[SOLVED] OpenVPN firewall rule issue
-
Good morning,
I have an issue with my firewall rules relating to OpenVPN and I am hoping that someone can assist me please? I imagine it's something minor that I am overlooking, so please put me out of my misery!
I have set up my OpenVPN and have successfully configured it to work with client specific overrides so that individual users get assigned static IPs. This all works perfectly and each user is able to gain access and gets the desired IP.
As I am the owner of the system I have added a firewall rule to the OpenVPN tab which grants my static IP access to everything: this works as intended and I can access all internal network devices and the internet through my WAN interface.
However, the issue I am having is to do with other users with restricted access. I have added the static IPs for these users to an alias and set a rule to pass their traffic to a specific IP on my network, as this is the only device I want them to have access to on my network: this works perfectly and these users can only see and access this IP. This blocked their access to the internet through the WAN though and I want them to have this as well. I assumed that setting a second firewall rule in the OpenVPN tab to pass their alias to the "WAN net" would work but still no access. I tried "WAN address" instead, still no access. I manually tried the WAN gateway IP but still no access. If I amend the rule to allow access to everything they get internet access through the WAN but of course get the whole internal network again, which I do not want.
Do I have my destination option set incorrectly? I was sure it would be one of the WAN options but they just don't work. Any advice would be greatly appreciated please.
-
Perhaps, you could post screenshots of what you did set up where, instead of describing what you did set up.
-
Perhaps, you could post screenshots of what you did set up where, instead of describing what you did set up.
Hi, thanks for replying. Sorry I haven't posted further since, a crazed toddler has been demanding all attention the last few days. I have added screenshots of my firewall rule tab summaries to this post. The aliases purely contain the static IPs for the users on the sources, and an alias containing just the IP for my NAS for the destination in the rule to allow them access to that. As you can see, I added a rule to the OpenVPN tab to allow the alias IPs to access the "WAN net", though I have also tried the "WAN address" option with no success. I also tried manually setting the WAN gateway IP as a destination but no luck there either. The only way to let the alias IPs access the WAN is to allow them to access any destination, then they get back to the internet with no issue.
If you need anything else, please let me know.
-
WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.
You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.
-
WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.
You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.
So I am not able to purely specify to pass traffic for those users to only the internet? I have to allow them access to everything then go through and manually create rules to block access to everything else on the network? That seems a bit bizarre, why can't I just grant them pass access to the internet?
-
Think about it. What are the destination addresses on the internet?
Yes, maintaining a firewall can be work.
-
Think about it. What are the destination addresses on the internet?
Yes, maintaining a firewall can be work.
I understand that, I obviously can't list every address on the internet. But isn't there a means to permit the VPN clients to purely access through the WAN interface to the internet?
-
No.
You can usually make an RFC1918 alias and make one rule for that and one for this firewall and catch about everything.
-
No.
Thanks for clarifying it. Can you explain why, as I don't understand the technical reason for not being able to permit all traffic outbound on a specific interface regardless of the destination address?
-
Because it doesn't work that way. I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets. Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.
You would absolutely want to uncheck System > Advanced > Miscellaneous tab Skip rules when gateway is down if you are going to rely on policy routing as a security measure. I would advise against it.
-
Because it doesn't work that way. I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets. Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.
You would absolutely want to uncheck System > Advanced > Miscellaneous tab Skip rules when gateway is down if you are going to rely on policy routing as a security measure. I would advise against it.
Thank you for answering, I appreciate it. As you have likely worked out, I am relatively new to this and trying to improve my knowledge and ability.
For my purpose i.e. wanting a group of VPN users to have access to one particular device on my network and internet access, but no access to anything else, would it be effective and efficient to use some form of subnet/VLAN to segregate all of the secure devices onto one to which they have no access while the one device and the WAN interface access sits on another to which they do have access?
-
It doesn't matter where the WAN is. If you have all the things you want to protect on one network then you can block the access to everything with one rule.
But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing then block LAN net then pass any.
1. Pass specific local assets you want them to access (specific host on LAN)
2. Block more general things you don't want them to access (LAN net, This firewall)
3. Pass everything else (the internet)
-
It doesn't matter where the WAN is. If you have all the things you want to protect on one network then you can block the access to everything with one rule.
But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing then block LAN net then pass any.
1. Pass specific local assets you want them to access (specific host on LAN)
2. Block more general things you don't want them to access (LAN net, This firewall)
3. Pass everything else (the internet)
Thank you so much, that has worked perfectly. That is what I was trying to achieve, I had just wrongly assumed that I would be able to purely open access to just the one local asset and the outbound WAN. I understand now, time to go find something else to break!
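As an added illustration (not from the thread or from pfSense itself), the following Python models pfSense-style first-match rule evaluation on the OpenVPN tab. It shows why a "pass to WAN net" rule never matches an internet destination, and why the pass-host / block-local / pass-any ordering from the last answer gives the intended result. All addresses and alias contents are constructed for the example; the RFC1918 alias variant mentioned mid-thread is included as an alternative block rule.

```python
import ipaddress

# Constructed sample addressing (assumptions for this example only).
WAN_NET = ipaddress.ip_network("203.0.113.0/24")      # "WAN net": the WAN subnet, not the internet
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # "LAN net"
NAS = [ipaddress.ip_network("192.168.1.50/32")]       # alias holding just the NAS IP
THIS_FW = [ipaddress.ip_network(a) for a in           # "This firewall": all firewall addresses
           ("192.168.1.1/32", "203.0.113.10/32", "10.8.0.1/32")]
VPN_USERS = [ipaddress.ip_network(a) for a in         # alias of restricted users' static VPN IPs
             ("10.8.0.10/32", "10.8.0.11/32")]
RFC1918 = [ipaddress.ip_network(a) for a in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def matches(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst):
    """First-match evaluation of (action, sources, destinations) rules.
    No match falls through to the interface's implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in rules:
        if matches(src, srcs) and matches(dst, dsts):
            return action
    return "block"


# The original poster's rule set: pass to NAS, pass to "WAN net".
ORIGINAL = [
    ("pass", VPN_USERS, NAS),
    ("pass", VPN_USERS, [WAN_NET]),
]

# The ordering recommended in the thread: specific pass, general block, pass any.
FIXED = [
    ("pass", VPN_USERS, NAS),
    ("block", VPN_USERS, [LAN_NET] + THIS_FW),
    ("pass", VPN_USERS, ANY),
]

# Same idea with the broader RFC1918 alias as the block rule.
FIXED_RFC1918 = [
    ("pass", VPN_USERS, NAS),
    ("block", VPN_USERS, RFC1918 + THIS_FW),
    ("pass", VPN_USERS, ANY),
]
```

Run `evaluate(ORIGINAL, "10.8.0.10", "8.8.8.8")` to see the original rules fall through to the default deny for an internet address, while the same lookup against `FIXED` passes and a LAN host other than the NAS is blocked.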