OpenVPN: How to not allow WAN traffic?


  • I am looking to add a second user and allow OpenVPN access to my PFSense Box. I use the box myself and force all traffic through the VPN, however, for the second user, I would only like allow them to access LAN resources via VPN.

    In other words: "go ahead access the CIFS Shares, but don't bog down my network with your casual browsing traffic". Granted, this would only be for this specific user, the rest of the users, I would like all of their traffic to go through the VPN.

    Is this possible to set up? If so, anybody have any resources on how to do this they could point me towards?

    Thanks in advance!



  • Thanks for the reply. I found that a while ago, I guess I am still unclear as to how I would configure this to not allow WAN traffic to go through my pfsense box…


  • So what's the concrete trouble with that?

    In the OpenVPN server config ensure that you haven't set the mark at Topology, so that the server allocates a /30 subnet to each client.

Then add a client specific override for the desired user, entering the common name which matches the user's cert. At "Tunnel Network" enter a /30 subnet which should be assigned to this user, recommended in the upper range of your server's tunnel subnet. E.g. if your server's tunnel subnet is 10.0.8.0/24, use 10.0.8.248/30.
    At "IPvX Remote Network/s" enter your LAN network(s) to push the route(s) to the client. Don't check "Redirect gateway"! If needed, also enter DNS servers below. Save the settings.

Now you can add a block rule to your OpenVPN interface to ensure the user can't route the whole traffic over the VPN by himself. E.g.

    Act     Proto   Source          Port   Destination   Port   Gateway   Queue
    block   *       10.0.8.248/30   *      !LAN net      *      *         none

At destination check "not" and select LAN net below. Put this rule at the top of the interface's rule set.
    So this will block access from the specified user to anything but your LAN subnet.
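As an added illustration (not part of the original reply, and not pfSense's own code), the following derives the OpenVPN client-specific override directives and an equivalent pf block rule from the values in the procedure above; it assumes net30 topology (first host of the /30 is the server endpoint, second host is the client), the hypothetical interface name `ovpns1`, and the constructed LAN 192.168.1.0/24.

```python
import ipaddress


def cso_for_user(server_tunnel, user_tunnel, lan_nets, iface="ovpns1"):
    """Return the CCD lines and pf rules for a LAN-only OpenVPN user.

    server_tunnel: the server's tunnel network, e.g. "10.0.8.0/24"
    user_tunnel:   the /30 reserved for this user, e.g. "10.0.8.248/30"
    lan_nets:      LAN networks the user may reach (pushed as routes)
    iface:         OpenVPN interface name (hypothetical, not from the thread)
    """
    srv = ipaddress.ip_network(server_tunnel)
    usr = ipaddress.ip_network(user_tunnel)
    # Sanity checks a practitioner would want before applying the override.
    if usr.prefixlen != 30:
        raise ValueError("the client-specific override needs a /30 tunnel network")
    if not usr.subnet_of(srv):
        raise ValueError(f"{usr} lies outside the server tunnel network {srv}")
    # net30 topology (assumption): server endpoint = first host, client = second.
    server_ep, client_ip = list(usr.hosts())
    ccd = [f"ifconfig-push {client_ip} {server_ep}"]
    for lan in lan_nets:
        n = ipaddress.ip_network(lan)
        # "IPv4 Remote Network/s" in the GUI corresponds to pushed routes.
        ccd.append(f'push "route {n.network_address} {n.netmask}"')
    # Deliberately no redirect-gateway: the client keeps its own default route.
    # A pf table avoids the pitfall of negating a list of networks in one rule.
    table = "table <lan_nets> { " + ", ".join(str(ipaddress.ip_network(l)) for l in lan_nets) + " }"
    block = f"block in quick on {iface} inet from {usr} to ! <lan_nets>"
    return {"ccd": ccd, "pf": [table, block]}


if __name__ == "__main__":
    out = cso_for_user("10.0.8.0/24", "10.0.8.248/30", ["192.168.1.0/24"])
    print("\n".join(out["ccd"]))
    print("\n".join(out["pf"]))
```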


  • or just don't NAT the openvpn subnet.


  • You essentially have two options:

    • Configure a client specific override for that one user and each future user with the same situation

    • Configure a 2nd OpenVPN server… one full tunnel and one split tunnel.  Then just export the split tunnel package when needed

From a management overhead standpoint, I think option #2 makes more sense. This is also the solution that I've implemented.