OpenVPN firewall rules

Started by JesperAP, September 14, 2023, 12:12:59 PM

Hello,

I am trying to use OPNsense as a VPN server. My goal is to have multiple VPN servers, one for every user group (LDAP group).

For every group I want to have firewall rules so that they can access specific networks. So for example developers can only access the dev server subnets and release managers access dev, test, acceptance and production servers.

The OpenVPN servers work, and every group gets its own servers.

But when I try to make firewall rules so specific groups can access specific subnets I get stuck.

When I check the logs, I bypass the firewall because the connected user has the IP 172.16.100.6, but in the logs the ping comes from the source 172.16.23.10 (<- OPNsense IP).

How can I fix it so that the client IP is the source?

I only have one NIC (WAN) because I thought I don't need a LAN for my use case.

I hope I explained it right. I am Dutch, so if I need to explain it for you in Dutch, please send me a DM.

I found the answer myself.

In the OpenVPN server you can specify IP-ranges that the clients are allowed to visit. It is called "IPv4 Local Network".

If you fill in all the allowed addresses, then the clients are only allowed to reach those IPs.

IPv4 Local Network is about routes pushed to the client. This has nothing to do with firewall rules. The alternative would be to do that same setting on the clients, in my opinion. So in the case of your configuration, if a client manually added a route to 172.16.0.0/16, access would be given to all your subnets.

In my opinion it would be better to have explicit firewall rules for each VPN server (subnet).
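To make the difference between the two approaches in this thread concrete, here is an added example (not configuration posted by anyone in the thread, nor OPNsense's own generated config). It shows, in plain OpenVPN and pf syntax, what the "IPv4 Local Network" field does versus what an explicit per-server firewall ruleset does. The tunnel network 172.16.100.0/24 comes from the thread; the dev subnet 172.16.10.0/24 is a constructed value, and the interface name ovpns1 assumes the usual OPNsense naming for the first OpenVPN server instance (assign it under Interfaces > Assignments to get a per-server rules tab instead of the shared OpenVPN group tab).

```conf
# --- OpenVPN server instance for the "developers" group (constructed example) ---
# This is what the OPNsense "IPv4 Local Network" field turns into: a route
# PUSHED to the client. It is a convenience, not a control. A client may
# ignore it or add its own route (e.g. to 172.16.0.0/16) as the thread notes.
server 172.16.100.0 255.255.255.0          # tunnel network from the thread
push "route 172.16.10.0 255.255.255.0"     # dev subnet (constructed value)

# --- pf rules on the OpenVPN server interface (assumed name: ovpns1) ---
# pf filters on the interface a packet ARRIVES on, so here the source is the
# client's tunnel address (172.16.100.x) as seen before outbound NAT rewrites
# it to the OPNsense WAN address (172.16.23.10) on the way out.
dev_net  = "172.16.10.0/24"    # constructed value
vpn_devs = "172.16.100.0/24"   # tunnel network from the thread

# Weak: allow everything and rely on pushed routes to "restrict" clients.
# pass in quick on ovpns1 inet from $vpn_devs to any

# Explicit: allow only the dev subnet for this server, log and drop the rest.
pass  in quick on ovpns1 inet proto { tcp udp icmp } from $vpn_devs to $dev_net
block in log  quick on ovpns1 inet from $vpn_devs to any
```

Repeat the same pattern per server (one tunnel network and one `ovpnsN` interface per LDAP group, with its own allowed destination list). The logged `block` rule is what tells you a client tried to reach a subnet it was not given, which the pushed-routes approach can never show you.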