Confused on where to lock down firewall for OpenVPN site to site

I followed the video How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense - YouTube and I successfully established a site to site VPN with OpenVPN as per the video. Now, I’m trying to lock it down to limit access to specific servers (i.e. specific IPs) on the OpenVPN server site. I.e. the OpenVPN client network should only access certain IPs on the OpenVPN server site. Using the video’s IP to talk about it, let’s say I want to limit computers on the 192.168.20.0/24 network to have access to only a specific server, let’s say 192.168.40.11. Where do I put the firewall rules to block everything from the 192.168.20.0/24 network to the 192.168.40.0/24 network except for 192.168.40.11?

Do I add a firewall rule on the 192.168.20.1 pfSense? If so, do I add it on the OpenVPN interface or on the OPT1 interface (Firewall / Rules / OPT1)?

Or, do I add it into the server 192.168.40.1 pfSense? Do I add it to the OpenVPN interface?

I’ve tried adding it to several combinations of the above and it’s still passing my pings. Any help or links would be appreciated.

In this video, about halfway through I dive into how to create firewall rules that restrict by IP address and that might help you with the concepts. The server side will only see the OpenVPN address so you will need rules on the client side to restrict what systems can traverse the VPN.

1 Like
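An added example, not from the video or from either poster, of the client-side rule order that implements the goal in the question, written in pf syntax in the form pfSense generates. It assumes the 192.168.20.0/24 LAN at the client site sits on interface opt1 and that the rules are placed inbound on that interface, where traffic from those hosts first enters the firewall:

```pf
# Added example in pf syntax. pfSense generates "quick" rules, so the first
# matching rule wins and order matters. Interface name "opt1" is an assumption.

# 1. Allow the single permitted server at the remote (server) site.
pass in quick on opt1 inet from 192.168.20.0/24 to 192.168.40.11 keep state

# 2. Block the rest of the remote LAN. This must sit above any general pass rule,
#    otherwise the catch-all below matches first and the block never applies.
block in quick on opt1 inet from 192.168.20.0/24 to 192.168.40.0/24

# 3. Everything else (Internet, other local networks) passes as before.
pass in quick on opt1 inet from 192.168.20.0/24 to any keep state
```

Rule changes do not cut connections that already have a state-table entry, so a ping started before the block rule was added keeps passing until its state is cleared (Diagnostics / States in pfSense) or the tunnel is restarted.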

The way I’ve set up my network with multiple VLANs is to treat my OpenVPN connections as another network, while you can also configure the OpenVPN server with rules which may also work.

I’ve defined an alias for my subnets (including VPNs) which I use in rules for each network which controls which VLANs can see each other, followed by a second rule which controls access to the WAN. So my IoT, Guest, CAM network can only access the WAN and the VPN, ISP networks can see everything.

Thanks! The video you pointed out showed me what I was missing - restarting the OpenVPN server. I was implementing the rules thinking that it would take hold in the firewall as soon as I applied it. Turns out that I needed to restart the OpenVPN server like you did in the video!

1 Like