OpenVPN Rules using an OpenVPN interface



  • I am trying to set up an OpenVPN configuration to support a multi-layered approach to VPN access on my pfSense FW.  To that end I have created multiple OpenVPN server instances with different credentials and assigned each of the server interfaces to an optional interface;  I.E. Ops, Admin, Sec, etc. See attach for example.

    Now when I can create general rules for the standard OpenVPN interface and add access "permissions" through the OpenVPN_Ops interface … and others which are based on the connection used.  I intend to further refine access using Client Specific Overrides.

    The Problem:
    I use the <ovpn interface="">_net to restrict access when I create rules on the <ovpn interface="">but these rules don't "hit".  ((alias not populated on connect?))

    One of the main reasons that I want to do this is to restrict access as much as possible without having to hard code values ... especially since the OpenVPN GUI doesn't appear to honor Aliases.  We want to minimize the possibility of 'fat fingering' values and inadvertently opening holes or breaking configurations.

    Is there something I am missing here?  Seems like these aliases should be populated at connect time and honored in the rules.

    Is there a better way to do this?

    ![pfSense Ovpn interface.png](/public/imported_attachments/1/pfSense Ovpn interface.png)
    ![pfSense Ovpn interface.png_thumb](/public/imported_attachments/1/pfSense Ovpn interface.png_thumb)
    ![pfSense Ovpn interface Rules.png](/public/imported_attachments/1/pfSense Ovpn interface Rules.png)
    ![pfSense Ovpn interface Rules.png_thumb](/public/imported_attachments/1/pfSense Ovpn interface Rules.png_thumb)</ovpn></ovpn>


Log in to reply