OpenVPN restrict client access to specific ip address or ip addresses



  • Hi Guys,

    I've searched the forums, but didn't really come across instructions on how to restrict OpenVPN clients' access to a specific IP address or IP addresses for pfSense 2.0.1 or pfSense 2.1.

    How can I do this?

    Is this done in the "Client Specific Overrides" tab, and can I ask how to do it?

    Or is this done in the firewall settings for LAN?

    Also, are there any changes to be made in the "Advanced" section of pfSense in terms of VPN auto rules, or anything like that?

    Thanks for your assistance.

    Jits.



  • Limiting access initiated from the OpenVPN clients must be done on the firewall's OpenVPN tab. You can limit the access there.
    The "problem" with OpenVPN is that in general the clients will get different IPs when connecting to the OpenVPN server, so it will be difficult to create rules by source IP address. You can solve this problem with the "Client Specific Override".

    Client Specific Override needs certificates. Without certificates - which means you need to use SSL/TLS - CSO will not work.
    If you have certificates, then you have to put the certificate's Common Name (CN) into the "Client Specific Override" config and then add a "static" IP address for this OpenVPN client. Every OpenVPN client gets a /30 subnet, so you have to assign this client a /30 subnet.

    Then you can make firewall rules based on this /30 subnet.



  • 
    Thanks for this, Nachtfalke.

    I already have CSOs for remote POS receipt printers, and so I initially thought there would also need to be some CSOs for limiting clients' access to network resources, but did not figure on the OpenVPN firewall tab playing a role.

    I'm going to try this and report back. I'm sure there are other users out there who would find this useful as well.

    Thanks, Jits.



  • I'm struggling with the same problem but from the opposite end. I inherited a pfSense router from my predecessor and am trying to learn pfSense as I go. The problem I'm struggling with now is that he had set up a bunch of OpenVPN tunnels, and one of the users is only able to hit certain IPs on the inside network but needs to hit all. I did go through the firewall rules but cannot identify anything that would cause this behavior. All the tunnels have a single rule configured with source and destination of any, but with the port matching the port defined in the tunnel.

    When I look at the OpenVPN tab, I only see the different tunnels and the ability to modify those or create new ones... I don't see any way to limit clients' access to certain IPs. What am I missing?



  • Limiting client access to certain IPs must be done by firewall rules on the OpenVPN tab.
    If you assign a static IP/subnet (/30) to an OpenVPN client, then you put this subnet as "Source" in the firewall rule and, as destination, the IP addresses this client should be able to connect to.

    Or did I misunderstand your question?



  • Maybe... let me be more detailed, since I'm new to both pfSense and OpenVPN and may not be relating correctly.

    First off, I don't have tabs; I have drop-down menus in pfSense. One menu is "Firewall" and has a "Rules" option under it where I can go to view/modify all the rules. Another menu is "VPN" and has an "OpenVPN" option under it where I can go to view/modify all the tunnels.

    In trying to learn, I set up a test tunnel for myself, "TestTunnel", and the configuration looks like this:
    Protocol: UDP
    Dynamic IP: Unchecked
    Local Port: 1250
    Address Pool: 192.168.250.0/24
    Use Static IPs: Unchecked
    Local Network: 192.168.0.0/24
    Remote Network: Blank
    Client-to-client VPN: Unchecked
    Cryptography: BF-CBC (128-bit)
    Authentication Method: PKI (Public Key Infrastructure)
    Shared Key: Blank
    CA Certificate: I copied this value from another tunnel my predecessor created
    Server Certificate: I copied this value from another tunnel my predecessor created
    Server Key: I copied this value from another tunnel my predecessor created
    DH Parameters: I copied this value from another tunnel my predecessor created
    CRL: Blank
    DHCP-Opt.:DNS-Domainname: Blank
    DHCP-Opt.:DNS-Server: Blank
    DHCP-Opt.:WINS-Server: Blank
    DHCP-Opt.:NBDD-Server: Blank
    DHCP-Opt.:NTP-Server: Blank
    DHCP-Opt.:NetBIOS Node Type: None
    DHCP-Opt.:NetBIOS Scope: Blank
    DHCP-Opt.:Disable NetBIOS: Checked
    LZO Compression: Checked
    Custom Options: Blank
    Description: TestTunnel

    On the same page, I have a Client-specific Configuration tab which has one rule in it that pushes the 192.168.0.0 route. My predecessor created this and I believe it works correctly.

    And then I have one firewall rule, and it is configured like this:
    Action: Pass
    Disabled: Unchecked
    Interface: WAN
    Protocol: UDP
    Source:
      Not: Unchecked
      Type: Any
      Address: Blank
    Source OS: Any (grayed out)
    Destination:
      Not: Unchecked
      Type: Any
      Address: Blank
    Destination Port Range:
      From: Other - 1250
      To: Other - 1250
    Log: Checked
    No XMLRPC Sync: Unchecked
    Schedule: None
    Gateway: Default
    Description: Inbound_OVPN_TestTunnel_1250

    And none of the Advanced options were modified from default.

    So, at this point, I am able to connect the tunnel from my home, and I am able to ping and HTTPS into the router, which is at 192.168.0.2. I am also able to ping other devices at 192.168.0.11 and 192.168.0.123, so I know the connection is good. The problem, however, is that I can't ping all the devices on that network. For example, I get a timeout on 192.168.0.115, but if I plug in on the LAN itself (not over VPN), 192.168.0.115 does reply.

    So I'm not sure where, but it appears that somewhere there must be a control limiting my access to certain IPs and not all. Since a lot of these settings were copied from another tunnel/rule that my predecessor made, it is possible that I'm inheriting some restrictions intended for that tunnel, but I'm not sure where to find that. One thought I had was that it may be built into the certs I'm borrowing, but I couldn't figure out how to create a new cert to prove it.



  • Hi,

    The rule you have is active on interface "WAN". This is a rule which allows you to connect to the OpenVPN server and start to establish the VPN tunnel from the outside world.
    But this rule does not tell you what is allowed within the VPN tunnel. You can configure separate firewall rules for traffic within the VPN. This can be done by going to Firewall -> Rules. On this page you will find a tab or pull-down for "OpenVPN". There you can modify the rules for the VPN clients. Here you have to check what is allowed and what is not allowed.

    If the rules are okay, then make sure that the host you want to connect to (192.168.0.115) has no internal firewall which blocks pings from subnets other than the one it is located on.
    ---- edit ----

    @WRI
    In another thread you created, I read something about you using pfSense 1.2.3. I am not familiar with this version. I am using 2.x. So probably the GUI is different and the functions are different, too.
    Sorry for that.
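As an added example that is not from this thread, from pfSense, or from OpenVPN itself: a small POSIX shell helper that produces the two pieces the answers above describe. First, the client-specific override in its raw form, the OpenVPN client-config-dir file (named after the certificate CN, which is why CSO needs SSL/TLS certificate auth) with an ifconfig-push that pins one client to its net30 /30. Second, pf rules that keep the two jobs apart that the last answer distinguishes: the WAN rule only lets the tunnel be built on the OpenVPN port, while rules on the openvpn interface group decide what that client's /30 may reach inside. The ccd path, the CN "pos-printer-1", the 10.8.0.0/24 tunnel pool, UDP/1194, the pf macro `$ext_if` and the pf group name `openvpn` are assumptions for illustration; the LAN hosts reuse the addresses quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread, pfSense or OpenVPN. Given a
# net30-topology OpenVPN client address, derive its /30 and emit
#  (1) the client-config-dir file that pins the client to that /30
#      (what the pfSense "Client Specific Override" writes for you), and
#  (2) pf rules that separate "may build the tunnel" (WAN) from
#      "may reach these hosts through the tunnel" (openvpn group).
# Assumptions: ccd path, CN, 10.8.0.0/24 pool, UDP/1194, the pf macro
# $ext_if and the pf interface group name "openvpn".

# net30: every client occupies one /30. The network address is the client
# address with the low two bits cleared: 10.8.0.5 -> 10.8.0.4/30
net30_block() {
    ip=$1
    prefix=${ip%.*}
    d=${ip##*.}
    echo "$prefix.$(( d - d % 4 ))/30"
}

# In net30 the client is network+1 and the server-side endpoint network+2.
# Anything else is not a usable client slot; reject it instead of writing
# a ccd file that OpenVPN would apply with the wrong peer address.
is_net30_client() {
    d=${1##*.}
    [ $(( d % 4 )) -eq 1 ]
}

net30_peer() {
    prefix=${1%.*}
    d=${1##*.}
    echo "$prefix.$(( d + 1 ))"
}

# Write the ccd file. OpenVPN selects the file by the certificate CN, so
# the file name must equal the CN exactly. Prints the path written.
write_ccd() {
    ccd_dir=$1 cn=$2 client_ip=$3
    is_net30_client "$client_ip" || {
        echo "not a net30 client address: $client_ip" >&2
        return 1
    }
    mkdir -p "$ccd_dir"
    printf 'ifconfig-push %s %s\n' "$client_ip" "$(net30_peer "$client_ip")" \
        > "$ccd_dir/$cn"
    echo "$ccd_dir/$cn"
}

# pf rules, one per line:
#  - WAN: only admits the OpenVPN port, i.e. lets the tunnel be established;
#    it says nothing about what flows inside the tunnel
#  - openvpn group: passes this client's /30 to the listed hosts, then
#    blocks the rest of its traffic; other clients' /30s are untouched
pf_rules() {
    client_ip=$1 ovpn_port=$2
    shift 2
    block=$(net30_block "$client_ip")
    echo "pass in quick on \$ext_if proto udp from any to (\$ext_if) port $ovpn_port"
    for dst in "$@"; do
        echo "pass in quick on openvpn from $block to $dst"
    done
    echo "block in quick on openvpn from $block to any"
}

# Usage (assumed paths and CN):
#   write_ccd /var/etc/openvpn/server1/ccd pos-printer-1 10.8.0.5
#   pf_rules 10.8.0.5 1194 192.168.0.11 192.168.0.123
```

The order of the emitted rules matters because every rule carries `quick`: the pass rules for the allowed hosts must precede the final block for the /30, which is the same top-to-bottom, first-match order the pfSense rule tabs use.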



  • Thanks Nachtfalke - Yes, I posted a fresh thread in addition to this one; here's what I posted last so that it's all in one place.

    When I look under Firewall -> Rules I don't see an OpenVPN tab, but I do see a tab named OPT1PLC which, I assume, is Option 1, and PLC is actually the name of the network I'm trying to tunnel to.

    In there are about a dozen allow rules and 1 deny, but none of them appear to be allowing me to ping the devices that do succeed, much less denying the devices that fail. Actually, all of them have destination addresses which would not cover the address I'm pinging from.

    Just to be sure, though, I made another rule here and included "OPT1PLC net" as my Source and put in my own subnet as my destination, with both the Ports and the Gateway fields set to *, but saw no difference. The new test rule is at the top so we don't interfere with any other rules.

    So if I'm understanding correctly, under Firewall -> Rules we establish what traffic can come in and therefore what tunnel can be created, which appears to be working correctly.

    Under Firewall -> Rules -> OPT1PLC we would establish what traffic can come back out and therefore respond to the tunnel. If that's the case, then is all traffic denied until explicitly allowed? If so, then I would think that my test rule above should have fixed my problem, but it didn't seem to make a difference... is there some magic to the format of these outbound rules that's different?



  • The other thing to check is that the devices that do not respond (e.g. 192.168.0.115) do have their default gateway set to your pfSense LAN address (192.168.0.2). Devices like WiFi APs etc. often get set up with their IP address/netmask on the LAN, but no one enters a default gateway for them (or their default gateway is set to some old router address from years ago...). So they talk happily on the LAN, but can't get outside.

