Block local openVPN connections



  • I noticed that several colleagues don’t disconnect their openVPN client (lazy guys!) when they arrive at the office. Therefore the traffic to local servers is unnecessarily routed through the pfsense, because the TAP adapter has the highest priority in Windows.
    My old router (IPCOP) blocked local VPN connections by default.

    I’ve tried to create a firewall rule to block local access, but it didn’t work:
    WAN Rule
    Action: Block
    Interface: WAN
    TCP/IP Version: Ipv4
    Protocol: UDP
    Source: LAN net
    Destination: WAN address
    Destination Port range: 1195 (our VPN port)

    What am I doing wrong?

    Best,
    Daniel



  • I think you will use Outbound NAT. So the clients have the IP address your outbound NAT rule assigns to the outgoing connections.
    So replace the source address in your rule with the outbound NAT address to block these connections.



  • Put the rule on the LAN interface instead of WAN. The connections are coming in from the LAN interface and it's not possible to block them using WAN rules because the traffic is arriving to the WAN interface from the "inside" and not from the internet.
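A toy model of the point made above, added here and not taken from the thread or from pfSense itself: each interface tab filters traffic entering that interface, and the first matching rule wins. The addresses and the anti-lockout/default-allow rules are constructed assumptions; only the VPN port comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample addressing; the thread only gives the port (1195).
LAN_NET = ip_network("192.168.1.0/24")
LAN_ADDR = ip_address("192.168.1.1")    # pfSense LAN address (anti-lockout target)
WAN_ADDR = ip_address("203.0.113.10")   # pfSense WAN address the VPN clients dial
VPN_PORT = 1195

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet ENTERS pfSense on
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str      # tab the rule lives on: it filters traffic entering that interface
    action: str     # "pass" or "block"
    proto: str      # "udp", "tcp" or "any"
    src: object     # IPv4Network (a "net" selector) or IPv4Address (an "address")
    dst: object     # same, or None for "any"
    dport: Optional[int] = None   # None means any port

def _addr_in(spec, addr) -> bool:
    if spec is None:
        return True
    return addr in spec if isinstance(spec, IPv4Network) else addr == spec

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.in_iface
            and rule.proto in ("any", pkt.proto)
            and _addr_in(rule.src, ip_address(pkt.src))
            and _addr_in(rule.dst, ip_address(pkt.dst))
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; pfSense's implicit default is to block."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "block"

# The lazy client: a LAN host dialling the VPN port on the WAN address from inside.
VPN_FROM_INSIDE = Packet("lan", "udp", "192.168.1.50", str(WAN_ADDR), VPN_PORT)
ANTI_LOCKOUT = Rule("lan", "pass", "tcp", LAN_NET, LAN_ADDR)      # simplified: any port
DEFAULT_ALLOW_LAN = Rule("lan", "pass", "any", LAN_NET, None)
# Attempt 1: block rule on the WAN tab -> never consulted, the packet enters on LAN.
ATTEMPT_WAN_TAB = [Rule("wan", "block", "udp", LAN_NET, WAN_ADDR, VPN_PORT), ANTI_LOCKOUT, DEFAULT_ALLOW_LAN]
# Attempt 2: LAN tab but source "WAN address" -> the client's source is a LAN host, no match.
ATTEMPT_WRONG_SRC = [ANTI_LOCKOUT, Rule("lan", "block", "udp", WAN_ADDR, WAN_ADDR, VPN_PORT), DEFAULT_ALLOW_LAN]
# Fix: LAN tab, source LAN net, placed above the default allow rule.
FIX_LAN_TAB = [ANTI_LOCKOUT, Rule("lan", "block", "udp", LAN_NET, WAN_ADDR, VPN_PORT), DEFAULT_ALLOW_LAN]
```

Run `evaluate(FIX_LAN_TAB, VPN_FROM_INSIDE)` to see the block take effect, and swap in the two attempts to see why they pass the traffic.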



  • @kpa:

    because the traffic is arriving to the WAN interface from the "inside" and not from the internet.

    Thanks for the correction. I hadn't considered that.



  • @viragomann:

    I think you will use Outbound NAT. So the clients have the IP address your outbound NAT rule assigns to the outgoing connections.
    So replace the source address in your rule with the outbound NAT address to block these connections.

    I assume the "outbound NAT address" is equal to the "WAN address"?

    @kpa:

    Put the rule on the LAN interface instead of WAN. The connections are coming in from the LAN interface and it's not possible to block them using WAN rules because the traffic is arriving to the WAN interface from the "inside" and not from the internet.

    I tried (directly below the "Anti-Lockout rule"):

    Action: Block
    Interface: LAN
    TCP/IP Version: Ipv4
    Protocol: UDP
    Source: WAN address
    Destination: WAN address
    Destination Port range: 1195 (our VPN port)

    and also

    Action: Block
    Interface: LAN
    TCP/IP Version: Ipv4
    Protocol: UDP
    Source: LAN net
    Destination: WAN address
    Destination Port range: 1195 (our VPN port)

    But the clients are still able to connect to the openVPN Server within the LAN.

    Any ideas?



  • Just for reference: after updating to v2.2.2 I was able to block local openVPN access with the same rules described in the previous post. Therefore it seems to be an issue of the 2.1 release.

    Problem solved.