Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
OpenVPN Clients Able to Talk To Each Other
« previous
next »
Print
Pages: [
1
]
Author
Topic: OpenVPN Clients Able to Talk To Each Other (Read 1364 times)
leacho73
Newbie
Posts: 33
Karma: 0
OpenVPN Clients Able to Talk To Each Other
«
on:
February 27, 2023, 12:57:51 pm »
Hi All,
I've just setup a new OpenVPN server on the latest Opnsense build and i noticed that 2 clients connected to the same server are able to ping each other, even though the Inter-client communication box is not checked. - is this a bug with the latest build or am i missing something?
The IPV4 Tunnel Network is 192.168.0.0/24 and I have noticed that 2 clients, 192.168.0.10 and 0.11 are able to ping each other.
Thanks
Leacho
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #1 on:
February 27, 2023, 03:43:26 pm »
Hi
I thought that the 'client-to-client' option implies communication within the tunnel(s). without 'client-to-client' enabled, this traffic is controlled by the routing&pf settings. if you have 'allow any' rule for vpn clients, then it is likely that traffic will be possible (this has nothing to do with opnsense changes)
«
Last Edit: February 27, 2023, 03:52:17 pm by Fright
»
Logged
leacho73
Newbie
Posts: 33
Karma: 0
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #2 on:
February 27, 2023, 04:12:37 pm »
So both 192.168.0.10 and 11 hosts are connected to the same tunnel - I assumed that the traffic wouldn't route between them - and would be handled by the tunnel? - not sure how I would go about adding a firewall rule stopping comm's on the same subnet? - I assumed the firewall only triggered on traffic entering the interface?
Logged
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #3 on:
February 27, 2023, 04:28:08 pm »
If you currently have created an explicit interface for your OpenVPN server and have a single rule e.g.
From: OpenVPN_Net
To: any
Action: allow
Then change this to:
1.
From: OpenVPN_Net
To: OpenVPN_Address (interface address of your firewall in the OpenVPN network)
Action: allow
2.
From: OpenVPN_Net
To: OpenVPN_Net
Action: deny
3.
From: OpenVPN_Net
To: any
Action: allow
The first rule is not stricly necessary but helps clients to e.g. ping the default gateway for debugging purposes. If you already have e.g. a floating "allow ICMP echo" rule, you can just drop it.
Rules are processed in order, so you can deny client-to-client traffic while permitting client-to-anything-else.
HTH,
Patrick
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
leacho73
Newbie
Posts: 33
Karma: 0
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #4 on:
February 27, 2023, 05:01:44 pm »
Thanks Patrick, that's really helpful!!
Just want to check with the explicit interface for the openvpn server - do I need to give that interface an IP address as per the OpenVPN subnet? - for example 192.168.0.1/24 - or will that break the OpenVPN Server?
If I leave it without an IP address it knows it should be 192.168.0.1 - but I don't think it knows what subnet its in.
Thanks again!!
Logged
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #5 on:
February 27, 2023, 05:15:19 pm »
Sorry, not quite sure. Please experiment or wait for someone else to join the discussion. All WireGuard here, now.
If I remember correctly you do not need to give those "VPN interfaces" any IP configuration. You can create manual aliases for the network and the interface address to use in your rules.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
leacho73
Newbie
Posts: 33
Karma: 0
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #6 on:
February 27, 2023, 05:20:46 pm »
Got it sorted, thanks Patrick - your example worked perfectly (for me personally!) - I didn't use the interface in the end, I just made an alias of the IP subnet's that I don't want talking to each other and it's doing the job nicely.
Logged
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: OpenVPN Clients Able to Talk To Each Other
«
Reply #7 on:
February 27, 2023, 05:32:54 pm »
Floating rule or OpenVPN group?
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
OpenVPN Clients Able to Talk To Each Other