How to Filter a "Road warrior" OVPN connection
-
OK ok, before everyone piles on and says "you can't, you can't" or "read other threads about this" (trust me, I have, much too much). I know for a fact (albeit it may have only been back in the 1.0 rev) that there were individuals (ref: http://forum.pfsense.org/index.php/topic,2228.0.html) who had configured (I believe manually) a tun interface for their OVPN setups, and even had an interface tab appearing in the Rules page, thus allowing them to configure rules for it. I know the maintainers of PF are apparently frowning on this, but I would LOVE to hear about how to do this (ostensibly unsupported) maneuver, as the thought of having an unregulated, uncontrolled inbound connection into my environment doesn't thrill me.
I believe dairaen and Numbski made mention of having been successful at filtering their tunX interfaces in the above thread. It just strikes me that there must be a way to achieve this (even if it isn't "automagically" done by pfSense currently).
Thanks for any and all assistance with this, and apologies to any devs I may have annoyed in researching the answer to this.
-Alex
LIMITATION OF LIABILITY:
I remove any and all members of the pfSense project, or any other casual or incidental user of said product, from liability, flaming, reprisals, or other such mutterings beneath my breath in the event that any and all advice received and enacted comes to naught (or worse). -
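To make concrete what "filtering the tun interface" would look like, here is an added example in plain pf rule syntax; it is not from the thread, not from pfSense's own generated ruleset, and the interface name, tunnel network, LAN range and mail host address are all constructed assumptions. The point is the shape of the policy: default-deny on the tunnel interface, log the drops, then pass only the services a road-warrior client actually needs.

```pf
# Added example, not from the original thread or from pfSense.
# Assumptions (constructed): OpenVPN clients land on tun0 with tunnel network
# 10.8.0.0/24; the LAN is 192.168.1.0/24 with a mail server at 192.168.1.10.
tun_if    = "tun0"
vpn_net   = "10.8.0.0/24"
lan_net   = "192.168.1.0/24"
mail_host = "192.168.1.10"

# Default deny on the tunnel interface, logged, so a stolen laptop that
# connects with valid keys can only reach what is explicitly allowed and
# anything else it probes shows up in the pf log.
block in log on $tun_if all

# Allow only the needed services: IMAPS and submission to the mail host.
pass in quick on $tun_if proto tcp from $vpn_net to $mail_host port { 993, 587 } flags S/SA keep state

# Let clients ping the LAN for basic troubleshooting, nothing more.
pass in quick on $tun_if proto icmp from $vpn_net to $lan_net icmp-type echoreq keep state
```

Because pfSense regenerates its ruleset from the GUI configuration, this fragment is meant to show the intended policy rather than a file to drop in place; it also does nothing about the credential problem raised below (a valid certificate still gets a tunnel), which is why per-user authentication is a separate control.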
Asenkevitch,
I too am a bit scared of a hole, as I see it, in pfSense's OpenVPN implementation. If my mobile user loses control of his laptop, anyone with access to that machine can connect to my network. Yes, I can revoke the keys, but what if my user can't/doesn't tell me for several days? Also, the administration overhead of all those certificates gets cumbersome when you start getting beyond 10-15 users.
You want filtering, which could add some protection to certain boxes/segments, but what I would like is user authentication via RADIUS. Without the right credentials, nobody gets in. In fact, they get locked out. That said, I have seen several posts of people who have done some twists and turns to get RADIUS and PAM working; however, we use the embedded version, which has no package support. So my question is: how can an enterprise using pfSense on the embedded platform sleep easy knowing they have certificates and authentication protecting the OpenVPN doorway?
I would love to help any bounty proposing for out-of-the-box OpenVPN/RADIUS on the embedded platform if anyone knows of one.
Thanks,
Pedro