OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: flushell on September 28, 2018, 04:08:00 pm

Title: OpenVPN: OpenVPNServer Interface - useful?
Post by: flushell on September 28, 2018, 04:08:00 pm
I have a working OpenVPN server on my up-to-date OPNsense (18.7.4) box.
In the Firewall-Rules tab there are 2 instances related to this server:


1 OpenVPN
2 OpenVPNServer


1. there is a rule here to pass traffic from the tunnel to my LAN
2. is empty.

Furthermore:
2. corresponds to an interface with the same name.
This interface gets the first IP of my tunnel network (I don't know how it knows that, because the settings in the interface are empty).
I can disable this interface - and the VPN still works!
If I, however, check "Block Private Networks" in the interface settings: I can connect to the VPN but I can not use internet (everything seems blocked) - So it seems to have some sort of function.

Questions bothering me:
- What is the function of the Firewall instance of OpenVPNServer?
- What is the function of the OpenVPNServer interface and why can I disable it without consequence?
- How does the OpenVPNServer interface get its IP?
Title: Re: OpenVPN: OpenVPNServer Interface - useful?
Post by: mitra7 on September 28, 2018, 05:15:48 pm
The OpenVPN interface in the Firewall section is useful in some scenarios.
Imagine you don't want the remote VPN server accessing your pfSense/OPNsense; this only applies if you have services listening on all interfaces.
By blocking incoming connections you deny the server the ability to reach, for example, your port 80, 443 or 22, or even ICMP.
Usually I use the OpenVPN interface to NAT the remote VPN network to the rest of my network; it can also be used if you are working with a Site-To-Site VPN.
The OpenVPNServer interface gets an IP because when the VPN starts it creates an interface usually called tunX (tun0, tun1...) and it will assign the first IP address from the IP range you specify in the VPN config.

I hope this helps
Title: Re: OpenVPN: OpenVPNServer Interface - useful?
Post by: flushell on September 28, 2018, 08:21:44 pm
Not really, but thanks.

After some fiddling with the settings, I somehow get the impression that the two sections in the Firewall Rules are linked: if I copy the pass rule from 1 to 2 (OpenVPN to OpenVPNServer), all is working well.

Maybe OpenVPN is some sort of symlink or alias to OpenVPNServer?

Edit:
I found an old topic (https://forum.opnsense.org/index.php?topic=4986.0) with the same question(s) as mine. Especially the third post (https://forum.opnsense.org/index.php?topic=4986.msg19825#msg19825). It is not answered though...