Confused on where to lock down firewall for OpenVPN site to site

I followed the video How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense - YouTube and I successfully established a site to site VPN with OpenVPN as per the video. Now, I’m trying to lock it down to limit access to specific servers (i.e. specific IPs) on the OpenVPN server site. I.e. the OpenVPN client network should only access certain IPs on the OpenVPN server site. Using the video’s IP to talk about it, let’s say I want to limit computers on the network to have access to only a specific server, let’s say Where do I put the firewall rules to block everything from the network to the network except for

Do I add a firewall run on the pfSense? If so, do I add it on the OpenVPN interface or on the OPT1 interface (Firewall / Rules / OPT1)?

Or, do I add it into the server pfSense? Do I add it to the OpenVPN interface?

I’ve tried adding it to several combinations of the above and it’s still passing my pings. Any help or links would be appreciated.

In this video, about half way through I dive into how to create firewall rules that restrict by IP address and that might help you with the concepts. The server side will only see the OpenVPN address so you will need rules on the client side to restrict what systems can traverse the VPN.

1 Like

The way I’ve setup my network with multiple vlans is to treat my OpenVPN connections as another network, while you can also configure the OpenVPN server with rules which may also work.

I’ve defined an alias for my subnets (including VPNs) which I use in rules for each network which controls which vlans can see each other, followed by a second rule which controls access to the WAN. So my IoT, Guest, CAM network can only access the WAN and the VPN, ISP networks can see everything.

Thanks! The video you pointed out showed me what I was missing - restarting the OpenVPN server. I was implementing the rules thinking that it would take hold in the firewall as soon as I applied it. Turns out that I needed to restart the OpenVPN server like you did in the video!

1 Like