"let out anything from firewall host itself" overrides OpenVPN "Local Network"

Started by ltcptgeneral, October 07, 2024, 12:57:57 AM

I have several OpenVPN server (legacy) setups with specific attached Local Network options for each one. However, a connected user can still connect to anything on the LAN network because of the "let out anything from firewall host itself" floating rule, regardless of the Local Network value. Is there any way I can block this behavior without setting up individual rules for each VPN interface? Also, this behavior only started when I updated to 24.7.

Just don't allow it.

When you fire up an OpenVPN server, OPNsense creates the OpenVPN tab in the rules section and adds an allow any-to-any rule to it.
This OpenVPN tab is in fact an interface group, including all OpenVPN instances you're running, be they clients or servers.
Note that rules on interface groups have priority over rules on member interfaces.

If you don't want to allow access to certain local devices, just add a block rule for this at the top of the OpenVPN tab.

I could do this, but I would need to create rules for each OpenVPN interface because each one gets access to a different LAN subnet. I would like to avoid setting up individual rules for each connection because I've already specified which subnets I want to give access to in the "local network" setting.

Quote from: ltcptgeneral on October 07, 2024, 10:33:28 PM
I could do this, but I would need to create rules for each OpenVPN interface because each one gets access to a different LAN subnet.

Pick your poison  ;)

Seriously, if you want fine grained control, the firewall rules are where you enforce it. There is no higher level abstraction in OPNsense.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@ltcptgeneral
You should know that the local network setting in OpenVPN just pushes the respective routes to the clients. But it's on the clients to set the routes on their devices. And there are OpenVPN clients out there which by default route the whole upstream traffic to the OpenVPN server, e.g. NetworkManager on Linux.

Furthermore, any client who has the privilege to add routes on his device can set routes manually.

So the "local network" setting doesn't grant or restrict access in any way. This has to be done with firewall rules.

If you have interfaces assigned to each server instance you can add your rules there, but keep in mind that rules on the OpenVPN tab (interface group) may override these rules.

Quote: Seriously, if you want fine grained control, the firewall rules are where you enforce it. There is no higher level abstraction in OPNsense.

I agree, but surely for a large number of VPN connections reflecting the OpenVPN options to the firewall automatically would be more secure than having a human manually perform this?

No, the one thing configures the routing, the other the firewall. These settings should be separate, and they often need to be.

For instance, there are some use cases where it's required to route the whole upstream traffic of the clients over the VPN. E.g. some companies require this for their road warrior connections to filter their internet traffic.
So in this case, in the OpenVPN server settings "redirect gateway" is checked to push the default route to the clients. But it's almost never desired to give the clients access to the whole local network.
So you have to add firewall rules to permit or block access according to what the clients need exactly.
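As an added example, not from this thread or from OPNsense itself: a small script that derives an explicit, ordered rule table for the OpenVPN interface group from each server instance's tunnel network and "Local Network" list (pass tunnel to its own local networks, then block tunnel to every other private range), and a first-match evaluator to check what a given client address would reach. The instance names, tunnel and local networks are constructed sample values, and the pf rendering assumes the group is addressed as `openvpn`; the rules still have to be entered on the OpenVPN tab by the admin.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # tunnel network of one server instance
    dst: ipaddress.IPv4Network   # destination network


# Constructed sample (hypothetical values, not taken from the thread):
# each server instance's tunnel network and its "Local Network" entries.
INSTANCES = {
    "ovpns1": {"tunnel": "10.8.1.0/24", "local": ["192.168.10.0/24"]},
    "ovpns2": {"tunnel": "10.8.2.0/24", "local": ["192.168.20.0/24", "192.168.21.0/24"]},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_rules(instances=INSTANCES):
    """Pass rules first (tunnel -> its own Local Networks), then block rules
    (tunnel -> any other private range). Order matters: first match wins."""
    rules = []
    for cfg in instances.values():
        tun = ipaddress.ip_network(cfg["tunnel"])
        for lan in cfg["local"]:
            lan = ipaddress.ip_network(lan)
            if tun.overlaps(lan):  # a Local Network overlapping the tunnel is a config error
                raise ValueError(f"tunnel {tun} overlaps local network {lan}")
            rules.append(Rule("pass", tun, lan))
    for cfg in instances.values():
        tun = ipaddress.ip_network(cfg["tunnel"])
        for priv in RFC1918:
            rules.append(Rule("block", tun, priv))
    return rules


def allowed(src, dst, rules=None):
    """True/False from the first matching rule; None if no rule matches
    (e.g. internet traffic), which then falls through to the default rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules or build_rules():
        if s in r.src and d in r.dst:
            return r.action == "pass"
    return None


def to_pf(rules):
    """Render the table as pf rules on the interface group; 'quick' stops at first match."""
    return [f"{r.action} in quick on openvpn inet from {r.src} to {r.dst}" for r in rules]
```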