Netgate Discussion Forum

    Limit openvpn to only one virtual interface

    • fluca1978

      Hi all,
      not sure if this is possible, however I've got a pfSense box with a physical interface that shares three virtual interfaces. Is it possible to make an OpenVPN tunnel work on only one of these VLANs? I mean, to make sure that connected clients cannot see anything outside a VLAN network? Should I do this in the OpenVPN configuration (with something like the push instruction) or via a firewall rule?

      Any hint is appreciated.

      • jimp Rebel Alliance Developer Netgate

        Firewall rules would be best there. Even if you try to do this by controlling the routes, the client could just add its own route to get to the other subnets. Firewall rules would prevent the access no matter what they do.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • fluca1978

          A doubt I've got is about where to place the blocking rules. I mean, I've got the OpenVPN that connects to a VLAN, built on top of the LAN card, and I'd like to protect all the LAN/VLANs from the OpenVPN traffic. Does it suffice to place the rule on the LAN tab (i.e., on the master interface) or should I put it into every VLAN tab or both?

          • jimp Rebel Alliance Developer Netgate

            Traffic coming from OpenVPN clients is governed by the rules on the OpenVPN tab (only available on 2.0). Place all of the pass/block rules there.

            Rules on the other tabs would only affect traffic going to the clients.

            • fluca1978

              Since I'm running pfSense 1.2 I guess I have to place a blocking rule on each of the other tabs, since I don't have an OpenVPN tab.

              Thanks.

              • jimp Rebel Alliance Developer Netgate

                1.2 or 1.2.3? If it's 1.2, you seriously need to upgrade to at least 1.2.3.

                If it's 1.2.3, you can still filter OpenVPN: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

                Adding rules on the other interfaces will only filter traffic going to OpenVPN clients, not from OpenVPN clients, probably not what you want.

                • fluca1978

                  I'm using 1.2.3, it is clear now what I have to do.

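The filtering approach recommended in this thread, sketched as raw pf rules. This is an added example, not part of any post and not output generated by pfSense; the interface name `tun0` and every subnet are constructed, and on pfSense the equivalent rules would be entered through the GUI.

```pf
# Added example. All names and addresses below are constructed assumptions.
vpn_if  = "tun0"              # assumed OpenVPN tunnel interface
vpn_net = "10.8.0.0/24"       # assumed tunnel network handed out to clients
vlan_ok = "192.168.10.0/24"   # the one VLAN the clients may reach
vlan_no = "{ 192.168.20.0/24, 192.168.30.0/24 }"   # the other two VLANs

# Everything here is matched inbound on the tunnel interface, i.e. on
# traffic coming FROM the OpenVPN clients. Rules on the LAN/VLAN
# interfaces would only see traffic heading TO the clients.
# 'quick' makes the first matching rule final (top-down evaluation).

# 1. Drop and log any attempt to reach the other VLANs. This holds even
#    when a client adds its own route to those subnets, because the
#    decision is made on the firewall, not by the pushed routing table.
block in log quick on $vpn_if inet from any to $vlan_no

# 2. Allow tunnel clients into the single permitted VLAN.
pass in quick on $vpn_if inet from $vpn_net to $vlan_ok keep state

# 3. Default deny for everything else arriving from the tunnel,
#    including spoofed source addresses outside $vpn_net.
block in log quick on $vpn_if all
```

Rule 3 also blocks client access to the firewall's own services and to the Internet through the tunnel; add narrow pass rules above it if clients need, for example, DNS on the firewall.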
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.