Messages

1

24.7 Production Series / Re: "let out anything from firewall host itself" overrides OpenVPN "Local Network"

« on: October 08, 2024, 11:06:23 pm »

Seriously, if you want fine grained control, the firewall rules are where you enforce it. There is no higher level abstraction in OPNsense.

I agree, but surely for a large number of VPN connections reflecting the OpenVPN options to the firewall automatically would be more secure than having a human manually perform this?

2

24.7 Production Series / Re: "let out anything from firewall host itself" overrides OpenVPN "Local Network"

« on: October 07, 2024, 10:33:28 pm »

I could do this, but I would need to create rules for each OpenVPN interface because each one gets access to a different LAN subnet. I would like to avoid setting up individual rules for each connection because I've already specified which subnets i want to give access in the "local network" setting.

3

24.7 Production Series / "let out anything from firewall host itself" overrides OpenVPN "Local Network"

« on: October 07, 2024, 12:57:57 am »

I have several OpenVPN server (legacy) setups with specific attached Local Network options for each one. However, a connected user can still connect to anything on the LAN network because of the "let out anything from firewall host itself" floating rule regardless of the Local Network value. Is there any way I can block this behavior without setting up individual rules for each VPN interface. Also, this behavior only started when I updated to 24.7.

4

Virtual private networks / Re: openvpn client to vlan network gets IP but not gateway

« on: June 22, 2022, 09:44:17 pm »

I put the VPN server on its own interface and subnet range and bridged it with the existing VLAN. I also enabled interclient communication. Neither allowed the client to get a gateway

5

Virtual private networks / Re: openvpn client to vlan network gets IP but not gateway

« on: June 22, 2022, 09:12:31 pm »

I'm already using VLANs regardless of the OpenVPN setup, it automates routing permissions. My hope is to attach clients to their VLAN directly, avoiding extra manual work in defining rulesets for each client.

I will take a look at your suggestions using a bridge between the OpneVPN interface and VLAN interface.

6

Virtual private networks / Re: openvpn client to vlan network gets IP but not gateway

« on: June 22, 2022, 05:40:23 am »

Another observation, the client has received IP address 10.0.2.6 with a subnet mask of 255.255.255.252.
In the configuration, the client's tunnel network should be 10.0.2.0/24

7

Virtual private networks / openvpn client to vlan network gets IP but not gateway

« on: June 22, 2022, 03:18:47 am »

I'm a little new to vpn setup in general, so apologies if there is something simple I am missing.

I've created a simple setup:
I have a VLAN from 10.0.2.1/24 and vlan tag 11
I created an openvpn server with tunnel network of 10.0.2.0/24
The corresponding openvpn client also has tunnel network of 10.0.2.0/24

When I connect from a windows client, it is able to grab the IP 10.0.2.6, but has no gateway
The client is unable to connect to any other server on its vlan
Running tracert, the connection attempt uses the client's existing gateway instead of the vpn network's gateway

Any ideas on how to fix this issue? I suspect I need to add the vlan tag to the client's interface but I'm unsure of how to do that.