I'm sorry to ask a question that's probably been asked 1000 times before.
I am trying to do some best-practice firewalling between me and my friend's site-to-site OpenVPN tunnel.
Let's say the network looks like this:
Local(My) network: 192.168.1.0/24
Remote site-to-site network: 192.168.2.0/24
Local tunnel endpoint: 192.168.10.1
Remote tunnel endpoint: 192.168.10.2
I have no idea what kind of people might connect on his network, so I will try to be a little strict with what I will let pass through the tunnel.
So I guess the best way to go, is probably to specify what IS allowed through, instead of specifying everything that is NOT allowed.
Now my question is about how to specify the source when filtering the traffic. If I understand correctly, the filtering is happening on the OpenVPN tab. Can I set the source to be that whole subnet on his end (192.168.2.0/24) and that's good? Or can I specify the tunnel IP as a source, and in that way block/allow from that particular tunnel to him, no matter what subnet he has? (I have more VPN tunnels to other people.) In other words, can I use source 192.168.10.2?
He may have other VPN tunnels on his end to other people, and I would like to restrict access for them (but maybe still allow him (his subnet) access), so they don't just "bridge" their way onto my home network. How can this be avoided?
Pass the specific traffic you want to come through. Everything else will be blocked.
The traffic will be coming from the 192.168.2.0/24 network unless he is NATing it, in which case it will come from his tunnel IP.
So, say you want anyone on his LAN to be able to connect to a web server at 192.168.1.100:80. You could put this on the OpenVPN Tab:
Pass IPv4 TCP any any dest 192.168.1.100 port 80
That's all pfSense will allow in through that OpenVPN tunnel. Everything else will be blocked, just like any other interface.
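To make the default-deny behaviour described in the answer concrete, here is an added example (my own toy evaluator, not pfSense code and not from the thread): a first-match rule list where anything unmatched falls through to the implicit block. It models the single pass rule from the answer, plus a tightened variant that restricts the source to the friend's LAN (192.168.2.0/24), which is one way to keep a third party's subnet routed across his end of the tunnel from reaching the web server. The sample packets and the 192.168.3.0/24 "third-party" subnet are constructed for illustration.

```python
"""Toy first-match firewall rule evaluator, loosely modelled on a pfSense
interface ruleset (explicit pass rules, implicit default deny).
Added example; not pfSense code and not from the original thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and _addr_matches(rule.src, pkt.src)
        and _addr_matches(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# The ruleset from the answer: one pass rule on the OpenVPN tab,
# "Pass IPv4 TCP any any dest 192.168.1.100 port 80".
OPENVPN_TAB_OPEN = [Rule("pass", "tcp", "any", "192.168.1.100/32", 80)]

# Tightened variant (assumption, not from the thread): only the friend's own
# LAN may reach the web server, so other subnets he routes over the tunnel
# are dropped by the default deny.
OPENVPN_TAB_STRICT = [Rule("pass", "tcp", "192.168.2.0/24", "192.168.1.100/32", 80)]

# Constructed sample traffic; 192.168.3.0/24 stands in for a third party's
# network behind the friend's router.
SAMPLE_PACKETS = [
    Packet("tcp", "192.168.2.50", "192.168.1.100", 80),   # friend's LAN -> web server
    Packet("tcp", "192.168.2.50", "192.168.1.100", 22),   # friend's LAN -> SSH on same host
    Packet("tcp", "192.168.2.50", "192.168.1.10", 80),    # friend's LAN -> another local host
    Packet("tcp", "192.168.10.2", "192.168.1.100", 80),   # NATed to his tunnel IP
    Packet("tcp", "192.168.3.7", "192.168.1.100", 80),    # third-party subnet via his tunnel
]


def audit(rules: List[Rule], packets=SAMPLE_PACKETS):
    """Return (src, dst, dport, verdict) for each sample packet."""
    return [(p.src, p.dst, p.dport, evaluate(rules, p)) for p in packets]


if __name__ == "__main__":
    for name, rules in (("open", OPENVPN_TAB_OPEN), ("strict", OPENVPN_TAB_STRICT)):
        print(name)
        for src, dst, port, verdict in audit(rules):
            print(f"  {src} -> {dst}:{port}  {verdict}")
```

Running it shows the point of both rulesets: with the answer's rule, only port 80 on 192.168.1.100 is reachable from anywhere across the tunnel; with the source narrowed to 192.168.2.0/24, the constructed 192.168.3.7 packet is blocked as well. The caveat from the answer still applies: if he NATs his LAN behind the tunnel IP, the strict rule drops his traffic too, and the source would have to be 192.168.10.2 instead.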