OpenVPN firewall rule



  • Hi, I have been trying to set up a firewall rule for my OpenVPN users. I have configured the OPT interface for OpenVPN (tun0), enabled it and set the IP address to none.

    After that I went to Rules, selected the new interface called openvpn and created a new rule, but when I press the Apply button the GUI returns an error related to syntax.

    To clarify:

    php: : There were error(s) loading the rules: /tmp/rules.debug:206: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [206]: pass in quick on $openvpn inet proto icmp from /32 to any icmp-type echorep keep state label "USER_RULE"

    This happens when I add a rule to the openvpn interface:

    block
    from: openvpn subnet
    to: any
    protocol: icmp
    type: any

    If I change the source from openvpn subnet to any, no error is displayed, but the rule does not work.

    I use pfSense version 1.2.3.

    How can I enable traffic filtering on OpenVPN without encountering errors?

    Thanks
    Giulio
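As an added example (not part of Giulio's post, jimp's replies or pfSense's own code): the pfctl error quoted above comes from a rule whose "openvpn subnet" macro expanded to nothing, leaving a bare "/32" where an address was expected. The shell functions below lint a generated ruleset for that pattern and, where pfctl is available, run its parse-only check. They assume the ruleset is in a file such as /tmp/rules.debug (the path shown in the error); the sample rules in the usage section are constructed for illustration.

```shell
# Added example, not pfSense code. Lint a pf ruleset for rules whose
# address field is empty, which is what an unassigned interface subnet
# macro produces in the generated /tmp/rules.debug.

# Print "<lineno>:<rule>" for every rule containing "from /NN" or "to /NN"
# with no address in front of the prefix length. Exit status follows grep:
# 0 if at least one bad rule was found, 1 if the file is clean.
find_empty_address_rules() {
    grep -n -E '(from|to)[[:space:]]+/[0-9]+' "$1"
}

# Fail (status 1) on any empty-address rule, printing the offending lines.
# Otherwise run a parse-only check with pfctl (-n: parse, do not load) when
# pfctl exists, i.e. on pfSense/BSD; on other systems only the lint runs.
check_ruleset() {
    bad=$(find_empty_address_rules "$1")
    if [ -n "$bad" ]; then
        printf 'empty address in rule(s):\n%s\n' "$bad" >&2
        return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# Usage on a pfSense box:
#   check_ruleset /tmp/rules.debug
#
# Constructed sample ruleset: line 1 reproduces the broken rule from the
# post, line 2 is the same rule with the subnet macro filled in
# (10.8.0.0/24 is an assumed tunnel network).
sample_ruleset() {
    cat <<'EOF'
pass in quick on $openvpn inet proto icmp from /32 to any icmp-type echorep keep state label "USER_RULE"
pass in quick on $openvpn inet proto icmp from 10.8.0.0/24 to any icmp-type echorep keep state label "USER_RULE"
EOF
}
```

Running `check_ruleset` against the sample reports only line 1; once the OPT interface assigned to the tun device has an address, the macro expands and the lint passes.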


  • Rebel Alliance Developer Netgate



  • Hi jimp, thanks for the reply. I have followed this guide but I can't figure out what is wrong.

    I have checked the interface and it is tun0 on the server and on the client, but no rule configured on interface tun0 will apply.

    Please advise.


  • Rebel Alliance Developer Netgate

    If you follow the instructions there exactly, it works. I've done this dozens of times.



  • I have followed the instructions at the link you advised. In the custom configuration I added dev tun9 (for example), also configured the OPTx interface with tun9, then disabled/enabled the OpenVPN server, and I can still go anywhere on my network even though I have permitted only the ICMP protocol.

    Perhaps I missed something… I don't know, but please can someone explain it to me step by step.

    Thanks



  • Hi, I have read the guide in the book you wrote, "pfSense: The Definitive Guide", and I have solved my issue because the process is explained very well.

    Thanks for all the advice.

