Topic: Question regarding Interfaces for VPN-Tunnels (Read 1032 times)
Matzke
Jr. Member
Posts: 73
Karma: 2
Question regarding Interfaces for VPN-Tunnels « on: September 13, 2023, 09:02:29 pm »
Hello,
I have a principle question about interfaces for VPN connections.
In the https://docs.opnsense.org/manual/how-tos/wireguard-client.html tutorial it is recommended (step 5a) to create one interface per WireGuard channel.
For this, two questions:
1) Do I define the firewall rules exclusively on this interface and leave the general WireGuard interface untouched?
2) Is this procedure also recommended for OpenVPN (one interface per OpenVPN connection)?
2a) If yes, do I define the rules only within this OpenVPN interface, and do I see the original sources/destinations or the encapsulated ones of the OpenVPN transport network (for Site2Site) within this interface?
Thanks a lot
Matzke
Jr. Member
Posts: 73
Karma: 2
Re: Question regarding Interfaces for VPN-Tunnels « Reply #1 on: September 17, 2023, 07:51:30 pm »
Dear all,
is this question too difficult to answer?
I could not find any information in the documentation about what the developers thought and how the basic configuration should be.
I also don't understand why individual interfaces are recommended for WireGuard and apparently not for other VPN technologies.
I would be very happy if someone from the core team would post a short answer.
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: Question regarding Interfaces for VPN-Tunnels « Reply #2 on: September 17, 2023, 08:48:06 pm »
There is no general rule. Whether to create the firewall rules per VPN instance (interface) or a common set of rules for all instances (automatic interface group) is your decision and more of a management issue than anything else.
Do you have more than one instance at all?
How complex is the ruleset per instance? One "allow all" rule per connection, e.g. when connecting multiple offices of a single company? I'd put them all in the group and give them suitable descriptions.
Several complex rules per instance, e.g. for untrustworthy connections for remote support of customers? Create one interface per customer and put the rules there.
Entirely your choice.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Matzke
Jr. Member
Posts: 73
Karma: 2
Re: Question regarding Interfaces for VPN-Tunnels « Reply #3 on: September 22, 2023, 12:58:14 pm »
Dear Patrick,
thanks a lot for your answer.
Formerly I had interfaces per OpenVPN instance just for a better overview of the firewall rules, because I could define the rules on every interface instead of having a lot of rules on the general OpenVPN interface.
As mentioned in this post, https://forum.opnsense.org/index.php?topic=23460.msg112055#msg112055, I deleted all my sub-interfaces because it seems that it isn't designed for sub-interfaces.
After reading the WireGuard tutorial I'm very confused about which is the gold standard.
So could you confirm that it is okay to use sub-interfaces with all VPN methods (WireGuard as well as OpenVPN) without getting problems?
A little second question - OpenVPN as well as WireGuard use transport subnets which are only visible internally. When defining firewall rules, can I use the normal source and target of the IP packets, or do I have to filter the encapsulated transport packets without knowing how they are translated into this transport subnet?