OpenVPN server connect to which vlans?
  • I successfully set up my OpenVPN server on my pfSense box, which is providing 3 VLANs in my internal network. When I connect via OpenVPN (UDP tun, in case it matters), I am able to connect to any of the VLANs from outside my network (inside the network, none of these VLANs can pass traffic to one another (block rules)). Is this the expected behaviour? Am I supposed to be able to access all VLANs from outside? If not, which settings do I change to affect this?


  • Netgate

    What rules do you have on your OpenVPN tab (or the assigned interface tab, if you did that)? Those are the rules that govern what access your OpenVPN clients have.



  • Right now, no rules at all. I suppose I should be adding "block" rules for all the VLANs I don't want to have accessible by VPN? Given that I am the only one using the VPN connection, and I am the system admin, is there any real security risk in leaving all the VLANs accessible by VPN?



  • As Derelict mentioned, you can set this up any way that seems appropriate for your situation, it depends on what you're trying to accomplish with your VPN connection.

    As far as VLANs being a greater or lesser security risk, they're no different than any other multi-LAN setup. VLANs simply let you carry multiple LANs on one set of switches, NICs, etc. rather than having to dedicate hardware to each new LAN subnet you wish to use.

    Most of my OpenVPN setups have a single "Allow any-any" rule on the VPN tab and that's all I need.
    To me, the major level of security comes from all your traffic on the VPN connection being encrypted and "invisible" to anyone outside.

    Your situation may differ of course, it's up to you.


  • Netgate

    @pfsensory:

    Right now, no rules at all. I suppose I should be adding "block" rules for all the VLANs I don't want to have accessible by VPN? Given that I am the only one using the VPN connection, and I am the system admin, is there any real security risk in leaving all the VLANs accessible by VPN?

    Best practice dictates that you only pass what you need and reject everything else. I have any-any rules on my remote access VPN, but the site-to-site to the main office only passes things like printers, so those are the only connections that can come into my site from there.

    The real answer is it's up to you what to pass/not pass.
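    As an added illustration that is not part of this thread (pfSense generates its own pf rules from the GUI; these are hand-written pf.conf lines with an assumed tunnel network, VLAN subnets and interface name), here are the two policies discussed above side by side: the single "Allow any-any" rule on the VPN tab, and the "only pass what you need" ruleset that lets the remote side reach printers and nothing else.

```pf
# Added example, not from the thread and not pfSense's generated ruleset.
# Assumed addressing (constructed for the illustration):
#   ovpns1          = OpenVPN server interface, tunnel network 10.8.0.0/24
#   192.168.10.0/24 = VLAN 10 (management LAN)
#   192.168.20.0/24 = VLAN 20 (printers)
#   192.168.30.0/24 = VLAN 30 (everything else)

vpn_net   = "10.8.0.0/24"
vlan_mgmt = "192.168.10.0/24"
vlan_prn  = "192.168.20.0/24"
vlan_iot  = "192.168.30.0/24"

# --- Policy A: "Allow any-any" on the OpenVPN tab
# Every connected VPN client can reach every VLAN the firewall routes,
# so the only thing standing between a client and the VLANs is the VPN
# authentication itself.
pass in quick on ovpns1 inet from $vpn_net to any keep state

# --- Policy B: only pass what you need
# VPN clients may print (IPP on 631, raw/JetDirect on 9100) and reach the
# management VLAN; VLAN 30 is never mentioned, so it is never reachable.
pass in quick on ovpns1 inet proto tcp from $vpn_net to $vlan_prn port { 631, 9100 } keep state
pass in quick on ovpns1 inet from $vpn_net to $vlan_mgmt keep state

# pfSense already drops anything no rule passes; stating the deny explicitly
# (and logging it) keeps the ruleset readable outside pfSense and leaves a
# record in the firewall log of what VPN clients tried to reach.
block in log quick on ovpns1 inet from $vpn_net to any
```

    In the pfSense GUI the same thing is done under Firewall > Rules > OpenVPN: rules are evaluated top to bottom and the first match wins, so a narrow pass rule placed above a broad one (or above the implicit deny) is what makes a given VLAN reachable. Use one policy or the other, not both; with Policy A present, the Policy B lines below it never match.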



  • Thank you both for your comments and insight. I think that since I am the only person with VPN access, I will probably leave things as they are. It will actually be helpful for administrative purposes, as I have no access to some of the devices on the VLANs (other than my regular LAN) in my network unless I physically plug a machine into the correct port on my switch. So this way, if I need to manage one of the devices on another VLAN, I can simply connect via VPN, and I will have access to all VLANs.