OpenVPN Firewalling

  • I'm sorry to ask a question thats probably been asked 1000 times before.

    I am trying to do some best-practises firewalling between me and my friends site-to-site openVPN tunnel.
    Lets say the network looks like this:

    Local(My) network:
    Remote site-to-site network:
    Local tunnel endpoint
    Remote tunnel endpoint:

    I have no idea what kind of people that might connect on his network, so I will try to be alittle strict with that I will let pass through the tunnel.
    So I guess the best way to go, is probably to specify what IS allowed through, instead of specifying everything that is NOT allowed.

    Now my question is about how to specify the source when filtering the traffic. If I understand correctly, the filtering is happening on the OpenVPN-tab. Can I set the source to be that whole subnet on his end ( and thats good? Or can I specify the tunnel-IP as a source, and in that way block/allow from that particular tunnel to him, no matter what subnet he has? (I have more VPN tunnels to other people). In other words, can I use source

    He may have other VPN-tunnels on his end to other people, and I would like to restrict access for them (but maybe still allow him(his subnet) access, so they don't just "bridge" theire way onto my home network. How can this be avoided?


  • LAYER 8 Netgate

    Pass the specific traffic you want to come through.  Everything else will be blocked.

    The traffic will be coming from the network unless he is natting it, in which case it will come from his tunnel IP.

    So, say you want anyone on his LAN to be able to connect to a web server at  You could put this on the OpenVPN Tab:

    Pass IPv4 TCP any any dest port 80

    That's all pfSense will allow in through that OpenVPN tunnel.  Everything else will be blocked,  just like any other interface.

Log in to reply