Restrictions in OpenVPN
-
Is it possible to restrict clients to just use the VPN to pass all traffic but be unable to see the systems inside the network?
For example, I need some clients to be able to connect to the OpenVPN server and have full access to the internal network as well as the internet, BUT I have some other clients who only need to route internet access through the OpenVPN server. Those clients do not need access to the internal network, only internet through the OpenVPN server.
Is this possible?
Thank You!
-
I know if you have each user/users on a dedicated OpenVPN server and have one server for network access and another for internet, you can. I would do it via PKI. You add the OpenVPN adapter as an interface and do firewall rules on said interface.
-
I guess I am not following...
I have the tunnels as adapters already, but no matter what I do they either lose the connection to the internal and external network completely, or they have full access to the internal network and the internet.
For example I did in the LAN Tab in firewall rules the following:
Action: Block
Proto: TCP/UDP
Source: VPNClient1 Subnet
Port: Any
Destination: LAN Subnet
Port: Any
Gateway: Any
Description: From Client1 VPN to Internal LAN = Block
And it gets blocked completely... It won't even go out to the internet....
Any ideas? TIA!
-
What is your OpenVPN config file like on the clients and on pfSense? (Block out the first 2-3 octets of the IPs.)
-
Client2 - OpenVPN server config (this config works as expected)
Proto: UDP
Allow connected clients to retain their connections if their IP address changes.
Port: XXXXX
Address Pool: xxx.30.5.0/24
Local Network: xxx.30.2.0/24
Remote Net: Empty
Client to Client VPN: Empty
Crypto: Default
Auth: PKI
LZO: Compression

Client1 - OpenVPN server config (this config needs only internet; not working)
Proto: UDP
Allow connected clients to retain their connections if their IP address changes.
Port: XXXXX
Address Pool: xxx.30.6.0/24
Local Network: Empty
Remote Net: Empty
Client to Client VPN: Empty
Crypto: Default
Auth: PKI
LZO: Compression
Custom Option: dev tunX
Client specific config:

Client2:
push "route xxx.30.2.0/255.255.xxx.xxx"
push "redirect-gateway def1"
push "dhcp-option DNS xxx.30.2.1"

Client1:
push "redirect-gateway def1"
push "dhcp-option DNS xxx.30.2.1"

------------------------------------

Client side config:

Client2:
client
dev tun
dev-node TAP
proto udp
remote XXX.xxx.XXX.xxxx XXXXX
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key key.key
ns-cert-type server
engine cryptodev
comp-lzo
pull
verb 3

Client1:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tunX

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXX.xxx.XXX.xxx XXXXX
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert cert.crt
key key.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
-
BumP :)
-
Bumps require payment to the pfSense team if done less than 24 hrs ;)
So the one that is not working, does it even connect? If not, look at the config files and make sure they match on both sides.
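Pulling the approach from the thread together, as an added example rather than any poster's own configuration: the split the original question asks for is enforced by firewall rules on the OpenVPN interface of each server instance, not by what is pushed to the client. A client that receives `redirect-gateway def1` sends everything through the tunnel, packets addressed to the LAN included, whether or not a route for the LAN was pushed, so leaving "Local Network" empty on the Client1 instance does not by itself limit what that client can reach. pfSense rules filter traffic entering the interface whose tab they sit on, which means a rule on the LAN tab never sees packets arriving from a VPN client; the rule belongs on the tab of the assigned OpenVPN interface, with a block to the LAN subnet followed by a pass to any. The fragment below is the same policy in pf.conf syntax (the rule language pfSense generates from its tabs) for a host with two OpenVPN instances on tun0 and tun1; interface names, listener ports and the documentation address ranges are assumptions standing in for the masked xxx.30.x.0/24 networks. Two things to check against the "blocked completely" symptom: without an explicit pass after the block, nothing leaves the tunnel at all, and if the DNS server pushed with `dhcp-option DNS` (xxx.30.2.1 in the thread) sits inside the LAN range, a blanket block to the LAN also blocks name resolution, so the client appears to have no internet even though packets sent by IP would be allowed. Unrelated to the filtering but worth fixing in the posted Client1 client config: `ns-cert-type server` is commented out there while Client2 has it enabled, and without it the client does not check that the certificate it is handed is a server certificate.

```pf
# Added example (not from the thread): pf.conf for a BSD/pfSense host running
# two OpenVPN server instances. Interface names, ports and address ranges are
# assumptions; documentation ranges stand in for the masked xxx.30.x.0/24 nets.
ext_if   = "em0"    # WAN
lan_if   = "em1"    # internal LAN
full_if  = "tun0"   # instance for full-access clients (Client2 in the thread)
inet_if  = "tun1"   # instance for internet-only clients (Client1 in the thread)

lan_net  = "192.0.2.0/24"       # internal LAN (xxx.30.2.0/24)
full_net = "198.51.100.0/24"    # address pool of the full-access instance
inet_net = "203.0.113.0/24"     # address pool of the internet-only instance
dns_srv  = "192.0.2.1"          # resolver pushed via "dhcp-option DNS"; it lives inside the LAN

set skip on lo0
# Floating (the default) means a state created by an inbound rule also covers
# the same flow when it leaves through another interface.
set state-policy floating

# Source-NAT both client pools out the WAN so redirect-gateway clients reach the internet.
nat on $ext_if from { $full_net, $inet_net } to any -> ($ext_if)

# Deny by default on every interface; everything below is an explicit pass.
block log all

# Let clients reach the two OpenVPN listeners from outside.
pass in quick on $ext_if proto udp to ($ext_if) port { 1194, 1195 } keep state

# Full-access instance: LAN and internet.
pass in quick on $full_if from $full_net to any keep state

# Internet-only instance. "quick" makes the first match final, so the order is the policy:
#   1. allow DNS to the pushed resolver even though it is inside the LAN,
#   2. block everything else addressed to the LAN,
#   3. pass the remainder, i.e. the internet.
# Remove rule 3 and the client loses the internet as well; remove rule 2 and the
# "to any" pass quietly includes the LAN.
pass in quick on $inet_if proto { tcp, udp } from $inet_net to $dns_srv port 53 keep state
block in log quick on $inet_if from $inet_net to $lan_net
pass in quick on $inet_if from $inet_net to any keep state

# Normal LAN egress and outbound traffic on all interfaces.
pass in quick on $lan_if from $lan_net to any keep state
pass out quick all keep state
```

The same three-rule order (pass DNS, block LAN, pass any) is what to reproduce on the pfSense tab for the Client1 instance's interface; the blocked packets are logged, so the firewall log shows immediately whether the LAN block or the default deny is what a client is hitting.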