Restrictions in OpenVPN



  • Is it possible to restrict clients to just use the VPN to pass all traffic but be unable to see the systems inside the network?

    For example… I need some clients to be able to connect to the OpenVPN server and have full access to the internal network as well as the internet.... BUT I have some other clients who only need to route internet access through the OpenVPN server. Those clients do not need access to the internal network, only internet through the OpenVPN server.

    Is this possible?

    Thank You!



  • I know if you have each user/users on a dedicated openvpn server and have one server for network access and another for Internet you can. I would do it via PKI. You add the openvpn adapter as an interface and do firewall rules on said interface.



  • I guess I am not following…

    I have the tunnels as adapters already.... but no matter what I do they either lose complete connection to both the internal network and the internet, or they have full access to the internal network and internet.

    For example I did in the LAN Tab in firewall rules the following:

    Action: Block
    Proto: TCP/UDP
    Source: VPNClient1 Subnet
    Port: Any
    Destination: LAN Subnet
    Port: Any
    Gateway: Any
    Description: From Client1 VPN to Internal LAN = Block.

    And it gets blocked completely... It won't even go out to the internet....

    Any ideas?  TIA!



  • What is your OpenVPN config file like on the clients and pfSense? (Block out the first 2-3 octets of IPs.)



  • Client2 - OpenVPN server config (This config works as expected.)

    Proto: UDP
    Allow connected clients to retain their connections if their IP address changes.
    Port: XXXXX
    Address Pool: xxx.30.5.0/24
    Local Network: xxx.30.2.0/24
    Remote Net: Empty
    Client to Client VPN: Empty
    Crypto: Default
    Auth: PKI
    LZO: Compression

    Client1 - OpenVPN server config (This config needs only internet. Not working.)

    Proto: UDP
    Allow connected clients to retain their connections if their IP address changes.
    Port: XXXXX
    Address Pool: xxx.30.6.0/24
    Local Network: Empty
    Remote Net: Empty
    Client to Client VPN: Empty
    Crypto: Default
    Auth: PKI
    LZO: Compression
    Custom Option: dev tunX
    Client specific config:

    Client2:

    push "route xxx.30.2.0/255.255.xxx.xxx";push "redirect-gateway def1";push "dhcp-option DNS xxx.30.2.1"

    Client1:

    push "redirect-gateway def1";push "dhcp-option DNS xxx.30.2.1"

    -----------------------------------
    Client Side config:

    Client2:

    client
    dev tun
    dev-node TAP
    proto udp
    remote XXX.xxx.XXX.xxxx XXXXX
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert cert.crt
    key key.key
    ns-cert-type server
    engine cryptodev
    comp-lzo
    pull
    verb 3

    Client1:

    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tunX

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote XXX.xxx.XXX.xxx XXXXX
    ;remote my-server-2 1194

    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings

    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert cert.crt
    key key.key

    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    ;mute 20
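The requirement in this thread comes down to rule order on the OpenVPN interface: pfSense filters a packet on the interface where it enters and stops at the first matching rule, so a "block to LAN" rule must sit above the "pass to any" rule that gives the internet-only pool its internet access. The following Python model is an added example (not code from this thread or from pfSense) that replays that first-match evaluation; the 10.30.x.0/24 addresses are constructed stand-ins for the thread's xxx.30.x.0/24 networks, and the DNS allow is there because Client1's pushed resolver (xxx.30.2.1) sits inside the LAN subnet the block rule denies.

```python
# Added example: first-match firewall evaluation for an internet-only VPN pool.
# Not code from the thread or from pfSense; addresses are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("10.30.2.0/24")       # "LAN Subnet"
LAN_DNS = ipaddress.ip_network("10.30.2.1/32")       # pushed dhcp-option DNS
CLIENT1_POOL = ipaddress.ip_network("10.30.6.0/24")  # internet-only clients
CLIENT2_POOL = ipaddress.ip_network("10.30.5.0/24")  # full-access clients
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"             # "any", "tcp" or "udp"
    dport: Optional[int] = None    # None means any destination port

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, proto="tcp", dport=443):
    """Action of the first matching rule; the implicit default is block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"


# Rules for the OpenVPN interface tab (top-down, first match wins):
# 1. keep the pushed resolver reachable, since it lives inside the LAN
# 2. deny everything else from the internet-only pool to the LAN
# 3. let that pool reach anything else (the internet via redirect-gateway)
# 4. the full-access pool may reach LAN and internet alike
VPN_IF_RULES = [
    Rule("pass", CLIENT1_POOL, LAN_DNS, "udp", 53),
    Rule("block", CLIENT1_POOL, LAN_NET),
    Rule("pass", CLIENT1_POOL, ANY),
    Rule("pass", CLIENT2_POOL, ANY),
]

# Swapping rules 2 and 3 shadows the block: LAN access is silently allowed.
SHADOWED_RULES = [VPN_IF_RULES[0], VPN_IF_RULES[2], VPN_IF_RULES[1], VPN_IF_RULES[3]]
```

A rule placed on the LAN tab instead, as in the earlier post, never sees this traffic at all, because packets from tunnel clients enter on the OpenVPN interface.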



  • BumP :)



  • Bumps require payment to pfsense team if done less than 24 hrs  ;)

    So the one that is not working, does it even connect? If not, look at the config files and make sure they match on both sides.

