Netgate Discussion Forum
    Restrictions in OpenVPN

    7 Posts 2 Posters 3.8k Views
      serialdie

      Is it possible to restrict clients to just use the VPN to pass all traffic but be unable to see the systems inside the network?

      For example... I need some clients to be able to connect to the OpenVPN server and have full access to the internal network as well as the internet.... BUT I have some other clients who only need to route internet access through the OpenVPN server; those clients do not need access to the internal network, only internet through the OpenVPN server.

      Is this possible?

      Thank You!

        XIII

        I know that if you have each user/group of users on a dedicated OpenVPN server, with one server for network access and another for Internet, you can. I would do it via PKI. You add the OpenVPN adapter as an interface and do firewall rules on said interface.

        -Chris Stutzman
        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
        Check out the pfSense Wiki

          serialdie

          I guess I am not following…

          I have the tunnels as adapters already.... but no matter what I do they either lose the connection to the internet and internal network completely, or they have full access to the internal network and internet.

          For example, I did the following in the LAN tab in firewall rules:

          Action: Block
          Proto: TCP/UDP
          Source: VPNClient1 Subnet
          Port: Any
          Destination: LAN Subnet
          Port: Any
          Gateway: Any
          Description: From Client1 VPN to Internal LAN = Block.

          And it gets blocked completely... It won't even go out to the internet....

          Any ideas?  TIA!

            XIII

            What is your OpenVPN config file like on the clients and pfSense? (Block out the first 2-3 octets of IPs.)

              serialdie

              Client2 - OpenVPN server config (this config works as expected)

              Proto: UDP
              Allow connected clients to retain their connections if their IP address changes.
              Port: XXXXX
              Address Pool: xxx.30.5.0/24
              Local Network: xxx.30.2.0/24
              Remote Net: Empty
              Client to Client VPN: Empty
              Crypto: Default
              Auth: PKI
              LZO: Compression

              Client1 - OpenVPN server config (this config needs only internet; not working)

              Proto: UDP
              Allow connected clients to retain their connections if their IP address changes.
              Port: XXXXX
              Address Pool: xxx.30.6.0/24
              Local Network: Empty
              Remote Net: Empty
              Client to Client VPN: Empty
              Crypto: Default
              Auth: PKI
              LZO: Compression
              Custom Option: dev tunX
              Client specific config:

              Client2:

              push "route xxx.30.2.0/255.255.xxx.xxx";push "redirect-gateway def1";push "dhcp-option DNS xxx.30.2.1"

              Client1:

              push "redirect-gateway def1";push "dhcp-option DNS xxx.30.2.1"

              -----------------------------------
              Client Side config:

              Client2:

              client
              dev tun
              dev-node TAP
              proto udp
              remote XXX.xxx.XXX.xxxx XXXXX
              ping 10
              resolv-retry infinite
              nobind
              persist-key
              persist-tun
              ca ca.crt
              cert cert.crt
              key key.key
              ns-cert-type server
              engine cryptodev
              comp-lzo
              pull
              verb 3

              Client1:

              ##############################################
              # Sample client-side OpenVPN 2.0 config file #
              # for connecting to multi-client server.     #
              #                                            #
              # This configuration can be used by multiple #
              # clients, however each client should have   #
              # its own cert and key files.                #
              #                                            #
              # On Windows, you might want to rename this  #
              # file so it has a .ovpn extension           #
              ##############################################

              # Specify that we are a client and that we
              # will be pulling certain config file directives
              # from the server.
              client

              # Use the same setting as you are using on
              # the server.
              # On most systems, the VPN will not function
              # unless you partially or fully disable
              # the firewall for the TUN/TAP interface.
              ;dev tap
              dev tunX

              # Windows needs the TAP-Win32 adapter name
              # from the Network Connections panel
              # if you have more than one.  On XP SP2,
              # you may need to disable the firewall
              # for the TAP adapter.
              ;dev-node MyTap

              # Are we connecting to a TCP or
              # UDP server?  Use the same setting as
              # on the server.
              ;proto tcp
              proto udp

              # The hostname/IP and port of the server.
              # You can have multiple remote entries
              # to load balance between the servers.
              remote XXX.xxx.XXX.xxx XXXXX
              ;remote my-server-2 1194

              # Choose a random host from the remote
              # list for load-balancing.  Otherwise
              # try hosts in the order specified.
              ;remote-random

              # Keep trying indefinitely to resolve the
              # host name of the OpenVPN server.  Very useful
              # on machines which are not permanently connected
              # to the internet such as laptops.
              resolv-retry infinite

              # Most clients don't need to bind to
              # a specific local port number.
              nobind

              # Downgrade privileges after initialization (non-Windows only)
              ;user nobody
              ;group nobody

              # Try to preserve some state across restarts.
              persist-key
              persist-tun

              # If you are connecting through an
              # HTTP proxy to reach the actual OpenVPN
              # server, put the proxy server/IP and
              # port number here.  See the man page
              # if your proxy server requires
              # authentication.
              ;http-proxy-retry # retry on connection failures
              ;http-proxy [proxy server] [proxy port #]

              # Wireless networks often produce a lot
              # of duplicate packets.  Set this flag
              # to silence duplicate packet warnings.
              ;mute-replay-warnings

              # SSL/TLS parms.
              # See the server config file for more
              # description.  It's best to use
              # a separate .crt/.key file pair
              # for each client.  A single ca
              # file can be used for all clients.
              ca ca.crt
              cert cert.crt
              key key.key

              # Verify server certificate by checking
              # that the certificate has the nsCertType
              # field set to "server".  This is an
              # important precaution to protect against
              # a potential attack discussed here:
              #  http://openvpn.net/howto.html#mitm
              #
              # To use this feature, you will need to generate
              # your server certificates with the nsCertType
              # field set to "server".  The build-key-server
              # script in the easy-rsa folder will do this.
              ;ns-cert-type server

              # If a tls-auth key is used on the server
              # then every client must also have the key.
              ;tls-auth ta.key 1

              # Select a cryptographic cipher.
              # If the cipher option is used on the server
              # then you must also specify it here.
              ;cipher x

              # Enable compression on the VPN link.
              # Don't enable this unless it is also
              # enabled in the server config file.
              comp-lzo

              # Set log file verbosity.
              verb 3

              # Silence repeating messages
              ;mute 20

                serialdie
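The separation XIII describes (a rule set on the OpenVPN interface, not the LAN tab) can be checked before it is typed into the GUI. The model below is an added example written for this thread; it is not pfSense code and not the poster's configuration. It stands in the thread's masked xxx.30.x.0/24 networks with constructed 10.30.x.0/24 values and assumes the pools and "Local Network" from the two server configs above. Two details it makes visible: the block rule in the thread matched only TCP/UDP, so ICMP from the internet-only pool to the LAN would still pass, and the pushed DNS server (xxx.30.2.1) sits inside the "Local Network", so a blanket block of the LAN also breaks name resolution unless a narrow DNS pass rule sits above it.

```python
# Added example (not from the thread or from pfSense): a first-match packet-filter
# model of the rule set that separates the two OpenVPN client groups.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_NET = "0.0.0.0/0"

# Constructed addresses standing in for the thread's masked xxx.30.x.0/24 networks.
LAN = "10.30.2.0/24"         # "Local Network" on the Client2 server
VPN_FULL = "10.30.5.0/24"    # Client2 address pool: LAN + internet
VPN_INET = "10.30.6.0/24"    # Client1 address pool: internet only
DNS_SERVER = "10.30.2.1/32"  # pushed via dhcp-option DNS; note it sits inside LAN


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", or protocols joined by "/", e.g. "tcp/udp"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # None matches any destination port
    desc: str = ""

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins, as on a pfSense interface tab; no match means block."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, rule.desc
    return "block", "default deny"


# Rules for the OpenVPN interface tab, top to bottom.
OPENVPN_RULES = [
    Rule("pass", "any", VPN_FULL, ANY_NET, desc="Client2: LAN and internet"),
    Rule("pass", "udp", VPN_INET, DNS_SERVER, 53, desc="Client1: pushed DNS server only"),
    Rule("block", "any", VPN_INET, LAN, desc="Client1: nothing else on the LAN"),
    Rule("pass", "any", VPN_INET, ANY_NET, desc="Client1: internet"),
]

# The thread's block rule as written (protocol TCP/UDP, no DNS exception) ahead of a pass-any.
TCP_UDP_ONLY_RULES = [
    Rule("block", "tcp/udp", VPN_INET, LAN, desc="From Client1 VPN to Internal LAN = Block"),
    Rule("pass", "any", VPN_INET, ANY_NET, desc="Client1: internet"),
]

# Constructed sample flows: (proto, src, dst, dport).
SAMPLE_FLOWS: Dict[str, Tuple[str, str, str, Optional[int]]] = {
    "client1_web":      ("tcp",  "10.30.6.10", "203.0.113.5", 443),
    "client1_lan_smb":  ("tcp",  "10.30.6.10", "10.30.2.50",  445),
    "client1_lan_ping": ("icmp", "10.30.6.10", "10.30.2.50",  None),
    "client1_dns":      ("udp",  "10.30.6.10", "10.30.2.1",   53),
    "client2_lan_smb":  ("tcp",  "10.30.5.10", "10.30.2.50",  445),
}


def classify(rules: List[Rule], flows=SAMPLE_FLOWS) -> Dict[str, str]:
    """Map each flow name to the action the rule set takes on it."""
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for label, rules in (("intended rule set", OPENVPN_RULES),
                         ("TCP/UDP-only block", TCP_UDP_ONLY_RULES)):
        print(label)
        for name, flow in SAMPLE_FLOWS.items():
            action, why = evaluate(rules, *flow)
            print(f"  {name:18} {action:5}  ({why})")
```

Running it prints both rule sets against the five flows: under the intended set the internet-only client reaches the web and the pushed DNS server but nothing else on the LAN, while under the TCP/UDP-only block ICMP to a LAN host still passes and DNS to the LAN resolver is blocked. The model ignores state tracking and NAT, so it checks rule order and scope only, not whether the tunnel itself comes up.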

                BumP :)

                  XIII

                  Bumps require payment to the pfSense team if done less than 24 hrs apart ;)

                  So the one that is not working, does it even connect? If not, look at the config files and make sure they match on both sides.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.