - for me it is a very important issue that client hosts do not have communication between each other

      Is there anyone kind enough to help me or tell me what the configuration should look like so that hosts in the ovpn network can't see each other? I was thinking of enabling static ARP instead of using dynamic, but I'm afraid that only applies to LANs. I've read that firewall rules don't apply when host-to-host communications are on the same subnet via ARP.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post