Pfsense firewall rule to allow openvpn clients access to a single server on the LAN?

Hey y’all,

I know this has gotta be pretty simple, but my firewall-fu is poor.

I’m just trying to give my phone access to a single server on my LAN when away. I have OpenVPN set up and can connect to my home network while away, but I’ve set it up on a different subnet. I want to allow access to one machine on the LAN.

Specifically, 10.0.0.36 should be visible to VPN connections (10.0.2.0).

Any help would be GREATLY appreciated!

First, I’m making no claims this is the best way to do it, but it is the way I do it.

So, assuming I understand what you are asking, you want to set up a VPN server that can ONLY access one IP address on your home network and no other network access?

If this is the case, go into your firewall rules and select your VPN VLAN tab. Disable the default rule that allows access to ‘Any’. Create a rule that blocks access to ‘Any’:

  1. Action = Block
  2. Interface = “VPNVLAN” (whatever it’s called)
  3. Address Family = IPv4+IPv6
  4. Protocol = Any
  5. Source = “VPNVLAN”
  6. Destination = any
  7. Description = ‘Block access from “VPNVLAN” to any’

Right above this rule, you’ll then want another rule to allow access to the single IP address.

  1. Action = Pass
  2. Interface = “VPNVLAN” (whatever you named it)
  3. Address Family = IPv4
  4. Protocol = (whichever is needed, TCP/UDP usually works)
  5. Source = “VPNVLAN”
  6. Destination = Single host or alias - 10.0.0.36
  7. Destination Port Range = (You can set a specific port if you want to further restrict access to a specific port, Ex. “From (other) - Custom 8000, To (other) - Custom 8000”) Otherwise set from ‘any’ to ‘any’.
  8. Description = “Allow access to 10.0.0.36”

This should restrict VPN access to a specific IP address and even a single port of your choosing.

If you still want internet access through your home internet while only being able to access a single server, instead of disabling the default rule ‘access to any’ and creating the rule denying access to any, you will need to make a rule to block access to any local VLANs you have and put it below the rule that allows specific access to your server. Pfsense always follows rules in order from top to bottom so the order is important.

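As an added illustration (not from the thread and not pfSense's own code), a small Python first-match simulator of the two rule sets described in the answer, showing why the order of the pass and block rules decides what a VPN client can reach. The 10.0.0.0/24 LAN subnet, the 10.0.2.10 client address and the 203.0.113.5 internet address are assumed values; the VPN subnet, server address and port 8000 come from the thread.

```python
# Added example: first-match evaluation of pfSense-style interface rules.
# pfSense walks the rules of an interface tab top to bottom and applies the
# first one that matches; if nothing matches, traffic is blocked.
from ipaddress import ip_address, ip_network

VPN = ip_network("10.0.2.0/24")      # OpenVPN client subnet from the thread
LAN = ip_network("10.0.0.0/24")      # assumed LAN subnet holding the server
SERVER = ip_network("10.0.0.36/32")  # "Single host or alias - 10.0.0.36"
ANY = ip_network("0.0.0.0/0")

def rule(action, src, dst, port=None, desc=""):
    """One rule: action, source net, destination net, destination port (None = any)."""
    return {"action": action, "src": src, "dst": dst, "port": port, "desc": desc}

def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return the action of the first matching rule, or 'block' (implicit default deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r["src"] and d in r["dst"] and r["port"] in (None, dst_port):
            return r["action"]
    return "block"

# Variant 1 from the answer: pass the single server, then block everything else.
SERVER_ONLY = [
    rule("pass", VPN, SERVER, 8000, "Allow access to 10.0.0.36"),
    rule("block", VPN, ANY, None, "Block access from VPNVLAN to any"),
]

# Variant 2: keep internet access by blocking only the local VLANs below the
# server rule and leaving the default allow-any rule at the bottom.
SERVER_PLUS_INTERNET = [
    rule("pass", VPN, SERVER, 8000, "Allow access to 10.0.0.36"),
    rule("block", VPN, LAN, None, "Block access from VPNVLAN to local VLANs"),
    rule("pass", VPN, ANY, None, "Default allow any"),
]

def decisions(rules):
    """Decide the three cases that matter here: the server, another LAN host, the internet."""
    return {
        "server": evaluate(rules, "10.0.2.10", "10.0.0.36", 8000),
        "other_lan": evaluate(rules, "10.0.2.10", "10.0.0.50", 8000),
        "internet": evaluate(rules, "10.0.2.10", "203.0.113.5", 443),
    }

if __name__ == "__main__":
    print("server only:", decisions(SERVER_ONLY))
    print("server + internet:", decisions(SERVER_PLUS_INTERNET))
    # Order matters: with the block-any rule on top, the server becomes unreachable.
    print("wrong order:", decisions(list(reversed(SERVER_ONLY))))
```

Restricting the pass rule to port 8000 means any other port on 10.0.0.36 falls through to the block rule, which is the "single port of your choosing" behaviour the answer describes.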