@sullrich:
@Helix26404:
There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.
Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.
Most likely because that only handles one side of the conversation. We do not talk about it because it's not a real fix.
Unless you control both ends of the tunnel you will feel secure but the opposite is true. Therefore we simply say there are no firewall rules possible on 1.0 across OpenVPN and IPsec tunnels, but, we are working on this.
Gotcha. So this is why anyone in the remote network can access anything in the local network (pfSense-side if we're assuming it's the server) provided the routes are set up correctly on the client-side.
I was racking my brain trying to figure out why I could get traffic IN through the tun0 interface, but I couldn't get OUT unless I was using the pfSense box itself. At first I thought it was a route issue, but then realized that the firewall was locking it down. Setting up explicit rules permitting traffic from any source to destination OPVN interface and destination OPVN remote network did the trick.
Thanks for the elaboration from the "inside". :)
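Illustration of the "one side of the conversation" point above, written as a plain pf ruleset (added here; not pfSense's generated rules and not from any poster). Interface names, networks and the blanket pass on the tunnel interface are assumptions chosen to mirror the behaviour the thread describes.

```pf
# Assumed interface and network names (illustrative, not from the thread)
lan_if  = "em0"
vpn_if  = "tun0"
lan_net = "192.168.1.0/24"
vpn_remote_net = "10.8.0.0/24"

block all

# LAN-tab workaround from the thread: allows sessions that LAN hosts
# start toward the remote network. pf is stateful, so replies arriving
# on tun0 match the state entry and need no rule of their own.
pass in quick on $lan_if inet from $lan_net to $vpn_remote_net keep state

# What the LAN rule does not govern: sessions the remote side starts.
# If the tunnel interface carries a blanket pass (assumed here to model
# the 1.0 behaviour described above), every remote host can reach any
# LAN host regardless of what the LAN rules say.
pass in quick on $vpn_if all keep state

# Restricting the remote side means filtering on the tunnel interface
# itself, e.g. only letting the remote network reach one LAN service:
# pass in quick on $vpn_if inet proto tcp from $vpn_remote_net \
#     to 192.168.1.10 port 443 keep state
```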