Firewall Rules on OpenVPN Connections?



  • Hello,

    Is it possible to apply Firewall Rules to OpenVPN connections (site-2-site and/or client-2-site), to limit access to the destination network based on IP and/or ports?

    I tried applying Firewall Rules using the local addresses on a site as well as using rules against the transfer network used by OpenVPN, but both kinds of rules were not triggered. (I pushed them to the top of the existing ruleset.)

    The problem seems to be that firewall rules need to address an interface. In the case of OpenVPN, I do not see any access to the TUN/TAP interfaces used by OpenVPN via the webgui. Only LAN/WAN/PPTP/PPPOE are available.

    My setup for the test (site-2-site):
    local1->pfsense1->internet->pfsense2->local2

    With addresses:
    192.168.1.0/24(local network)->10.0.1.0/24(OVPN)->internet(adsl)->internet(adsl)->10.0.1.0/24(OVPN)->192.168.2.0/24

    Regards

    Wolfgang

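Added example, not part of this thread or of pfSense itself: what the filtering Wolfgang asks for looks like in raw pf syntax, using the addresses from his site-to-site test setup. The interface name tun0, the file server address 192.168.1.10 and the port list are assumptions chosen for illustration; the thread's answers make clear that pfSense 1.0 offered no GUI or config hook for rules on the tunnel interface, so this only shows the filtering concept.

```pf
# Constructed example: pf rules filtering OpenVPN traffic on the tunnel
# interface. tun0 and the file server / port macros are assumptions;
# the networks come from the thread's site-to-site test setup.
tun_if      = "tun0"
local_net   = "192.168.1.0/24"   # LAN behind pfsense1
remote_net  = "192.168.2.0/24"   # LAN behind pfsense2
ovpn_net    = "10.0.1.0/24"      # OpenVPN transfer network
fileserver  = "192.168.1.10"     # constructed example host on local1
allowed_tcp = "{ 22, 443 }"      # constructed example: SSH and HTTPS only

# Default deny for everything arriving through the tunnel, logged so that
# unexpected traffic from the remote site shows up in the pf log.
block in log on $tun_if all

# The remote site may reach only the file server, only on the listed ports.
pass in on $tun_if proto tcp from $remote_net to $fileserver port $allowed_tcp flags S/SA keep state

# ICMP echo from the remote LAN for troubleshooting the tunnel.
pass in on $tun_if inet proto icmp from $remote_net to $local_net icmp-type echoreq keep state

# Pings between the tunnel endpoints on the transfer network.
pass in on $tun_if inet proto icmp from $ovpn_net to $ovpn_net icmp-type echoreq keep state
```

pf evaluates rules last-match-wins unless a rule says `quick`, so the default `block` goes first and the narrower `pass` rules after it override it for the permitted traffic; everything else from 192.168.2.0/24 that leaves the tunnel is dropped and logged. With `flags S/SA keep state` only the remote side can open connections, and the return packets are matched by state rather than by a second rule.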


  • No it is not in 1.0.



  • Is this something that will be included in a future release?



  • Possibly.



  • Wasn't it possible with the RC versions to define rules?
    Or was that just pseudo and didn't affect anything?



  • No, it was never possible.



  • @GruensFroeschli:

    Wasn't it possible with the RC versions to define rules?
    Or was that just pseudo and didn't affect anything?

    It happened when people assigned the tunnel interface as a separate interface. That was just a wrong way of setting it up, which led to the confusion, as you then had a tab for it under firewall rules. This was not the right procedure to set it up.



  • Where could I manually add such rules so that they would be loaded the same time as the rules specified in the UI?



  • @talong99:

    Where could I manually add such rules so that they would be loaded the same time as the rules specified in the UI?

    There are no facilities for this.

