Hope someone can help with this:
The goal is to restrict VPN client to client access with specific firewall rules
So when un-ticking the VPN server "Inter-client communication" I can no longer ping
other clients and can only ping the VPN interface IP which makes sense.
The problem:
I have enabled all traffic on the OpenVPN interface and all traffic on the TAP interface but can't
ping other clients anymore. I have read that IP forwarding needs to be enabled for this to work.
via the console IP forwarding seems to be enabled already?
root@OPNsense:/etc # sysctl -w net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
Found this link https://serverfault.com/questions/736274/openvpn-client-to-client (https://serverfault.com/questions/736274/openvpn-client-to-client)
that explains a solution but involves IPTABLES.
Ok so using Topology subnet I can at least see ICMP traffic with tcpdump:
23:25:27.881576 IP 172.23.8.2 > 172.23.8.250: ICMP echo request, id 26390, seq 0, length 64
23:25:27.881609 IP OPNsense.localhost > 172.23.8.250: ICMP echo request, id 61533, seq 0, length 64
So traffic from 172.23.8.2 hits the firewall and it is sent to 172.23.8.250
My concern is tha the source address is not in the same subnet meaning the device at 172.23.8.250
does not send the reply back over the tunnel (I can't use Wireshark on the tunnel interface)