Need Help Understanding OPENvpn to the pfsense - security - be gentle :-)

  • kudos to all of those who have put together an awesome project.

    I have successfully connected to my pfsense via OpenVPN.  However my little brain of mine is not really comprehending the security issue that was warned in the instructions about opening up everything on the openVPN interface for testing only and not production.  I understand the reasoning say like it was on my WAN(I wouldn't allow everyone just have a hayday on my lan).  But is the openVPN interfeace secure by only allowing those with the appropriate cert key challenge to connect to it?  Or is the risk or disclaimer saying that if you don't lock it down your clients will have access to your complete network?

    Sorry for my lack of understanding. Just need some education or understanding how it works on the security aspect.

    Thanks in advance for your time

    Happy pfsensing

  • Afaik Openvpn acts the same way like IPSEC so connecting through openvpn will give you wull access and you can't filter it atm. For IPSEC filtering will be a feature of the next major version (it already works in the head codetree). Not sure for Openvpn though.

  • Hi hoba

    Thanks for your reply

    My main concern is by leaving my newly created OVPN1 interface and allowing "all" to the ovpn1 subnet, will I be leaving a door open for anyone on the www?  I think the awnser is no, where I understand it is its an interface only accessable via the OpenVPN clients that pass the security challenge.

    To eplain my reason for questioning and my confusion is when I was following the instruction and got to the part of configuring the firewall  "Step 4: firewall config"

    It states

    "Warning! This is bad practice for production use! Make sure you lock things down after you're done testing!!"

    Thats where I got confused and my reason for question and the need for understanding.

    Thanks again

  • That howto needs some additional work. Seems there are some things not completely correct. You won't open up your network to the whole internet, only to authenticated clients that then have an encrypted connection to your site.

Log in to reply