Security consideration (blocking internet access)

  • Hey,

    I have a working configuration of OpenVPN on a 1.2.3 pfSense and I have two questions about security:

    Once a Windows client is connected to the VPN, he can access the whole LAN defined in the server "Local Network" option. But he can still access the internet from his computer. So if the computer is infected by a trojan or any malware, it makes this computer a gateway from the internet to the LAN :(, an easy access way for a hacker. Is there a method to block internet access (modifying the routing table or something else…) while the client is connected to the VPN?

    In the log of the pfSense box in the OpenVPN tab, I get this message: "openvpn[393]: WARNING: No server certificate verification method has been enabled. See for more info."
    On my client computer, I have only CA and client certificates. It seems weird to me that there is no server certificate. Am I wrong?

    Thanks for the help.

  • Rebel Alliance Developer Netgate

    For point #1, there are two ways to accomplish blocking Internet access on OpenVPN. The first would be to just remove any outbound NAT rules you have that allow OpenVPN subnets to reach the Internet; if you are on auto, switch to Manual Outbound NAT and only specify rules for LAN subnets and such.

    The other method, which may be better, is to block traffic for OpenVPN clients except the traffic you want (e.g. allow all protocols from the OpenVPN client subnet to LAN). This isn't built into 1.2.3, but it is possible. (It will be available in 2.0 by default.) The process is described here:

    I'm not sure about point #2. Someone else may have to comment more in depth on that.

  • #2 relates entirely to the server-side setup; it has nothing to do with clients. Have you provided the OpenVPN server with the CA certificates?

  • Thanks again jimp for your answer.
    But I think you didn't understand what I wanted to say in the first point. My English is far from perfect, so excuse me.

    I don't want to filter traffic into the tunnel, but I want to do the opposite Oo
    I want that all traffic goes on the VPN while a client is connected.

    Actually, when I'm connected from home, I can both access my enterprise LAN and surf the web.
    I'm a gateway between the internet and my LAN. If somebody can control my computer from the internet with any malware, he can do whatever he wants on my enterprise network !!!!

    To avoid that, I would like to make web surfing unavailable when a client is connected.
    I think something like routing all traffic to the VPN would be an idea, but how ?!?

    For havok,
    Yes, the server has the CA certificate. But when you configure a client, you put only the CA certificate and you create a client certificate. I just don't understand why you don't need the server certificate to connect? The CA is just the authority that signs the server certificate; you just need it to be sure that the server certificate is the good one. But once you know that, you need the server certificate to be sure that you are talking to the right computer when you are connecting.
    There is obviously something that I don't understand. Maybe you can help me (if my sentences are understandable ^^)

    Thx to you guys

  • That's how SSL works, same as for your web browser. You don't have a copy of every public server certificate to compare against; you have the key of the authority who signed their keys, and that's how you check you're connecting to the right server.

  • Ok you're right Havok. I didn't think about that point when I wrote my post ;)

    And do you have an idea for the first point?

  • What, forcing all traffic to go through the VPN?

    That's nicely covered in the OpenVPN documentation ;) The setting you're looking for is redirect-gateway.

    Of course, if malware has control of your system it can do anything it wants. If you're already infected, it can still do whatever it wants on your enterprise network.
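
Putting the two answers together, here is an OpenVPN client configuration that sends all of the client's traffic into the tunnel (redirect-gateway, point #1) and enables the server certificate check whose absence produces the warning quoted in point #2. This is an added example, not a config from the thread or from pfSense; the server address, file names and the server-side push line are assumptions.

```conf
# client.ovpn (added example, not from the thread)
# Assumed values: replace the server address and certificate/key file names.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key

# Point #1: route ALL client traffic (0.0.0.0/0) through the VPN while connected.
# "def1" installs 0.0.0.0/1 and 128.0.0.0/1 routes on top of the existing
# default route instead of replacing it, so the original gateway comes back
# cleanly when the tunnel goes down.
redirect-gateway def1

# Point #2: without one of the server-verification directives the client logs
# "WARNING: No server certificate verification method has been enabled".
# remote-cert-tls makes the client refuse a peer whose certificate was not
# issued as a *server* certificate by the CA in ca.crt, so another client
# certificate signed by the same CA cannot impersonate the server.
# On OpenVPN 2.0.x clients, which lack remote-cert-tls, use
# "ns-cert-type server" instead.
remote-cert-tls server

# Server side (pfSense custom options, assumed): push the same routing
# behaviour to every client instead of relying on each client's config.
# push "redirect-gateway def1"
```

With the redirect in place, the client's Internet-bound traffic now arrives at the pfSense box, so it is the outbound NAT removal or the OpenVPN firewall rule from the earlier answer that actually prevents it from reaching anything except the LAN.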

  • Thanks for the directive.

    Of course a virus will go on my enterprise network if the client is already infected.
    But if someone can take remote control of the client, at least he couldn't do it while the client is connected to the VPN.
