Netgate Discussion Forum

    Confused with firewall rules for OpenVPN

    Category: Firewalling
    jankol:

      Hello,
      I managed to set up OpenVPN on a Netgate 6100, but I am not sure about the correctness of the firewall rules I added.

      The source of my confusion is two new tabs in the "Firewall => Rules" menu connected with OpenVPN. There are tabs "OVPN1" and "OpenVPN". I am not able to find a sufficient description of the behavior of the rules in these two tabs.

      The OpenVPN Server is sitting on the WAN2 interface (connected to ISP). I have added an exception rule to "Firewall => Rules => WAN2" menu so remote clients can establish an IPv4 connection on UDP port 1194.

      As far as I know, "OVPN1" represents a virtual interface (I can find it in the "Interfaces => Assignments" menu). I treat it as the endpoint of the tunnel: when a connected remote client sends a packet via the tunnel, the packet is processed by the OVPN1 interface.

      On the "Firewall => Rules => OVPN1" tab I have no rules. The GUI says that if no rules are added, all traffic is blocked. But I did not find any WAN or LAN connectivity issues for remote users. So it seems to me that no traffic passes through this virtual interface, and that is why I am confused.

      On the "Firewall => Rules => OpenVPN" tab I have two rules: the first rule allows all traffic from the remote subnet to anywhere, the second rule blocks all traffic. I have not dealt with firewall rules for remote clients in detail, as I am the only user of the OpenVPN server, so I do not limit the access of remote users.

      What I would like to know is the difference between the "OVPN1" and "OpenVPN" tabs in the "Firewall => Rules" menu, and I would like to understand how packets pass through those two interfaces. I would also like to know whether the firewall rules I mentioned are set correctly or whether I'm missing something.

      Thanks,
      Jan

      the other:

        hey there,
        a look in the documentation gives the answer:
        https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/firewall-rules.html
        See far down > Tip!
        :)

        In short: rules under the general OpenVPN tab are for all your OpenVPN servers on pfSense (in case you have more than one).
        So you can set separate rules for each of them...
        Here I have (under Firewall > Rules):
        no rules at all on the general OpenVPN tab, but rules set for my OpenVPN server "number1" (just an example).

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)

          jankol (replying to the other):

          @the-other,
          Thank you for your answer, and sorry for the late response.

          I have just finished some experiments with firewall rules.

          Based on your advice, I moved all rules from the generic OpenVPN tab to the OVPN1 tab, leaving no rules on the generic tab. Everything works in the same way as in the previous configuration.

          I had also read the page in the pfSense manual you shared before I raised my post, but I did not fully understand it. After reading your example it became clearer, and after the mentioned experiments with the rules it is fully clear.

          Hopefully, all my findings are correct:

          • Rules on the OpenVPN tab have priority over the OVPN1 tab (if an incoming packet matches some rule on the OpenVPN tab, the OVPN1 rules are ignored; so rules on the OpenVPN tab are meant to be generic and common to all OpenVPN servers).

          • If there are no rules on the OpenVPN tab, there is a default message saying "No rules are currently defined for this interface. All incoming connections on this interface will be blocked until pass rules are added. Click the button to add a new rule." This confused me. I was convinced that a state without any rule is fully equivalent to a state with a "block all" rule (IPv4+IPv6, any protocol, any IP, any port, etc.). But at least for the OpenVPN tab this is not true, as I tested: when there are no rules on the OpenVPN tab, the rules from OVPN1 are applied, and everything just works. I then tried adding a "block all" rule on the OpenVPN tab, and the remote clients lost their connection. So the mentioned message is quite confusing in this case, because if that message were correct, the remote clients would not have had a connection.

          Thanks,
          Jan

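The precedence Jan worked out by experiment follows from the evaluation order pfSense documents for its rule tabs: floating rules first, then interface group rules (the "OpenVPN" tab is the group covering every OpenVPN instance), then the per-interface rules (the "OVPN1" tab), first match wins, and anything that matches nothing is blocked. The simulator below is an added example, not code from this thread or from pfSense; it models that order with a simplified rule format (floating rules are treated as first-match here, ignoring pfSense's last-match option for non-quick floating rules), and the tunnel network 10.8.0.0/24, the addresses and the rule sets are constructed to replay the three layouts described above.

```python
"""Replay of pfSense rule-tab precedence for an OpenVPN instance.

Simplified model, constructed for illustration: evaluation order is
floating -> interface group ("OpenVPN" tab) -> interface ("OVPN1" tab),
first matching rule decides, implicit block when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str = "any"       # CIDR or "any"
    dst: str = "any"       # CIDR or "any"
    proto: str = "any"     # "tcp", "udp", ... or "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; "any"/None fields are wildcards."""
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(pkt: Packet,
             floating: Iterable[Rule] = (),
             group: Iterable[Rule] = (),
             iface: Iterable[Rule] = ()) -> Tuple[str, str]:
    """Return (action, tab) of the first matching rule, or ("block", "default").

    An empty tab contributes no rules at all, so evaluation simply falls
    through to the next tab; only an explicit rule can stop it early.
    """
    tabs = (("floating", floating), ("OpenVPN", group), ("OVPN1", iface))
    for name, rules in tabs:
        for rule in rules:
            if rule.matches(pkt):
                return rule.action, name
    return "block", "default"


# Constructed sample data: tunnel network handed to VPN clients, one
# legitimate client, and a source outside the tunnel network.
REMOTE_NET = "10.8.0.0/24"
CLIENT = Packet(src="10.8.0.5", dst="192.168.1.10", proto="tcp", dport=443)
STRANGER = Packet(src="10.9.0.5", dst="192.168.1.10", proto="tcp", dport=443)

PASS_REMOTE = Rule("pass", src=REMOTE_NET)   # "allow remote subnet to anywhere"
BLOCK_ALL = Rule("block")                     # explicit "block all"


def layout_original(pkt: Packet = CLIENT) -> Tuple[str, str]:
    """First layout in the thread: both rules on the OpenVPN tab, OVPN1 empty."""
    return evaluate(pkt, group=[PASS_REMOTE, BLOCK_ALL], iface=[])


def layout_moved(pkt: Packet = CLIENT) -> Tuple[str, str]:
    """Rules moved to OVPN1; the empty OpenVPN tab falls through to OVPN1."""
    return evaluate(pkt, group=[], iface=[PASS_REMOTE])


def layout_block_on_group(pkt: Packet = CLIENT) -> Tuple[str, str]:
    """Block-all on the OpenVPN tab is matched before OVPN1 is consulted."""
    return evaluate(pkt, group=[BLOCK_ALL], iface=[PASS_REMOTE])


def layout_no_rules(pkt: Packet = CLIENT) -> Tuple[str, str]:
    """No rules anywhere: the implicit default block applies."""
    return evaluate(pkt)


if __name__ == "__main__":
    for name, fn in (("original", layout_original), ("moved", layout_moved),
                     ("block on group", layout_block_on_group),
                     ("no rules", layout_no_rules)):
        print(f"{name:15s} client -> {fn(CLIENT)}  stranger -> {fn(STRANGER)}")
```

Running it reproduces the three observations from the last post: the original and the moved layouts both pass the client (just from different tabs), an explicit block-all on the OpenVPN tab stops the client before OVPN1 is reached, and an entirely empty rule set blocks by default, which is the situation the GUI message is describing. A practical consequence for a multi-server setup is that anything placed on the OpenVPN tab, including a trailing block-all, applies to every OpenVPN instance, so per-instance pass rules belong on the assigned interface tab.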
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.