OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: leacho73 on February 27, 2023, 12:57:51 PM

Title: OpenVPN Clients Able to Talk To Each Other
Post by: leacho73 on February 27, 2023, 12:57:51 PM
Hi All,

I've just set up a new OpenVPN server on the latest OPNsense build and I noticed that two clients connected to the same server are able to ping each other, even though the "Inter-client communication" box is not checked. Is this a bug with the latest build, or am I missing something?

The IPv4 Tunnel Network is 192.168.0.0/24, and I have noticed that two clients, 192.168.0.10 and 192.168.0.11, are able to ping each other.

Thanks
Leacho
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: Fright on February 27, 2023, 03:43:26 PM
Hi
I thought that the 'client-to-client' option implies communication within the tunnel(s). Without 'client-to-client' enabled, this traffic is controlled by the routing and pf settings. If you have an 'allow any' rule for VPN clients, then it is likely that traffic will be possible (this has nothing to do with OPNsense changes).
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: leacho73 on February 27, 2023, 04:12:37 PM
So both the 192.168.0.10 and 192.168.0.11 hosts are connected to the same tunnel. I assumed that the traffic wouldn't route between them and would be handled by the tunnel? I'm not sure how I would go about adding a firewall rule stopping comms on the same subnet. I assumed the firewall only triggered on traffic entering the interface?
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: Patrick M. Hausen on February 27, 2023, 04:28:08 PM
If you have currently created an explicit interface for your OpenVPN server and have a single rule, e.g.

From: OpenVPN_Net
To: any
Action: allow

Then change this to:

1.
From: OpenVPN_Net
To: OpenVPN_Address (interface address of your firewall in the OpenVPN network)
Action: allow

2.
From: OpenVPN_Net
To: OpenVPN_Net
Action: deny

3.
From: OpenVPN_Net
To: any
Action: allow


The first rule is not strictly necessary, but it helps clients to e.g. ping the default gateway for debugging purposes. If you already have e.g. a floating "allow ICMP echo" rule, you can just drop it.

Rules are processed in order, so you can deny client-to-client traffic while permitting client-to-anything-else.

HTH,
Patrick
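As an added illustration (not code from the thread or from OPNsense), the following Python model evaluates the three rules above the way OPNsense does, first match wins because interface rules are "quick" by default, and contrasts them with the same rules in the wrong order. It uses the thread's tunnel network 192.168.0.0/24 and clients .10 and .11; the gateway address 192.168.0.1 and the LAN host 10.0.0.5 are assumptions made for the example. One caveat worth keeping in mind: pf only sees client-to-client packets because OpenVPN's client-to-client option is off, so the packets leave the tunnel interface and go through the kernel. With client-to-client enabled, OpenVPN forwards them internally and no firewall rule can block them.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread: tunnel network 192.168.0.0/24 and the two
# clients .10 and .11. The gateway address (.1) and the LAN host (10.0.0.5)
# are assumptions made for this example.
OPENVPN_NET = ip_network("192.168.0.0/24")
OPENVPN_ADDRESS = ip_network("192.168.0.1/32")   # firewall's address in the tunnel (assumed)
ANY = ip_network("0.0.0.0/0")

# Rules as (source, destination, action), in the order OPNsense evaluates
# them. Interface rules are "quick" by default: the first match decides.
RULES_ORDERED = [
    (OPENVPN_NET, OPENVPN_ADDRESS, "pass"),   # 1. clients may reach the firewall itself
    (OPENVPN_NET, OPENVPN_NET, "block"),      # 2. client-to-client traffic is denied
    (OPENVPN_NET, ANY, "pass"),               # 3. everything else from clients is allowed
]

# The same three rules with the deny placed after the allow-any rule:
# the allow-any now shadows the deny, which is the situation the original
# single "allow any" rule produced.
RULES_MISORDERED = [RULES_ORDERED[0], RULES_ORDERED[2], RULES_ORDERED[1]]


def evaluate(rules, src, dst, default="block"):
    """Return the action of the first rule matching src->dst, else the default.

    The default models pf's implicit deny for traffic no rule accepts.
    """
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return default


def client_isolation_holds(rules, clients, gateway, lan_host):
    """True when every client reaches the gateway and the LAN host but no other client."""
    for a in clients:
        if evaluate(rules, a, gateway) != "pass":
            return False
        if evaluate(rules, a, lan_host) != "pass":
            return False
        for b in clients:
            if a != b and evaluate(rules, a, b) != "block":
                return False
    return True


if __name__ == "__main__":
    clients = ["192.168.0.10", "192.168.0.11"]
    for name, rules in (("ordered", RULES_ORDERED), ("misordered", RULES_MISORDERED)):
        print(name, "isolation:", client_isolation_holds(rules, clients, "192.168.0.1", "10.0.0.5"))
        print("  .10 -> .11:", evaluate(rules, clients[0], clients[1]))
    # Without rule 1, rule 2 also swallows pings to the gateway (.1 is inside OpenVPN_Net).
    print("no rule 1, .10 -> gateway:", evaluate(RULES_ORDERED[1:], clients[0], "192.168.0.1"))
```

Dropping rule 1 shows why Patrick puts it first: the gateway address lies inside OpenVPN_Net, so the client-to-client deny would otherwise also stop pings to the firewall.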
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: leacho73 on February 27, 2023, 05:01:44 PM
Thanks Patrick, that's really helpful!!

Just want to check on the explicit interface for the OpenVPN server: do I need to give that interface an IP address from the OpenVPN subnet, for example 192.168.0.1/24, or will that break the OpenVPN server?

If I leave it without an IP address it knows it should be 192.168.0.1, but I don't think it knows what subnet it's in.

Thanks again!!
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: Patrick M. Hausen on February 27, 2023, 05:15:19 PM
Sorry, not quite sure. Please experiment or wait for someone else to join the discussion. All WireGuard here, now.

If I remember correctly you do not need to give those "VPN interfaces" any IP configuration. You can create manual aliases for the network and the interface address to use in your rules.
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: leacho73 on February 27, 2023, 05:20:46 PM
Got it sorted, thanks Patrick. Your example worked perfectly (for me personally!). I didn't use the interface in the end; I just made an alias of the IP subnets that I don't want talking to each other, and it's doing the job nicely.
Title: Re: OpenVPN Clients Able to Talk To Each Other
Post by: Patrick M. Hausen on February 27, 2023, 05:32:54 PM
Floating rule or OpenVPN group?