Limit openvpn to only one virtual interface

  • Hi all,
    Not sure if this is possible, however I've got a pfSense box with a physical interface that carries three virtual interfaces. Is it possible to make an OpenVPN tunnel work on only one of these VLANs? I mean, to make sure that connected clients cannot see anything outside that VLAN network? Should I do this in the OpenVPN configuration (with something like the push instruction) or via a firewall rule?

    Any hint is appreciated.

  • Rebel Alliance Developer Netgate

    Firewall rules would be best there. Even if you try to do this by controlling the routes, the client could just add its own route to get to the other subnets. Firewall rules would prevent the access no matter what they do.

  • A doubt I've got is about where to place the blocking rules. I mean, I've got OpenVPN connecting to a VLAN built on top of the LAN card, and I'd like to protect all the LAN/VLANs from the OpenVPN traffic. Does it suffice to place the rule on the LAN tab (i.e., on the master interface), or should I put it into every VLAN tab, or both?

  • Rebel Alliance Developer Netgate

    Traffic coming from OpenVPN clients is governed by the rules on the OpenVPN tab (only available on 2.0). Place all of the pass/block rules there.

    Rules on the other tabs would only affect traffic going to the clients.

  • Since I'm running pfSense 1.2 I guess I have to place a blocking rule on each other tab, since I don't have an OpenVPN tab.

  • Rebel Alliance Developer Netgate

    1.2 or 1.2.3? If it's 1.2, you seriously need to upgrade to at least 1.2.3.

    If it's 1.2.3, you can still filter OpenVPN:

    Adding rules on the other interfaces will only filter traffic going to OpenVPN clients, not from OpenVPN clients, probably not what you want.
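    In plain pf(4) syntax, the distinction made in both replies above (filter on the tunnel interface to catch traffic from clients; rules on the LAN/VLAN tabs only catch traffic heading to clients) looks like this. This is an added illustration, not pfSense's generated ruleset; the interface names ovpns1 and vlan20 and the address ranges are assumptions.

```pf
# Added example in plain pf syntax, not rules generated by pfSense.
# Assumptions: ovpns1 is the OpenVPN server tunnel interface, vlan20 is
# the one VLAN clients may reach, 10.0.0.0/16 covers every subnet behind
# the LAN card, and 10.8.0.0/24 is the OpenVPN tunnel network.
ovpn_if    = "ovpns1"
tunnel_net = "10.8.0.0/24"
allowed    = "10.0.20.0/24"
internal   = "10.0.0.0/16"

# Traffic ORIGINATING from VPN clients enters the firewall on the tunnel
# interface, so only "in on $ovpn_if" rules (the OpenVPN tab in 2.0, or an
# assigned tunnel interface in 1.2.3) see it. The first matching "quick"
# rule wins, so the pass to the allowed VLAN must come before the block.
# Whether or not OpenVPN pushes a route is irrelevant here: a client that
# adds its own route to 10.0.0.0/16 still hits the block rule.
pass  in quick on $ovpn_if inet from $tunnel_net to $allowed  keep state
block in quick on $ovpn_if inet from $tunnel_net to $internal

# A rule on a LAN/VLAN tab is "in on vlan20": it matches packets entering
# the firewall from that VLAN, i.e. hosts there talking TO clients. Putting
# the block on these tabs would not stop client-originated connections.
pass  in quick on vlan20 inet from $allowed to $tunnel_net keep state
```

    With this ruleset, pfctl -sr on the firewall should list the two ovpns1 rules ahead of any LAN-side rule for the tunnel network; if the block is missing there, client traffic to the other VLANs is not being filtered.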

  • I'm using 1.2.3, it is clear now what I have to do.
