How to call my Random OpenVPN Client Remote IP in a rule?

hrv231

Hello,

I would like to know if there is a way to put in a rule for my always changing OpenVPN client “Remote/Virtual IP”?

For example:
Block IPv4* LAN subnets * VPN TCP4 * * none description

Is there a way to automate the creation of an Alias or Virtual IP with the random IP I get every time?

I looked if OpenVPN creates that Remote/Virtual IP inside Firewall/Virtual IPs , but it doesn’t.

Thanks.

viragomann

@hrv231
So you want to apply the rule only to a specific client, not to all clients?

You can assign a static IP to a client by configuring a Client Specific Override for him.
State the common name from the concerned clients certificate and an IP out of the tunnel network with the proper tunnel mask.

hrv231

@viragomann
Client IP and remote IP are random, I can’t set static IP for this particular VPN.

viragomann

@hrv231
You need a rule for the client public IP??

hrv231

@viragomann
correct.

The rule will say.. block anything from the LAN subnet to the client's public IP, but this public IP changes every time I reconnect, so I would like to know if there is a way to automate that via Virtual IP or Alias.
I don't want to go to the rule every time the client's public IP changes.

viragomann

@hrv231
The client cannot access anything inside your network with his public IP. This can reach your WAN as its best.
The VPN connected client would access your internal devices from the virtual IP out of the VPN tunnel pool. So if you have an allow any rule on the VPN interface you can block his VPN IP with a block rule above of it. And the way to know the clients VPN IP is to assign him a static one by CSO.

hrv231

@viragomann
Thank you, but it I don't want to assign an static IP.
I use a FQDN to get to the VPN service, and that FQDN points to different IPs.

I don't want to use static for that.

Thanks for your help!

SteveITS

@hrv231 OpenVPN rules won’t see the remote public IP because the client has already connected.

If you wanted to say allow OpenVPN only from a remote IP you could set up a ddns hostname, put it in an alias, and allow only that alias to connect. But that isn’t done via an OpenVPN firewall rule which is after the connection.

hrv231

@SteveITS
I'm trying to avoid the logs full of "recursive routing".
Doing a packet capture, I discovered that one of my LAN devices that sends traffic over the OpenVPN client ( I have a NAT rule for that ) is trying to connect to the public IP address of my client.
I created a block rule that blocks traffic to the public IP, and it is working great.
With that rule there is no more "recursive routing" on the OpenVPN client logs.

On my Client config, I have a FQDN, not an static IP, and that FQDN calls a list of IPs, and uses 1 public IP from that list to connect to.
That's why the Remote IP always changes, and that's why I'm looking for a way to automate via an Alias or Virtual IP that IP, so that the "blocking" rule continues doing its job.