OpenVPN Traffic Filtering on 1.2.3
From PFSenseDocs
This article is part of the HOWTO series.
Summary
Starting with pfSense version 1.2.3, OpenVPN traffic can be filtered with ordinary firewall rules, but doing so on 1.2.3 involves a few extra steps, described below. None of this is needed on 2.0, which filters OpenVPN traffic natively.
Hardwire Your OpenVPN Interface (optional)
In pfSense 1.2.3, there is no guarantee that a given OpenVPN instance will always come up as tun0 or tap0; interface numbers are handed out as the instances start, so they may line up the way you want, but nothing guarantees it. The firewall rules you add later are bound to a specific interface name, so each tunnel has to land on the same interface every time.
In the custom options for each tunnel, add a dev directive naming a specific unit, such as dev tun9 or dev tap7, and use a different unit for each tunnel.
Save the settings for each tunnel, then confirm (for example with ifconfig once the tunnels have restarted) that each instance came up on the interface you named.
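As an added check that is not part of the original HOWTO, the script below inspects the OpenVPN configs the GUI generates and reports any instance whose dev line is unpinned (bare tun or tap) or collides with another instance. The config directory (/var/etc on 1.2.3) and file names are assumptions; check them on your firewall. The three sample configs are constructed inline so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the pfSense wiki. Checks that every OpenVPN instance
# config pins its interface with an explicit unit number ("dev tun9") and that
# no two instances claim the same unit. On the firewall you would point it at
# the generated configs (assumed to live under /var/etc on 1.2.3); here
# constructed sample configs stand in for them.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: a tunnel whose custom options pin the device.
cat > "$WORK/openvpn_server0.conf" <<'EOF'
dev tun9
proto udp
lport 1194
ifconfig 10.0.8.1 10.0.8.2
EOF

# Constructed: a tunnel left on the default, unpinned device.
cat > "$WORK/openvpn_server1.conf" <<'EOF'
dev tun
proto udp
lport 1195
EOF

# Constructed: a tunnel that collides with server0's device.
cat > "$WORK/openvpn_client0.conf" <<'EOF'
dev tun9
proto udp
remote vpn.example.org 1194
EOF

# Print the device named by a config's dev line, or "none" if it has no dev line.
dev_of() {  # $1 = config file
    d=$(awk '$1 == "dev" { print $2; exit }' "$1")
    printf '%s\n' "${d:-none}"
}

# Exit 0 if the dev line names a specific unit (tun9, tap7); 1 if it is bare (tun, tap) or missing.
dev_is_pinned() {  # $1 = config file
    dev_of "$1" | grep -qE '^(tun|tap)[0-9]+$'
}

# Print each device claimed by more than one config in the directory.
duplicate_devs() {  # $1 = directory holding the configs
    for f in "$1"/*.conf; do dev_of "$f"; done | sort | uniq -d
}

for f in "$WORK"/*.conf; do
    if dev_is_pinned "$f"; then
        echo "ok:       $(basename "$f") -> $(dev_of "$f")"
    else
        echo "UNPINNED: $(basename "$f") -> $(dev_of "$f") (add 'dev tunN' to its custom options)"
    fi
done
dups=$(duplicate_devs "$WORK")
[ -z "$dups" ] || echo "DUPLICATE: device(s) claimed by more than one instance: $dups"
```

Run it after saving the tunnels; replace the sample directory with the real one and expect every line to read ok and no DUPLICATE line.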
Add Firewall Rules for VPN Peers
You must add firewall rules on the WAN tab that allow traffic from your VPN peers to the firewall's WAN address. Normally these rules are added automatically, but that automation has to be disabled as part of this process (see the next step), so the rules must exist explicitly.
For OpenVPN this means passing the protocol and port each tunnel listens on (UDP 1194 by default) from any source, or from the peers' addresses if they are static; for IPsec it means UDP 500 (and UDP 4500 when NAT traversal is in use) plus ESP. The exact rules depend on your installation and configuration.
Disable Automatic Rules
The automatic VPN rules must be disabled because, besides the WAN rules, that process also adds an 'allow all' rule on every OpenVPN interface, which defeats the purpose of filtering the tunnel traffic.
- Go to System > Advanced
- Check "Disable all auto-added VPN rules"
- Save
Assign OpenVPN interface as OPT
- Interfaces > (assign)
- Click +
- Choose the tun or tap interface you picked earlier
- Click Save
Configure OPT interface
- Interfaces > OPTx (your newly created OpenVPN interface)
- Check enable
- Fill in a name, or leave it as OPTx
- Set for Static IP
- Enter 'none' for the IP address (OpenVPN manages the tunnel addresses itself; the assignment only exists to give the interface its own rules tab)
- Save
Add Firewall Rules
- Firewall > Rules
- Click the OPTx tab or the name that coincides with the OpenVPN interface(s) you created.
- Add rules describing what VPN peers may reach; with the automatic 'allow all' rule gone, anything not matched by a rule on this tab is dropped by the default deny
- Save, Apply
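As an added check that is not part of the original HOWTO, the script below examines a ruleset dump for the outcome this procedure is after: no blanket 'pass ... all' rule left on the OpenVPN interface, only the rules written on its tab. On the firewall you would save the live ruleset with pfctl -sr and point the functions at that file; here two constructed dumps (one before the change, one after) stand in for it, and the interface name tun9 is the one pinned earlier. The rule text in the samples is constructed to resemble pfctl output, not copied from a real 1.2.3 system.

```shell
#!/bin/sh
# Added check, not from the pfSense wiki. Inspects a saved ruleset dump for the
# result this HOWTO wants: no allow-all pass rule remaining on the OpenVPN
# interface, only the rules you wrote on its tab. On the firewall:
#     pfctl -sr > /tmp/rules.txt
# Here two constructed dumps stand in for that output.

RULES=$(mktemp -d)
trap 'rm -rf "$RULES"' EXIT

# Constructed: the auto-added VPN rule still present (allow-all on tun9).
cat > "$RULES/before.txt" <<'EOF'
pass in quick on em0 inet proto udp from any to (em0) port = 1194 keep state label "USER_RULE: OpenVPN"
pass in quick on tun9 all keep state label "auto-added VPN rule"
EOF

# Constructed: auto rules disabled, per-peer rules written on the OPT tab.
cat > "$RULES/after.txt" <<'EOF'
pass in quick on em0 inet proto udp from any to (em0) port = 1194 keep state label "USER_RULE: OpenVPN"
pass in quick on tun9 inet proto tcp from 10.0.8.0/24 to 192.168.1.10 port = 22 flags S/SA keep state label "USER_RULE: ssh from VPN"
block drop in log quick on tun9 all label "USER_RULE: deny the rest"
EOF

# Print every rule bound to the given interface.
rules_on_iface() {  # $1 = dump file, $2 = interface name
    grep -E "(^|[[:space:]])on[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Count pass rules on the interface that match "all" (any source to any destination).
count_allow_all() {  # $1 = dump file, $2 = interface name
    rules_on_iface "$1" "$2" | grep -E '^pass[[:space:]]' | grep -cE '[[:space:]]all([[:space:]]|$)' || true
}

# Exit 0 when the interface carries no allow-all pass rule.
vpn_iface_filtered() {  # $1 = dump file, $2 = interface name
    [ "$(count_allow_all "$1" "$2")" -eq 0 ]
}

for dump in before after; do
    if vpn_iface_filtered "$RULES/$dump.txt" tun9; then
        echo "$dump: tun9 is filtered; rules bound to it:"
    else
        echo "$dump: WARNING, allow-all pass rule still present on tun9:"
    fi
    rules_on_iface "$RULES/$dump.txt" tun9 | sed 's/^/    /'
done
```

If the WARNING line appears against a live dump, the automatic VPN rules are still being generated: recheck the setting under System > Advanced and reapply the filter.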
Categories: Howto | OpenVPN | VPN
