Personal tools

OpenVPN Traffic Filtering on 1.2.3

From PFSenseDocs

Jump to: navigation, search
This article is part of the HOWTO series.

Contents

Summary

Starting with pfSense version 1.2.3, you can filter OpenVPN traffic with a few extra considerations involved. These steps are not needed for 2.0, since it can handle the filtering OpenVPN natively.

Hardwire Your OpenVPN Interface (optional)

In pfSense 1.2.3, there is no guarantee that the OpenVPN instance will always be tun0 or tap0 due to various behind-the-scenes processes. It may always line up how you want, but there are no guarantees.

In the custom configuration for each tunnel, specify an exact openvpn interface to use, such as tun9 or tap7.

Save the settings for each tunnel, and confirm that the proper interface names are being used.

Add Firewall Rules for VPN Peers

You must add firewall rules to your WAN address to allow traffic from your VPN peers. Normally, rules are in place automatically to allow this traffic, but those must be disabled as part of this process.

This may mean adding rules for allowing traffic in from any address to port 1194 for OpenVPN users, or allowing udp/500 and GRE/* for IPsec, this will vary depending on your installation and configuration.

Disable Automatic Rules

The automatic VPN rules must be disabled because that process also adds an 'allow all' rule to all OpenVPN interfaces, which is counter to our goal for this process. If you don't uncheck this box, your rules for the opt interface will not be used.

  • Go to System > Advanced
  • Check "Disable all auto-added VPN rules"
  • Save

Assign OpenVPN interface as OPT

  • Interfaces > (assign)
  • Click +
  • Choose the tun or tap interface you picked earlier
  • Click Save

Configure OPT interface

  • Interfaces > OPTx (your newly created OpenVPN interface)
  • Check enable
  • Fill in a name, or leave it as OPTx
  • Set for Static IP
  • Enter 'none' for an IP address
  • Save

Add Firewall Rules

  • Firewall > Rules
  • Click the OPTx tab or the name that coincides with the OpenVPN interface(s) you created.
  • Add rules
  • Save, Apply
Retrieved from "http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3"