Restrict OpenVPN Client pipe to specific subnet

Started by darkmage, July 13, 2023, 10:52:40 PM

Background: My company uses OpenVPN Connect (now called CloudConnexa), and I have my OpnSense using OpenVPN Client to connect to it, so that every work system doesn't have to run a separate client locally. The VPN is a split-tunnel, so only traffic going to our AWS VPC uses the VPN.

I have split my home office on one /25 and the rest of the house on another /25 with the hope of restricting access to the OpenVPN Client to just the office /25 versus the entire house. I have added an opt2 interface to the ovpnc entry as someone suggested originally on Reddit, but no firewall rules I try seem to be stopping LAN traffic from finding its way to the VPN.

Has anyone here ever done anything like this and can give pointers on what kind of firewall rule I need where to do it? Thanks!

Not sure if this is your meaning;

Created 2 separate Clients
Created 2 separate Interfaces
Created 2 aliases [for me 192.168.5.1-192.168.5.128 (USA VPN) and 192.168.5.129-192.168.5.256 (Europe VPN)]
Set both created Interfaces as Upstream (not sure if that is correct, but it works) under System: Gateways: Single
Created 2 Outbound NAT rules; Interface {vpn1/vpn2}, then selected the alias for each VPN as Source, then NAT: Interface Address:

    NordVPN_USA        USA_VPN        *    *    *    Interface address    *    NO
    NordVPN_Germany    Germany_VPN    *    *    *    Interface address    *    NO

Created LAN rules, selected alias 1 with gateway vpn1 and alias 2 with vpn2:

    IPv4 *    USA_VPN        *    *    *    NORDVPN_USA_VPNV4
    IPv4 *    Germany_VPN    *    *    *    NORDVPN_GERMANY_VPNV4

I mean, it works exactly as I intended it to, so.

The aliases trick I haven't tried yet, so I'll do that. I was using LAN_net for the alias, which I would think would be the same thing?

I only use the Alias thing to group IPs. I mean, it serves many purposes, but in this case Alias_1 is one group of IPs and Alias_2 is the second group.

So, still nothing has worked. Interestingly, I looked at the firewall logs, and if I have an SSH session from my workstation to a server on the other end of the OpenVPN tunnel, here's what I see in sessions:
An outbound connection from my workstation, with no gateway IP, to the remote server's private IP, and an inbound connection between the same two IPs, again with no gateway, being allowed by "let anything out by the firewall host itself".
Do I need to micromanage and make a rule for every remote private IP and block those subnets individually in rules? I assume the lack of a gateway is because the routes are getting established dynamically from the OpenVPN Client, which honestly I prefer. But it feels strange that I don't see the OpenVPN Client interface I defined in this exchange anywhere, even though that's clearly the route it's taking.

Ok, I've made progress. So I created a firewall alias for every private IP range on the far end of the VPN. I then changed the default LAN rule to do an inverted destination match on that alias, and that seems to have blocked it.
So, my current need is solved, but I do feel like this is an area of improvement in the product. The OpenVPN Client interface should get auto-populated as a gateway for traffic it's responsible for routing, and then rules about things heading to that gateway could be made. That would be way more intuitive. This solution works, but every time we add or change a subnet on the VPN, every other system will auto-update, but I'll need to remember to change the alias on this one.
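As an added illustration of the workaround in the post above (this is example code, not something posted in the thread or shipped with OPNsense), the script below does two things: it rebuilds the "remote VPN subnets" alias content from the routes the OpenVPN client instance has installed, by reading the FreeBSD `netstat -rn -f inet` table and keeping only entries whose Netif is the client interface, and it models the resulting LAN rule (pass, destination inverted against that alias) against a few flows. The netstat output is constructed, and the interface name `ovpnc1`, the 10.20.0.0/16 and 10.21.4.0/22 "AWS" prefixes, and the split of 192.168.5.0/24 into an office half with its own allow-any rule and a house half on LAN are all assumptions. The last check shows the exact failure mode the post worries about: if a new subnet gets pushed over the tunnel and the alias is not refreshed, the inverted-destination pass rule lets house traffic reach it.

```python
"""Rebuild the 'remote VPN subnets' alias from an OpenVPN client's pushed routes
and evaluate the inverted-destination LAN rule against sample flows.

Added example, not code from the forum thread or from OPNsense. The netstat
output is constructed; ovpnc1 and the 10.20/10.21 remote prefixes are assumed.
"""
import ipaddress

# Constructed sample of `netstat -rn -f inet` on FreeBSD/OPNsense. Column layout
# assumed: Destination  Gateway  Flags  Netif  Expire (Expire usually empty).
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.20.0.0/16       10.8.0.1           UGS      ovpnc1
10.21.4.0/22       10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#7             U        ovpnc1
10.8.0.2           link#7             UHS         lo0
127.0.0.1          link#5             UH          lo0
192.168.5.0/25     link#3             U          igb1
192.168.5.128/25   link#3             U          igb1
"""

# Assumed split of the house: office half has an unrestricted pass rule on its
# own interface; the rest of the house sits on LAN with the inverted rule.
OFFICE_NET = ipaddress.ip_network("192.168.5.0/25")
HOUSE_NET = ipaddress.ip_network("192.168.5.128/25")


def vpn_networks(netstat_output, iface):
    """Return the networks routed via `iface` (the OpenVPN client interface),
    i.e. the prefixes the VPN alias has to contain, sorted numerically."""
    nets = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] in ("Destination", "default"):
            continue  # headers, blank/section lines, and the default route
        dest, netif = cols[0], cols[3]
        if netif != iface:
            continue
        # A bare address (host route) becomes a /32; strict=False tolerates
        # any host bits netstat might print.
        nets.append(ipaddress.ip_network(dest, strict=False))
    return sorted(nets, key=lambda n: (n.network_address, n.prefixlen))


def alias_lines(nets):
    """OPNsense 'Network(s)' aliases take one CIDR per line."""
    return "\n".join(str(n) for n in nets)


def lan_rule_allows(src, dst, vpn_nets):
    """Model the rule set from the thread.

    Office hosts: pass any (their own interface, untouched).
    Everyone else (LAN): the only pass rule has Destination = !VPN_alias, so a
    flow towards an alias member matches no pass rule and hits default deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in OFFICE_NET:
        return True
    to_vpn = any(d in n for n in vpn_nets)
    return not to_vpn


if __name__ == "__main__":
    nets = vpn_networks(SAMPLE_NETSTAT, "ovpnc1")
    print("Alias content for the VPN subnets:\n" + alias_lines(nets))
    # House host towards a VPN subnet is blocked, towards the Internet allowed.
    print(lan_rule_allows("192.168.5.200", "10.20.3.7", nets))
    print(lan_rule_allows("192.168.5.200", "93.184.216.34", nets))
    # Stale alias (10.21.4.0/22 was pushed later, alias not updated): leak.
    stale = [n for n in nets if str(n) != "10.21.4.0/22"]
    print("leak with stale alias:", lan_rule_allows("192.168.5.200", "10.21.5.1", stale))
```

Running `vpn_networks()` against the live `netstat -rn -f inet` output from cron and pushing the result into the alias is the obvious way to close the "I have to remember to update the alias" gap the post describes; the script here only produces the alias text and leaves the upload step to whatever mechanism you already use for OPNsense aliases.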