Topic: openVPN not block network traffic (Read 966 times)
mauzilla (Newbie, Posts: 11, Karma: 0)
Posted on: October 14, 2022, 01:24:30 pm
I have 2 openVPN servers:
VPN1 - 10.1.11.0/24
VPN2 - 10.1.90.0/24
LAN - 10.1.10.0/24
For VPN1 I want to allow full access to the LAN network; for VPN2, I want to restrict this traffic to only a select set of IP addresses on LAN (say, for example, IP 10.1.10.44; the rest should all be blocked).
I am currently able to ping any IP on the 10.1.10.0/24 range from both VPN services, regardless of what I apply for the rules.
My setup was:
I created an interface for both VPNs so that I can manage rules independently.
My rules are (per interface):
[openVPN]:
Block all traffic where the source is VPN2, destination set to all
I don't have any other rules (so realistically all traffic should be blocked on the openVPN interface)
[VPN1]
All allow traffic, all sources to all destinations
[VPN2]
1 allow rule where source is * and destination is a specific external IP (wanted to see if the VPN routes and it does route the correct IP here)
No other rules, thus I believe all traffic should be blocked
[LAN]
1) Source VPN2 with * destination blocked
2) Source * with * destination allowed (I am worried I lock myself out of the network)
What I am expecting is that VPN1 should work as expected (which it's doing) but VPN2 should not be able to ping any IPs on LAN at all and only have traffic allowed to the 1 external IP I have set up (this seems to work).
What am I missing here? How do I set up "VPN specific" rules?
tiermutter (Hero Member, Posts: 1097, Karma: 61)
Reply #1 on: October 14, 2022, 01:40:15 pm
I've got similar rules, allowing one WireGuard VPN to any and blocking LAN for the other VPN.
Direction: in, Proto: IPv4 *, Source: WG1 net, Port: *, Destination: ! LAN net, Port: *, Gateway: *, Schedule: *, Description: Allow NAS-WG VPN to any but LAN
This works as expected; ping to LAN is also not possible.
Have a look at the floating section; maybe there is an allow v4 ICMP rule for any?
Otherwise check the FW log and activate logging of default pass rules (and any others) to see if there is a rule allowing pings.
I am not an expert... just trying to help...
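The two posts above turn on how OPNsense picks the rule that decides a packet: rules are evaluated on the interface the packet enters, and a floating allow rule is consulted before any group or interface rule. The following Python model is an added example written for this page, not code from the thread or from the OPNsense project. It assumes the evaluation order OPNsense documents (floating rules, then interface-group rules, then per-interface rules, first match wins because rules are "quick"), and it assumes interface names ovpns1/ovpns2/lan, an "OpenVPN" group containing both VPN interfaces, a VPN2 client at 10.1.90.10 and the external address 203.0.113.10, none of which appear in the thread. The network ranges and the allowed host 10.1.10.44 come from the question. It evaluates the rule set the question describes, the same rule set with a floating "allow ICMP" rule of the kind the reply suggests checking for, and a per-interface rule set that implements the stated policy.

```python
"""Model of first-match rule evaluation for the VPN-to-LAN case in the thread.

Constructed example: ranges (VPN1 10.1.11.0/24, VPN2 10.1.90.0/24, LAN
10.1.10.0/24) and the host 10.1.10.44 come from the question; the interface
names, the 'OpenVPN' group membership, the client 10.1.90.10 and the external
address 203.0.113.10 are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed evaluation order: floating, then interface-group, then per-interface
# rules, with every rule "quick" so the first matching rule decides.
SCOPE_ORDER = {"floating": 0, "group": 1, "interface": 2}
GROUPS = {"OpenVPN": {"ovpns1", "ovpns2"}}  # assumed group membership


@dataclass
class Rule:
    scope: str        # "floating", "group" or "interface"
    iface: str        # interface or group name; "*" = any interface (floating)
    action: str       # "pass" or "block"
    src: str          # CIDR or "any"
    dst: str          # CIDR, "!CIDR" (negated, like "! LAN net") or "any"
    proto: str = "any"
    desc: str = ""


def _net_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _iface_match(rule, iface_in):
    if rule.iface == "*":
        return True
    if rule.iface in GROUPS:
        return iface_in in GROUPS[rule.iface]
    return rule.iface == iface_in


def evaluate(rules, iface_in, src, dst, proto="icmp"):
    """Return (action, description) of the first rule matching a packet that
    enters on iface_in.  sorted() is stable, so rules keep their listed order
    within a scope.  No match means the default deny applies."""
    for r in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if (_iface_match(r, iface_in)
                and (r.proto == "any" or r.proto == proto)
                and _net_match(r.src, src) and _net_match(r.dst, dst)):
            return r.action, r.desc
    return "block", "default deny"


VPN1, VPN2, LAN = "10.1.11.0/24", "10.1.90.0/24", "10.1.10.0/24"
HOST, EXT = "10.1.10.44/32", "203.0.113.10/32"   # EXT is a placeholder address


def posted_rules():
    """The rule set as described in the question, one entry per listed rule."""
    return [
        Rule("group", "OpenVPN", "block", VPN2, "any", desc="OpenVPN: block VPN2 -> any"),
        Rule("interface", "ovpns1", "pass", "any", "any", desc="VPN1: allow all"),
        Rule("interface", "ovpns2", "pass", "any", EXT, desc="VPN2: allow external IP"),
        Rule("interface", "lan", "block", VPN2, "any", desc="LAN: block VPN2"),
        Rule("interface", "lan", "pass", "any", "any", desc="LAN: allow all"),
    ]


def with_floating_icmp(rules):
    """Same rules plus a floating 'allow ICMP from anywhere' rule, the kind of
    rule the reply suggests looking for in the floating section."""
    return [Rule("floating", "*", "pass", "any", "any", "icmp", "floating: allow ICMP")] + rules


def intended_rules():
    """Per-interface policy: VPN2 reaches one LAN host and nothing else on LAN;
    the rules sit on the interface the VPN2 packets enter, ordered most specific
    first."""
    return [
        Rule("interface", "ovpns1", "pass", VPN1, "any", desc="VPN1: allow all"),
        Rule("interface", "ovpns2", "pass", VPN2, HOST, desc="VPN2: allow 10.1.10.44"),
        Rule("interface", "ovpns2", "block", VPN2, LAN, desc="VPN2: block rest of LAN"),
        Rule("interface", "ovpns2", "pass", VPN2, "any", desc="VPN2: allow non-LAN"),
    ]


if __name__ == "__main__":
    client = "10.1.90.10"  # constructed VPN2 client address
    sets = [("posted", posted_rules()),
            ("posted + floating ICMP", with_floating_icmp(posted_rules())),
            ("intended", intended_rules())]
    for name, rs in sets:
        for dst in ("10.1.10.44", "10.1.10.50", "203.0.113.10"):
            print(f"{name:24} {client} -> {dst:14} {evaluate(rs, 'ovpns2', client, dst)}")
```

Two things the model makes visible: the rules on the LAN interface never see a packet that arrives on ovpns2, so "LAN: block VPN2" is not what blocks or passes anything from VPN2 (pf is stateful, so the reply traffic from LAN rides the state created on the VPN interface), and a floating pass-ICMP rule matches before the group block, which is why pings would still get through even though the group rule reads as "block everything from VPN2". On the firewall itself, `pfctl -vvsr` lists the loaded ruleset with per-rule evaluation and packet counters, which is the quickest way to see which rule is actually consuming the pings.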