OpenVPN Clients Able to Talk To Each Other

Started by leacho73, February 27, 2023, 12:57:51 PM

Hi All,

I've just set up a new OpenVPN server on the latest OPNsense build and I noticed that two clients connected to the same server are able to ping each other, even though the Inter-client communication box is not checked. Is this a bug with the latest build, or am I missing something?

The IPv4 Tunnel Network is 192.168.0.0/24 and I have noticed that two clients, 192.168.0.10 and 192.168.0.11, are able to ping each other.

Thanks
Leacho

February 27, 2023, 03:43:26 PM #1 Last Edit: February 27, 2023, 03:52:17 PM by Fright
Hi
I thought that the 'client-to-client' option implies communication within the tunnel(s). Without 'client-to-client' enabled, this traffic is controlled by the routing and pf settings. If you have an 'allow any' rule for VPN clients, then it is likely that traffic will be possible (this has nothing to do with OPNsense changes).

So both the 192.168.0.10 and .11 hosts are connected to the same tunnel. I assumed that the traffic wouldn't route between them and would be handled by the tunnel? Not sure how I would go about adding a firewall rule stopping comms on the same subnet? I assumed the firewall only triggered on traffic entering the interface?

If you currently have an explicit interface created for your OpenVPN server and a single rule, e.g.

From: OpenVPN_Net
To: any
Action: allow

Then change this to:

1.
From: OpenVPN_Net
To: OpenVPN_Address (interface address of your firewall in the OpenVPN network)
Action: allow

2.
From: OpenVPN_Net
To: OpenVPN_Net
Action: deny

3.
From: OpenVPN_Net
To: any
Action: allow


The first rule is not strictly necessary but helps clients to e.g. ping the default gateway for debugging purposes. If you already have e.g. a floating "allow ICMP echo" rule, you can just drop it.

Rules are processed in order, so you can deny client-to-client traffic while permitting client-to-anything-else.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
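The behaviour Fright and Patrick describe above rests on two facts: without OpenVPN's `client-to-client` option the server process does not forward traffic between clients internally, so a packet from one client to another leaves the tun interface, is routed by the kernel and is seen by pf like any other packet; and OPNsense interface rules are first-match (the "quick" flag is set by default), so a deny placed before the broad allow wins. The script below is an added example, not OPNsense or OpenVPN code: it models that first-match evaluation over the weak single-rule set, Patrick's three-rule set, and a mis-ordered variant, against a few constructed flows. The alias names match the thread; the LAN prefix, the internet address and the flow list are assumptions made up for the illustration.

```python
"""
Model pf/OPNsense first-match ("quick") rule evaluation for the OpenVPN
client-to-client question. Added example for illustration only; the
aliases, rules and flows are constructed, not taken from a real firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed aliases: the thread's tunnel network 192.168.0.0/24 with the
# server at .1; the LAN prefix is an assumption for the example.
ALIASES = {
    "OpenVPN_Net": [ip_network("192.168.0.0/24")],
    "OpenVPN_Address": [ip_network("192.168.0.1/32")],
    "LAN_Net": [ip_network("10.0.0.0/24")],
    "any": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    src: str      # alias name used as source
    dst: str      # alias name used as destination
    action: str   # "allow" or "deny"
    label: str = ""


def _matches(alias: str, addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in ALIASES[alias])


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Return the verdict for a new flow: the first matching rule wins,
    and a flow that matches nothing hits the implicit default deny."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "deny"


# The single rule from the thread that lets the two clients ping each other.
WEAK = [Rule("OpenVPN_Net", "any", "allow", "allow any")]

# Patrick's three rules, in the order that makes them work.
CORRECTED = [
    Rule("OpenVPN_Net", "OpenVPN_Address", "allow", "gateway reachable"),
    Rule("OpenVPN_Net", "OpenVPN_Net", "deny", "no client-to-client"),
    Rule("OpenVPN_Net", "any", "allow", "everything else"),
]

# Same rules with the deny moved below the broad allow: the deny never fires.
MISORDERED = [CORRECTED[0], CORRECTED[2], CORRECTED[1]]

# Constructed sample flows (source, destination).
FLOWS: Dict[str, Tuple[str, str]] = {
    "client->client": ("192.168.0.10", "192.168.0.11"),
    "client->gateway": ("192.168.0.10", "192.168.0.1"),
    "client->lan": ("192.168.0.10", "10.0.0.5"),
    "client->internet": ("192.168.0.10", "203.0.113.7"),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample flow against one rule set."""
    return {name: evaluate(rules, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("corrected", CORRECTED), ("misordered", MISORDERED)):
        print(f"{name:10s} {verdicts(rs)}")
```

Two practical caveats the model makes visible. First, pf is stateful: once rule 3 has allowed a client-to-client packet, the reply is matched by state, not by the rules, so the deny only helps if it sits above the allow and therefore never creates that state in the first place. Second, the model only applies while `client-to-client` stays unchecked; with it enabled, OpenVPN routes between clients inside the daemon and pf never sees those packets, which is why the OpenVPN manual advises against that option when you want to firewall tunnel traffic per client.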

Thanks Patrick, that's really helpful!!

Just want to check about the explicit interface for the OpenVPN server: do I need to give that interface an IP address from the OpenVPN subnet, for example 192.168.0.1/24, or will that break the OpenVPN server?

If I leave it without an IP address it knows it should be 192.168.0.1, but I don't think it knows what subnet it's in.

Thanks again!!

Sorry, not quite sure. Please experiment or wait for someone else to join the discussion. All WireGuard here, now.

If I remember correctly you do not need to give those "VPN interfaces" any IP configuration. You can create manual aliases for the network and the interface address to use in your rules.

Got it sorted, thanks Patrick. Your example worked perfectly (for me personally!). I didn't use the interface in the end; I just made an alias of the IP subnets that I don't want talking to each other and it's doing the job nicely.

Floating rule or OpenVPN group?