Netgate Discussion Forum

    (Solved) Create rules of OpenVPNs *internal* routing table

    Firewalling · 6 Posts · 2 Posters · 2.9k Views
    dklev

      Hi,

      I am not sure if I missed a similar topic, but searching didn't find anything that helps me:

      After configuring pfSense with OpenVPN and successfully connecting some LANs (our company, different customers), I now have a big problem:

      Everyone can reach everyone (even customer X can connect hosts from customer Y) - awful !!

      I was able to "correct" that a little bit by pushing only the routes that a customer really needs. But if they find out one day that one manual "route add" gives them full access to all customers and our complete network... I think I will be fired...

      Is there any possibility to configure something like:
      Locations A, D and F have full access to each other, but nowhere else
      Locations B, C and E have full access to each other, but nowhere else

      Up to here this may work with different servers, but then there is one last wish:
      Location Z (our company) should have access to all customers' locations,
      but customers should not have access back to Z

      Or is that an easy thing and I don't see the easy idea yet?

      Thanks a lot!

      Hugo

        dreamslacker

        Set up multiple OpenVPN servers, 1 for each customer.  That way, you can push individual routes to each different customer based on what they need to access.

        Just make sure a different private subnet is assigned to each customer and leave Local Network field blank.  Manually push the routes as you require.

          dklev

          That sounds perfect, thanks a lot!

          Only one thing:
          I set up one OpenVPN server for me, and another OpenVPN server for each customer, but how can I ping/connect to my customers' machines (and not the other way)?

          I thought to solve that with routing and then to firewall what is not allowed. But when I try to make static routes on pfSense, it always asks for a Gateway, and I can only add gateways on "real" Interfaces.

          Or is it enough to add "route a.a.a.a 255.255.255.0 vpn_gateway" lines, so that OpenVpn creates routing rules when the clients connect?

          Hugo

            dklev

            ! STOP !

            I solved most of my issues (thanks again to all and dreamslacker!).

            I was able to set up different OpenVPN servers and to create firewall rules between them in Firewall/Rules/OpenVPN section, now I can handle exactly who can connect to which other customer or not.

            Only two things are not clear:

            1. One customer's OpenVPN client (Win) logs in; he has NIC1=LAN (192.168.199.x) and NIC2=OpenVPN (10.10.10.x). His other computers have different 192.168.199.x addresses of course. If a LAN machine pings some other customer, everything works (as the IP packet comes from 192.168.199.x through the tunnel/firewall).

            But if the OpenVPN itself sends packets, they come from 10.10.10.x (OpenVPN's dynamic DHCP address), this is causing trouble as this IP range is shared by all LANs of my customer (as they use the same 10.10.10.x).

            I already found one workaround, but it isn't useful:

            • With ping 192.168.44.x (another customer's LAN) I have the problem (source address=10.*),
            • but with different ping-source e.g. ping -S 192.168.199.x 192.168.44.x everything works

            How can I set up that all packets going through the tunnel have a 192.168.199.x source address (only if they had a 10.* source before)? Or in other words, no traffic at the client's OpenVPN should use 10.* as source at all (as this is only a "transfer network")?

            2. This problem is not bad, too: once the customer's OpenVPN is connected, the local user could change his LAN address to something else (e.g. 192.168.77.x), manually add some routes into the tunnel, and with that maybe access other customers' networks.

            When trying to solve that, the firewall rules have only "OpenVPN" as interface. In reality there are a lot of interfaces (ovpns1, ovpns2, ovpns3), but I cannot select them. If this were possible, then I would be able to imprison one client in one customer's network, but now it isn't possible (as everyone is able to be like a 192.168.<something else>.x in order to come through my pfSense firewall...).

            Do you have any idea or hint, how to keep customers inside their networks???

            Thanks a lot

            Hugo

              dreamslacker

              On point 1, I'm not sure what you need.

              On point 2, work your firewall rules by subnet.

              e.g.  You have customer A on OVPN1 with a subnet of 192.168.5.0/24.  So you can add an explicit block rule on the Openvpn ruleset for all traffic originating from 192.168.5.0/25.

              If this customer needs access to another OVPN subnet, then you add an explicit allow rule above the block rule.  Remember that the rules need to be quick match.

                dklev
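The ordering point in the reply above (allow rules for cross-customer access above the per-customer block, first match wins) is easy to get wrong in a long ruleset. The following is an added example, not code from the thread or from pfSense: it models a first-match ("quick") ruleset on the OpenVPN tab, evaluates sample flows against it, and flags any rule that can never match because an earlier rule covers every packet it would see. The site addressing (Company Z on 192.168.1.0/24, customers A, B and C on 192.168.5.0/24, 192.168.44.0/24 and 192.168.77.0/24) is constructed for the example; stateful reply traffic is not modelled, only the direction that opens a connection.

```python
"""Added example (not from the forum thread): simulate first-match ("quick")
evaluation of a pfSense OpenVPN-tab ruleset and detect rules that can never
match because an earlier rule shadows them. Addressing is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    note: str = ""


# Constructed tenancy: one OpenVPN server per site, each with its own LAN.
COMPANY_Z = "192.168.1.0/24"     # our own site (assumed address)
CUSTOMER_A = "192.168.5.0/24"    # the /24 from dreamslacker's example
CUSTOMER_B = "192.168.44.0/24"   # LAN mentioned by Hugo
CUSTOMER_C = "192.168.77.0/24"   # LAN mentioned by Hugo
ANY = "0.0.0.0/0"

# Rules are ordered; the first match wins, as with pfSense's quick rules.
# Allow rules for cross-customer access sit ABOVE the per-customer block.
RULESET = [
    Rule("pass", COMPANY_Z, ANY, "Z may initiate to every customer"),
    Rule("pass", CUSTOMER_A, CUSTOMER_B, "A and B share a project"),
    Rule("pass", CUSTOMER_B, CUSTOMER_A, "... and in the other direction"),
    Rule("block", CUSTOMER_A, ANY, "A may go nowhere else"),
    Rule("block", CUSTOMER_B, ANY, "B may go nowhere else"),
    Rule("block", CUSTOMER_C, ANY, "C is fully isolated"),
]

# The same rules with the block for A placed too high: pass A->B is shadowed.
MISORDERED = [RULESET[3], RULESET[1], RULESET[0], RULESET[2], RULESET[4], RULESET[5]]


def evaluate(ruleset, src, dst, default="block"):
    """Return (action, note) of the first rule matching src->dst.
    Only the initiating direction is modelled; the stateful firewall
    lets the replies of a passed connection back by itself."""
    s, d = ip_address(src), ip_address(dst)
    for rule in ruleset:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action, rule.note
    return default, "implicit default deny"


def shadowed_rules(ruleset):
    """Return (index, shadowing_index) for every rule whose src and dst are
    both fully covered by an earlier rule, i.e. a rule that can never match."""
    found = []
    for i, r in enumerate(ruleset):
        for j in range(i):
            e = ruleset[j]
            if (ip_network(r.src).subnet_of(ip_network(e.src))
                    and ip_network(r.dst).subnet_of(ip_network(e.dst))):
                found.append((i, j))
                break
    return found


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.168.44.20"),   # Z -> B
                     ("192.168.5.10", "192.168.44.20"),   # A -> B
                     ("192.168.5.10", "192.168.77.20"),   # A -> C
                     ("192.168.44.20", "192.168.1.10")]:  # B -> Z
        print(src, "->", dst, *evaluate(RULESET, src, dst))
    print("shadowed in RULESET:", shadowed_rules(RULESET))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over an exported ruleset is the check worth keeping: in `MISORDERED` the pass rule for A to B sits below the block for A and is reported as shadowed, and `evaluate` blocks the A to B flow that the ruleset was supposed to allow.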

                Point 1 was the problem that two networks and network cards exist on the OpenVPN client computer:
                a) Traditional LAN adapter (192.168.199.99)
                b) OpenVPN LAN adapter (10.10.10.5)

                But I was able to solve that with a client specific setting "Tunnel network" = 192.168.199.252/30. Now packets originating from this machine appear as 192.168.199.254, and that is okay for me.

                Point 2 is solved, too: I feared that the user at the customer's OpenVPN machine could be able to change his IP address to something else to get access to other networks, but if he does so, he'll never get answer packets back from the server.

                Then I have everything!!! Thanks a lot to you dreamslacker, and everyone else who wanted to help on this topic, too.

                Hugo

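Two of the settings in this thread translate directly into OpenVPN directives: dreamslacker's advice of one server per customer, each with its own tunnel network, the Local Network field left blank and only the required routes pushed; and the client-specific "Tunnel network" override of 192.168.199.252/30 that gave Hugo's client the source address 192.168.199.254. The block below is an added example, not code from the thread or generated by pfSense: it writes those fragments from a constructed customer table, refuses to proceed if two customers would share a tunnel network (the thread's original fault), and derives the ifconfig-push pair from a /30. The directive names are standard OpenVPN; that pfSense maps a /30 override to `ifconfig-push <client> <server>` with the client on the higher address in net30 topology is an assumption, as are all addresses and the `hugo-site` common name.

```python
"""Added example (not from the forum thread or pfSense): express the thread's
layout as OpenVPN directives. One server instance per customer with its own
tunnel network, no pushed 'Local Network', only explicit pushed routes, plus a
client-specific /30 override. Addresses are constructed; the /30 to
ifconfig-push mapping is an assumption about what pfSense writes."""
from ipaddress import ip_network

# Constructed tenancy: name -> (tunnel network, LAN behind the customer's
# client, routes that this customer is explicitly allowed to be pushed).
CUSTOMERS = {
    "customerA": ("10.10.1.0/24", "192.168.5.0/24", ["192.168.44.0/24"]),
    "customerB": ("10.10.2.0/24", "192.168.44.0/24", ["192.168.5.0/24"]),
    "customerC": ("10.10.3.0/24", "192.168.77.0/24", []),
}


def overlapping_tunnel_networks(customers):
    """Pairs of customers whose tunnel networks overlap. The thread's original
    trouble was every customer sharing 10.10.10.0/24; this must come back empty."""
    nets = {name: ip_network(spec[0]) for name, spec in customers.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def net30_endpoints(cidr):
    """Client and server addresses for a /30 in net30 topology: the lower
    usable address is the server end, the higher one the client end
    (192.168.199.252/30 -> client .254, server .253, as seen in the thread)."""
    net = ip_network(cidr)
    if net.prefixlen != 30:
        raise ValueError("client tunnel override must be a /30 in net30 topology")
    server_end, client_end = (str(h) for h in net.hosts())
    return client_end, server_end


def server_fragment(name, tunnel_net, lan_behind_client, pushed_routes):
    """server.conf lines for one customer's own OpenVPN instance."""
    tun = ip_network(tunnel_net)
    lan = ip_network(lan_behind_client)
    lines = [
        f"# OpenVPN server instance for {name} only",
        "dev tun",
        "topology net30",
        f"server {tun.network_address} {tun.netmask}",
        "# LAN behind this customer's client; the matching iroute lives in ccd",
        f"route {lan.network_address} {lan.netmask}",
        "client-config-dir ccd",
        "# Local Network left blank: our own LAN is deliberately not pushed",
    ]
    for r in pushed_routes:
        rn = ip_network(r)
        lines.append(f'push "route {rn.network_address} {rn.netmask}"')
    return "\n".join(lines)


def ccd_fragment(common_name, lan_behind_client, tunnel_override):
    """Client-specific override: a fixed /30 so that traffic the client machine
    itself sends into the tunnel carries one of its own LAN addresses, plus
    the iroute for the LAN behind it."""
    client_end, server_end = net30_endpoints(tunnel_override)
    lan = ip_network(lan_behind_client)
    return "\n".join([
        f"# ccd/{common_name}",
        f"ifconfig-push {client_end} {server_end}",
        f"iroute {lan.network_address} {lan.netmask}",
    ])


if __name__ == "__main__":
    clashes = overlapping_tunnel_networks(CUSTOMERS)
    assert not clashes, f"tunnel networks overlap: {clashes}"
    for name, (tun, lan, routes) in CUSTOMERS.items():
        print(server_fragment(name, tun, lan, routes), end="\n\n")
    # Assumed common name for the client whose LAN is 192.168.199.0/24.
    print(ccd_fragment("hugo-site", "192.168.199.0/24", "192.168.199.252/30"))
```

Keeping the customer table in one place makes the two invariants the thread arrived at checkable before anything is deployed: tunnel networks never overlap, and a customer only ever receives the routes listed for it, never the company LAN.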
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.