Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVpn clients access rules

    OpenVPN
    2
    4
    401
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      LukasH
      last edited by

      Hello,
      I used so far pretty simple setup for my OpenVPN network. Let's say I have two LANs accessible from VPN and two other clients that access the LANs.
      I have both remote LANs at OpenVPN server setting and I allowed Inter-client communication. So far no issue but I didn't like that a new computer on one of the remote LAN can access the other LAN and also I would like to manage now the access to remote LANs from different clients connected to the OpenVPN server.
      e221afa0-e139-4ba3-8831-9758c4e4b073-image.png
      I am trying to have this setup with client-specific overrides but so far I am not able to access any remote LANs from another client.
      Client AA can access both remote LANs (A,B) and client BB can access only site B.
      I have an OpenVPN firewall rule to allow all communication.
      Can you please direct me to accomplish this?

      Thank you very much for any response.

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @LukasH
        last edited by

        @LukasH
        First of all, you should better use Private network ranges for both, internal networks and VPN tunnels to avoid issues with accessing public sites.

        The "Remote Networks" field in the client specific overrides is meant to state networks behind the respective client.
        Anyway, I'd suggest to not state the local networks in the CSO.

        However, you need such CSO for the sites A and B. Here you have to enter the respective clients local into the "Remote Network" box.

        And in the server settings you need to enter both local network into the "Local Networks" box to push the routes to the clients.

        For limiting access use the CSO to assign static IPs to the clients and add proper firewall rules.
        Remove the check at "Inter-client communication".

        L 1 Reply Last reply Reply Quote 0
        • L
          LukasH @viragomann
          last edited by

          @viragomann
          Hi, I tried exactly (at least I think) what are you describing here. But with no success.

          Server OpenVPN:

          • tunel network: 10.10.0.0/24
          • local networks: (site A)10.10.10.0/24, (site B)10.10.11.0/24
          • uncheck "Inter-client communication"

          Client A CSO:

          • tunel ip: 10.10.0.100
          • local network: 10.10.10.0/24

          Site A CSO:

          • tunel ip: 1010.0.2/24
          • remote network: 10.10.10.0/24

          OpenVPN FW rules:

          • allow all protocols and IPs for this moment, for OPT1 (tunnel network) as well.

          I can see traffic in the firewall rule, to reach site (A), but there is no response from the site.
          This setup functions only with the "Inter-client communication" option check.
          b93ea8d8-5ff6-4acb-96c2-6cb0f8280634-image.png
          Here is the client A reaching to site A device.

          I will do better with local IPs in the future thanks.

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @LukasH
            last edited by

            @LukasH
            With Inter-client communication enabled, pfSense cannot filter the traffic, because it doesn't enter the interface.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.