Netgate Discussion Forum
    OpenVPN Firewalling

    Sqvirrel

      I'm sorry to ask a question that's probably been asked 1000 times before.

      I am trying to do some best-practice firewalling between me and my friend's site-to-site OpenVPN tunnel.
      Let's say the network looks like this:

      Local(My) network: 192.168.1.0/24
      Remote site-to-site network: 192.168.2.0/24
      Local tunnel endpoint 192.168.10.1
      Remote tunnel endpoint: 192.168.10.2

      I have no idea what kind of people might connect on his network, so I will try to be a little strict with what I will let pass through the tunnel.
      So I guess the best way to go, is probably to specify what IS allowed through, instead of specifying everything that is NOT allowed.

      Now my question is about how to specify the source when filtering the traffic. If I understand correctly, the filtering is happening on the OpenVPN tab. Can I set the source to be that whole subnet on his end (192.168.2.0/24) and that's good? Or can I specify the tunnel IP as a source, and in that way block/allow from that particular tunnel to him, no matter what subnet he has? (I have more VPN tunnels to other people.) In other words, can I use source 192.168.10.2?

      He may have other VPN tunnels on his end to other people, and I would like to restrict access for them (but maybe still allow him (his subnet) access), so they don't just "bridge" their way onto my home network. How can this be avoided?

      Regards

      Derelict (LAYER 8, Netgate)

        Pass the specific traffic you want to come through.  Everything else will be blocked.

        The traffic will be coming from the 192.168.2.0/24 network unless he is natting it, in which case it will come from his tunnel IP.

        So, say you want anyone on his LAN to be able to connect to a web server at 192.168.1.100:80.  You could put this on the OpenVPN Tab:

        Pass IPv4 TCP any any dest 192.168.1.100 port 80

        That's all pfSense will allow in through that OpenVPN tunnel.  Everything else will be blocked,  just like any other interface.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

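The following is an added illustration, not code from either poster and not pfSense's own rule engine. It models the OpenVPN-tab behaviour Derelict describes (first matching pass rule wins, anything unmatched hits the implicit default deny) and evaluates a few constructed packets against two rulesets: the exact rule from the answer (any source, TCP to 192.168.1.100 port 80) and a tightened variant that answers Sqvirrel's follow-up by restricting the source to the friend's LAN 192.168.2.0/24. The 192.168.3.0/24 network is a constructed placeholder for "some other tunnel on his end"; it is not from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR network or "any"
    dst: str              # CIDR network or "any"
    dport: Optional[int]  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# Derelict's rule as written: "Pass IPv4 TCP any any dest 192.168.1.100 port 80"
OPENVPN_TAB_ANY_SOURCE = [
    Rule("pass", "tcp", "any", "192.168.1.100/32", 80),
]

# Tightened variant for Sqvirrel's concern: only the friend's own LAN may reach the
# web server, so hosts arriving via other tunnels on his side get the default deny.
OPENVPN_TAB_FRIEND_LAN_ONLY = [
    Rule("pass", "tcp", "192.168.2.0/24", "192.168.1.100/32", 80),
]

# Constructed sample traffic (labels only; none of these packets are from the thread).
SAMPLE_PACKETS = {
    "friend_lan_http": Packet("tcp", "192.168.2.50", "192.168.1.100", 80),
    "friend_lan_ssh": Packet("tcp", "192.168.2.50", "192.168.1.100", 22),
    "friend_lan_udp80": Packet("udp", "192.168.2.50", "192.168.1.100", 80),
    "friend_lan_other_host": Packet("tcp", "192.168.2.50", "192.168.1.20", 80),
    # Hypothetical third party routed through the friend's site (192.168.3.0/24 is constructed).
    "third_party_http": Packet("tcp", "192.168.3.7", "192.168.1.100", 80),
    # What the traffic looks like if the friend NATs it to his tunnel IP, as the answer notes.
    "friend_natted_http": Packet("tcp", "192.168.10.2", "192.168.1.100", 80),
}


def verdicts(rules: List[Rule]) -> dict:
    """Return the pass/block decision for every sample packet under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, ruleset in (("any source", OPENVPN_TAB_ANY_SOURCE),
                           ("source 192.168.2.0/24", OPENVPN_TAB_FRIEND_LAN_ONLY)):
        print(f"--- OpenVPN tab, {label} ---")
        for name, verdict in verdicts(ruleset).items():
            print(f"{name:24s} {verdict}")
```

Two things the output makes concrete: with the any-source rule, SSH, UDP and traffic to any other local host are blocked by the default deny even though nothing explicitly blocks them, which is the whole of Derelict's point; and once the source is pinned to 192.168.2.0/24, a host behind a different tunnel on the friend's side is dropped, but so is the friend himself if he NATs to 192.168.10.2, so the source you pick has to match what the traffic actually arrives as.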