Firewall and OpenVPN



  • Question before I accidentally block someone's VPN ;)…. I have a dozen or so OpenVPN tunnels on pfSense (pfSense 2 being the server). I want to block certain tunnels from accessing certain IPs. I am wondering whether, for the source port, I could specify the OpenVPN port it connects on and block from there. Example: VPN1 connects on UDP port 1194 and I want that to access the entire subnet. VPN2 connects on UDP port 1195 and I only want it to access certain IPs. Could I simply define the source port UDP 1195 when making my firewall rule?

    I do understand it applies to the entire remote subnet; that is OK. I do not know what IPs on the remote subnet are coming in, as they are dynamic. I just know anything connecting to VPN2 is a specific site which can only access certain IPs.

    Thanks in advance.



  • I am not sure if I really understand you correctly.

    Do you have 2 OpenVPN servers? One using port 1194 and the other 1195? If yes, then you have two different tunnel networks (source address in firewall rules) which you can use to allow/deny traffic. The source port should be in nearly all cases "any".

    If you only have one OpenVPN server running and you would like only some clients to have full access and the others only limited access, then you can do this with "Client specific override". Just enter the client's certificate CN there and then assign a tunnel network with /30 as the subnet mask, so the client with the corresponding cert/CN will always get the same IP address. Then you are able to create rules on the firewall by source IP address.
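
The per-client /30 approach described in the reply above, worked through as an added example (not part of the original thread and not pfSense code). The CNs, tunnel network and destination address are constructed; it assumes the net30 layout where the second usable address of each /30 goes to the client, and handing out blocks from the top of the tunnel network is a choice made here to stay clear of dynamically assigned addresses.

```python
import ipaddress


def plan_overrides(tunnel_net, common_names):
    """Map each certificate CN to its own /30 and fixed client address."""
    net = ipaddress.ip_network(tunnel_net)
    # Walk the /30 blocks from the top down; [:0:-1] also drops the first
    # /30, which the server itself occupies in a net30 layout.
    blocks = list(net.subnets(new_prefix=30))[:0:-1]
    if len(common_names) > len(blocks):
        raise ValueError(f"{net} has only {len(blocks)} spare /30 blocks")
    plan = {}
    for cn, block in zip(common_names, blocks):
        # Assumption: first usable address = server end, second = client.
        server_end, client_ip = block.hosts()
        plan[cn] = {"override_network": str(block), "client_ip": str(client_ip)}
    return plan


def restricted_rules(client_ip, allowed_destinations):
    """Ordered first-match rules: pass the listed hosts, then block the rest."""
    src = str(ipaddress.ip_address(client_ip))
    rules = [("pass", src, str(ipaddress.ip_address(d))) for d in allowed_destinations]
    rules.append(("block", src, "any"))  # must stay last, source port is "any"
    return rules


def owner_of(plan, source_ip):
    """Resolve a source address seen in a firewall log back to a CN."""
    addr = ipaddress.ip_address(source_ip)
    for cn, entry in plan.items():
        if addr in ipaddress.ip_network(entry["override_network"]):
            return cn
    return None  # address came from the dynamic pool, not an override


if __name__ == "__main__":
    # Constructed sample: two sites on one server with tunnel net 10.0.8.0/24.
    plan = plan_overrides("10.0.8.0/24", ["site-full", "site-limited"])
    for cn, entry in plan.items():
        print(cn, entry["override_network"], entry["client_ip"])
    for rule in restricted_rules(plan["site-limited"]["client_ip"], ["192.168.1.10"]):
        print(rule)
```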

