Setup OpenVPN with allowed IP list
-
Hi All,
I have OpenVPN setup and working, I want to restrict which IPs are allowed to access the VPN, to limit noise in the logs. I understand I can do this from within the Firewall rules.
My question is, when I remote in, I do not always know the IP I will be accessing from. How do others get around this?
My thought is using a cloud provider with a static IP, which I could edit rules from to allow an IP?
Or do you use a paid VPN service on the allowed list and access from there?
Thanks for any suggestions.
-
@AirGapped Use a dynamic DNS service and then use that hostname in an alias.
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#host-aliases
“…or fully qualified domain name (FQDN).”
It resolves every 5 minutes by default, IIRC.
-
If you don't know a remote source beforehand you can't firewall it in advance. My approach would be to make sure you're using TLS keys in addition to client certificates and also usernames and passwords. That's three levels of authentication where if any one of them is not present, the connection won't establish.
Yes, you can use the cloud provider approach but then you're relying on your connections first establishing to that provider and then to you. All that is doing IMO is moving the "noise" elsewhere.
I'd just use good security and live with the noise. The TLS key, client certificate (which can be revoked) and associated private key are something the user has. The username and password are something the user knows. That's not terrible in my book.
edit: you can also cut down on the noise by using a different port on the server. The usual port of 1194 UDP is going to get probed a lot. Pick something else and you'll likely have less noise in your logging.
second edit: the response about using dynamic DNS didn't make any sense to me at first, as I was thinking of this as supporting a fleet of remote users, but that could work. However, I tend not to trust DNS resolution in critical aliases, as I've seen empty alias tables too many times.
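As an added illustration of the three-layer setup described in the reply above (this is not config from the thread or generated by pfSense, which builds its server config from the GUI; it corresponds to the "Remote Access (SSL/TLS + User Auth)" server mode with a TLS key enabled), here is a plain OpenVPN 2.5+ server.conf showing which directive enforces each layer and the non-default port. The port number, key paths and the auth.sh verifier script are assumptions.

```conf
# Added example, not from the original thread. Assumes OpenVPN 2.5 or newer.
# Port is an assumption: any unused high port instead of the default 1194/udp,
# which gets probed constantly.
port 44120
proto udp
dev tun

# Layer 1 (something the user has, part 1): a shared TLS-crypt key.
# Packets not authenticated with this key are dropped before the TLS handshake,
# so scanners that find the port never reach the certificate stage.
tls-crypt /etc/openvpn/keys/ta.key

# Layer 2 (something the user has, part 2): a per-client certificate and its
# private key, validated against the CA, with a CRL so a lost or compromised
# client can be revoked without reissuing everything else.
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh.pem
# A client without a valid certificate cannot connect at all.
verify-client-cert require
# The presented certificate must carry the client EKU (a stolen server cert will not do).
remote-cert-tls client
crl-verify /etc/openvpn/keys/crl.pem

# Layer 3 (something the user knows): username and password, checked by an
# external verifier. auth.sh is an assumed script; with via-file it receives a
# temporary file whose first line is the username and second line the password,
# and must exit 0 to allow the connection.
script-security 2
auth-user-pass-verify /etc/openvpn/auth.sh via-file

# Tunnel and crypto settings.
server 10.8.0.0 255.255.255.0
keepalive 10 60
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
verb 3
```

With this in place a connection fails if any one layer is missing: a packet without the tls-crypt key is silently discarded, a valid key but no (or a revoked) certificate fails the TLS handshake, and a valid certificate with a wrong password is rejected by the verifier. Only the third failure mode reaches your application logs, which is what cuts the noise.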