OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: rems14 on April 11, 2017, 02:01:12 pm

Title: OpenVPN and firewall rules
Post by: rems14 on April 11, 2017, 02:01:12 pm
Hi!

I followed the tutorial "Setup SSL VPN Road Warrior (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html)" successfully, except for the firewall rules.
The VPN network subnet is 10.10.22.0/24 (set in VPN -> OpenVPN -> Servers -> IPv4 Tunnel Network field: 10.10.22.0/24).
In Firewall -> Rules -> OPENVPN tab, I added a rule to allow connections from VPN clients to the LAN network.
Code:
Proto    Source       Port  Destination  Port  Gateway  Schedule  Description
IPv4 *   OpenVPN net  *     LAN net      *     *        -         Allow VPN traffic to LAN
This rule doesn't work (VPN clients couldn't ping LAN clients).
So, I've modified the rule like this:
Code:
Proto    Source         Port  Destination  Port  Gateway  Schedule  Description
IPv4 *   10.10.22.0/24  *     LAN net      *     *        -         Allow VPN traffic to LAN
and this rule works!

My question is: why is "10.10.22.0/24" required instead of "OpenVPN net"?

Thanks
Title: Re: OpenVPN and firewall rules
Post by: theq86 on April 11, 2017, 04:19:26 pm
Some thoughts about the topic, and probably some further questions:

* opnSense can work as OpenVPN client or OpenVPN server, or both together
* Either mode can have multiple entries (so you can be client-side connected to 3 remote OpenVPN servers and provide 2 OpenVPN servers on your opnSense at the same time)

This would lead to a number of 5 different networks (in the above case) that the opnSense has to care about.
In firewall settings there is just one OpenVPN tab. What connection is it for?
It is not even labeled with a client/server description to distinguish the networks.

Since there can be much ambiguity, I guess you have to specify the network addresses manually.

But I'm also interested in how that works and how OpenVPN is mapped to interfaces and firewall sections.
Title: Re: OpenVPN and firewall rules
Post by: theq86 on April 11, 2017, 08:36:12 pm
I played around a little bit with OpenVPN clients and servers.
No matter how many servers or clients you specify, there will be only ONE OpenVPN Tab in the firewall.

Are ALL packets from EVERY tap/tun device treated by these OpenVPN Firewall rules?

Why is it possible to assign an interface to an OpenVPN server/client (e.g. ovpns1, ovpnc2 etc) when everything is handled in the OpenVPN options?

Very strange.
Title: Re: OpenVPN and firewall rules
Post by: djGrrr on April 14, 2017, 10:37:03 pm
IMO it is much better to assign an interface to each OpenVPN instance and completely ignore the OpenVPN group; this allows you to separate firewall rules for better security and avoid conflicts.
Title: Re: OpenVPN and firewall rules
Post by: BlackDragon381 on April 19, 2017, 06:09:48 pm
My OpenVPN doesn't work even with the direct network subnet in the source.