Netgate Discussion Forum

    Firewall Rules on OpenVPN Connections?

    OpenVPN
Wolfgang

      Hello,

Is it possible to apply firewall rules to OpenVPN connections (site-2-site and/or client-2-site), to limit access to the destination network based on IP and/or ports?

I tried applying firewall rules using the local addresses on a site as well as using rules against the transfer network used by OpenVPN, but both kinds of rules were not triggered. (I pushed them to the top of the existing ruleset.)

The problem seems to be that firewall rules need to address an interface. In the case of OpenVPN, I do not see any access to the TUN/TAP interfaces used by OpenVPN via the webgui. Only LAN/WAN/PPTP/PPPOE are available.

My setup for the test (site-2-site):
      local1->pfsense1->internet->pfsense2->local2

      With addresses:
      192.168.1.0/24(local network)->10.0.1.0/24(OVPN)->internet(adsl)->internet(adsl)->10.0.1.0/24(OVPN)->192.168.2.0/24

      Regards

      Wolfgang

sullrich

        No it is not in 1.0.

talong99

          Is this something that will be included in a future release?

sullrich

            Possibly.

GruensFroeschli

Wasn't it possible with the RC versions to define rules?
Or was that just pseudo and didn't affect anything?

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

sullrich

                No, it was never possible.

hoba

                  @GruensFroeschli:

Wasn't it possible with the RC versions to define rules?
Or was that just pseudo and didn't affect anything?

It happened when people assigned the tunnel interface as a separate interface. That was just a wrong way of setting it up, which led to the confusion, as you then had a tab for it under firewall rules. This was not the right procedure to set it up.

talong99

                    Where could I manually add such rules so that they would be loaded the same time as the rules specified in the UI?

sullrich

                      @talong99:

                      Where could I manually add such rules so that they would be loaded the same time as the rules specified in the UI?

                      There are no facilities for this.

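Wolfgang's opening post asks for rules that limit what the remote site can reach through the tunnel by address and port, and the thread's answer is that pfSense 1.0 offers neither a GUI tab for the tunnel interface nor a hook to load such rules alongside the GUI ruleset. As an added illustration that is not from the thread or from pfSense, this is what that filtering looks like in plain pf syntax bound to the tunnel interface: the networks are Wolfgang's, while the interface name tun0 and the single permitted server 192.168.2.10 are assumptions.

```pf
# Constructed example of per-interface filtering on an OpenVPN tunnel (plain pf syntax).
# tun0 and 192.168.2.10 are assumptions; the two LANs come from Wolfgang's setup.
ovpn_if     = "tun0"
remote_lan  = "192.168.1.0/24"
local_lan   = "192.168.2.0/24"
allowed_srv = "192.168.2.10"

# Default deny for anything arriving through the tunnel, logged so misuse is visible.
block in log on $ovpn_if

# Only HTTPS from the remote site to one server is permitted, statefully;
# "quick" stops evaluation here so the block above cannot override it.
pass in quick on $ovpn_if proto tcp from $remote_lan to $allowed_srv port 443 flags S/SA keep state

# Echo requests are allowed so the tunnel itself can still be diagnosed.
pass in quick on $ovpn_if inet proto icmp from $remote_lan to $local_lan icmp-type echoreq keep state
```

A ruleset like this can be syntax-checked without loading it using `pfctl -nf <file>`. Because pfSense generates its pf ruleset from the GUI configuration, and the thread confirms 1.0 has no facility for adding custom rules to that process, this fragment only shows what the desired policy looks like at the pf level, not a supported way of applying it in that release.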
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.