Netgate Discussion Forum
    Firewall and OpenVPN

    • deresistance

      Question before I accidentally block someone's VPN ;) ... I have a dozen or so OpenVPN tunnels on pfSense (pfSense 2 being the server). I want to block certain tunnels from accessing certain IPs. I am wondering whether, for the source port, I could specify the OpenVPN port it connects on and block from there. Example: VPN1 connects on UDP port 1194; I want that to access the entire subnet. VPN2 connects on UDP port 1195; I only want it to access certain IPs. Could I simply define the source port UDP 1195 when making my firewall rule?

      I do understand it applies to the entire remote subnet; that is OK. I do not know which IPs on the remote subnet are coming in, as they are dynamic. I just know anything connecting to VPN2 is a specific site which can only access certain IPs.

      Thanks in advance.

      • Nachtfalke

        I am not sure if I really understand you correctly.

        Do you have 2 OpenVPN servers? One using port 1194 and the other 1195? If yes, then you have two different tunnel networks (source address in firewall rules) which you can use to allow/deny traffic. The source port should be "any" in nearly all cases.

        If you only have one OpenVPN server running and you would like only some clients to have full access and the others only limited access, then you can do this with "Client specific override". Just enter there the client's CN of the certificate and then assign a tunnel network with /30 as subnet mask, so the client with the corresponding cert/CN will always get the same IP address. Then you are able to create rules on the firewall by source IP address.

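As an added illustration of the reply above (example rules written for this thread, not from either poster or from pfSense itself), here is what both approaches look like as raw pf rules of the kind pfSense generates; the interface names, tunnel networks, LAN subnet and host addresses are assumed.

```pf
# Added example, not from the thread. Interface names, subnets and hosts are assumed.
# Assumed layout:
#   ovpns1 = OpenVPN server on UDP 1194, tunnel network 10.8.0.0/24 (full LAN access)
#   ovpns2 = OpenVPN server on UDP 1195, tunnel network 10.9.0.0/24 (restricted)
#   LAN    = 192.168.1.0/24, hosts VPN2 may reach: 192.168.1.10 and 192.168.1.20
#
# These rules are evaluated on the tunnel interfaces, i.e. on decapsulated traffic.
# UDP 1194/1195 only exist on the WAN side where the encrypted OpenVPN packets
# arrive, so the inner packets carry ordinary client source ports and cannot be
# told apart by port. Hence no source port clause (pfSense "any") and the tunnel
# network (or a pinned client address) as the selector.

ovpn1_net  = "10.8.0.0/24"
ovpn2_net  = "10.9.0.0/24"
lan_net    = "192.168.1.0/24"
table <vpn2_allowed> { 192.168.1.10, 192.168.1.20 }

# --- Two servers: each tunnel network is the source address ---------------

# VPN1 clients may reach the whole LAN.
pass  in quick on ovpns1 inet from $ovpn1_net to $lan_net

# VPN2 clients reach only the listed hosts; anything else into the LAN is dropped.
pass  in quick on ovpns2 inet from $ovpn2_net to <vpn2_allowed>
block in quick on ovpns2 inet from $ovpn2_net to $lan_net

# --- One server: Client Specific Override pins a client to a /30 -----------

# Assumed: the override for the restricted client's certificate CN assigns the
# tunnel network 10.8.0.8/30, so that client always comes in as 10.8.0.10.
# Its rules must sit before the broad VPN1 pass rule because of "quick".
cso_client = "10.8.0.10"
pass  in quick on ovpns1 inet from $cso_client to <vpn2_allowed>
block in quick on ovpns1 inet from $cso_client to $lan_net
```

In the pfSense GUI these map to rules on the respective OpenVPN interface tab with Source set to the tunnel network or the pinned client address, Source Port left at "any", and Destination set to the LAN subnet or an alias of the permitted hosts.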
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.