Virtual private networks / Restricting openVPN to a single VLAN to no other services
« on: June 10, 2024, 01:01:21 pm »
I'm trying to set up an OpenVPN server that will effectively only have access to one single VLAN. It should not be able to use the gateway as a WAN interface. I am trying to set it up so that the end user cannot bypass the config we provide (route-nopull with a specific IP vs. redirect-gateway def1).
I have set up an OpenVPN server using the wizard:
- TCP port
- Listens for all interfaces
- Local network accessible only has the local network of the VLAN
- I have added the rule in the wizard to permit traffic from clients on the internet to the openvpn server process (I assume this rule is the one that allows for the public to connect to the actual VPN)
- I have not ticked the option to enable all traffic from connected clients to pass across the VPN tunnel.
Following this, I created a test user, exported the config and can connect successfully. I then updated my local config to include redirect-gateway def1 so that I can test whether I can then use the firewall as a gateway to the public.
I can confirm that as things stand now, I can access the internet through the VPN, which I don't want (I did an IP check and can confirm the IP returned is the IP of the gateway).
I assume this is firewall rules, so I had a look at the live view so that I can try and estimate what is happening. When I access a specific website (knowing their IP address for the filter), the following rule is applied to allow the traffic. The issue is that the src IP is the gateway IP, not a VPN IP:
WAN | 2024-06-10T11:57:53 | [GATEWAY IP MASKED] | [DESTINATION PUBLIC IP MASKED] | tcp | let out anything from firewall host itself (force gw)
The rule seems self-explanatory, but I cannot disable the rule altogether as this will then stop the gateway from accessing the internet altogether. I simply just want to restrict the users connecting to the particular VPN from accessing anything except a single IP in a VLAN already configured on the OPNsense appliance.
As a further test, in the firewall live view I used the src IP 10.1.92.6, which is the IP assigned to the user. Interestingly enough, the live view in the firewall shows no traffic for this particular IP, although the VPN user is connected to it. I expected some logs containing the IP, even when I try to access, say, a private IP.
I assume I am misunderstanding a core concept, so I hope someone can help a brother out here, as this seems like a simple setup but I am baffled by this.
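The following is an added example and is not part of the post above or of OPNsense itself. It is a small pf-style rule evaluator that loads the kind of ruleset you would place on the OpenVPN server interface and runs constructed client flows through it. The point it demonstrates: `redirect-gateway def1` only changes the client's own routing table; whether a tunnelled packet reaches the internet is decided by the rules matched on the tunnel interface as the packet enters the firewall, with the client's tunnel address as source. Only if that packet is passed does it go out on WAN, where outbound NAT rewrites the source to the gateway address, which is what the "let out anything from firewall host itself" line in the live view reflects. All addresses and names here are assumptions for illustration: tunnel network 10.1.92.0/24, a single VLAN host 10.1.10.5 on TCP/443, interface name ovpns1. The evaluator models pf's last-match-wins with `quick` short-circuit and ignores state tracking.

```python
"""Added example (not from the original post or OPNsense): a pf-style rule
evaluator for the ruleset on an OpenVPN server interface.
Assumed (constructed) values: tunnel net 10.1.92.0/24, VLAN host 10.1.10.5,
interface ovpns1. Simplified pf semantics: last match wins unless 'quick';
no state tracking; IPv4 only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                           # "pass" or "block"
    direction: str                        # "in" or "out"
    quick: bool                           # stop evaluating on match
    iface: Optional[str]                  # None = any interface
    proto: Optional[str]                  # None = any protocol
    src: Optional[ipaddress.IPv4Network]  # None = any source
    dst: Optional[ipaddress.IPv4Network]  # None = any destination
    dport: Optional[int]                  # None = any destination port
    text: str                             # original rule line, for logging


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    # A bare host address becomes a /32, matching pf's behaviour.
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the pf subset used here:
    action dir [log] [quick] [on IFACE] [inet] [proto P] (all | from S to D [port N])"""
    toks = line.split()
    rule = Rule(toks[0], toks[1], False, None, None, None, None, None, line)
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "quick":
            rule.quick = True; i += 1
        elif tok in ("log", "inet", "all"):
            i += 1
        elif tok == "on":
            rule.iface = toks[i + 1]; i += 2
        elif tok == "proto":
            rule.proto = toks[i + 1]; i += 2
        elif tok == "from":
            rule.src = _net(toks[i + 1]); i += 2
        elif tok == "to":
            rule.dst = _net(toks[i + 1]); i += 2
        elif tok == "port":
            rule.dport = int(toks[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule


def load_rules(text: str) -> list:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule: Rule, pkt: dict) -> bool:
    """Packet fields: dir, iface, proto, src, dst, dport."""
    return (rule.direction == pkt["dir"]
            and (rule.iface is None or rule.iface == pkt["iface"])
            and (rule.proto is None or rule.proto == pkt["proto"])
            and (rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (action, matched rule text). pf passes traffic that no rule
    matches, so a ruleset should open with a non-quick default deny."""
    decision = ("pass", "no rule matched (pf implicit pass)")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


# Server-side enforcement: clients may only reach one host on one port.
RESTRICTED_RULES = load_rules("""
block in log inet all
pass in quick on ovpns1 inet proto tcp from 10.1.92.0/24 to 10.1.10.5 port 443
block in quick on ovpns1 inet from 10.1.92.0/24 to any
""")

# Constructed contrast: a rule that lets clients reach any destination.
PERMISSIVE_RULES = load_rules("""
block in log inet all
pass in quick on ovpns1 inet from 10.1.92.0/24 to any
""")

# Constructed flows as they enter the firewall on the tunnel interface, i.e.
# before outbound NAT on WAN rewrites 10.1.92.6 to the gateway address.
_BASE = {"dir": "in", "iface": "ovpns1", "proto": "tcp", "src": "10.1.92.6"}
FLOWS = {
    "vlan_host_https": {**_BASE, "dst": "10.1.10.5", "dport": 443},
    "vlan_host_ssh":   {**_BASE, "dst": "10.1.10.5", "dport": 22},
    "other_vlan_host": {**_BASE, "dst": "10.1.10.7", "dport": 443},
    "internet_https":  {**_BASE, "dst": "198.51.100.10", "dport": 443},
}


def decide_all(rules: list) -> dict:
    return {name: evaluate(rules, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("restricted", RESTRICTED_RULES), ("permissive", PERMISSIVE_RULES)):
        for name, pkt in FLOWS.items():
            action, why = evaluate(rules, pkt)
            print(f"{label:10} {name:16} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}  {action:5}  ({why})")
```

Under the restricted ruleset only the flow to 10.1.10.5:443 is passed; the client's redirect-gateway traffic to 198.51.100.10 is dropped on the tunnel interface and never reaches WAN, so no NAT and no "force gw" entry would be produced for it. Under the permissive ruleset the same flow is passed, NATed on WAN and shows up there with the gateway's address as source. In OPNsense the equivalent rules belong on the OpenVPN server's interface (or the OpenVPN group) rather than on WAN, which is where the live view filter for 10.1.92.6 would show matches.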