Limit IPSec or OpenVPN access with GeoIP location issue


OpenVPN & IPSec work for Roadwarrior (RW) access (ipfire v173); however, I want to limit access to only two countries:

I set up two rules to allow OpenVPN & IPSec access via “Location Groups” for my country. To be sure that the rule works, I selected “DROP” in the rule, but it doesn’t block the access…

My rule:

  • Source → Location: “GeoIP IPSec access” (defined in Location Group)
  • No NAT
  • Destination → Standard networks: IPSec RW (
  • Protocol: All (but tried also with “Services”: “IKEv2 ESP IP Protocols”)
  • DROP (for testing)

However, in DROP mode I can log in from my iPhone (in 4G mode) to the IPSec network even when my country is selected in the Location drop-down menu.

Any help is greatly appreciated.

I think you need to invert source and destination.

Hmm no it doesn’t work when inverting source and destination…
Strange, since all the other restrictions for email, ssh (GeoIP location) work…

The source must be the local network. You want to prevent your RW users from connecting TO some geo-localized IP range. The way you did it, you were preventing a connection FROM those geo-localized regions TO the IP addresses of your RW users.

EDIT: keep in mind that if you are using Squid (proxy), blocking at the firewall level will not prevent your users from connecting to anywhere Squid connects. To control Squid access, there are the ACL lists.

If you want to prevent Squid from accessing a specific set of countries, in the source you need to put “firewall”.

Sorry but still doesn’t block…
I tried again to DROP connection with:

  • Source: “GREEN” and Destination: “GeoIP IPSec access” → still access to IPSec VPN
  • Source: “IPSec RW” and Destination: “GeoIP IPSec access” → still access to IPSec VPN

As I wrote in the edit section, proxy?

No proxy at all…

Just to make sure I understand: you want to have a tunnel to your IPFire from your road warrior connections, and you want these tunnels to be unable to connect to any IP not belonging to the two countries you care about, regardless of the protocol (mail, web etc.).

Did I understand correctly your problem?

He would only allow incoming RW connections from countries X and Y.

You can use the global location filter to block all incoming connections.

Yes right, only access from 2 countries.
But when enabling “Global Location Filter” to block all incoming connections, our Web-Server will not be accessible to other countries, right?

Well yes, give only 2 countries login access to the IPSec and OpenVPN tunnels.
The problem is when blocking all other countries in “Location Block” they will never access our Web-Server…
Maybe I’m paranoid, but does it make sense to do a GeoIP-access to IPSec or OpenVPN? Or are there any security risks when it’s open for everyone?


OK, you need a solution via firewall rules. Try a rule like this: source “geo-location x” → destination: red for ports 500 and 4500.

Ah, I misunderstood then. You want to prevent access to your IPFire IPSec server for road warrior connections, FROM any country but those two?

This, I believe, is the correct answer.

Unfortunately, blocking doesn’t work with “DROP” either:

  • Source: “GeoIP” → Destination: Standard Networks: “Red” | Service groups: (port 500 and 4500)
  • Source: “GeoIP” → Destination: Firewall: “Red” | Service groups: (port 500 and 4500)

Do you have a router with NAT in front of it?

No router, direct connection to our ISP (fiber) and RED with static IP-address.

@pmueller @bonnietwin can you help?

There’s a similar post here, but it needs a script…

I am not much of an expert on the firewall rules, but here is my 2 pence worth.

Normally any new traffic coming in without a forward rule will be blocked.
To make the OpenVPN/IPSec setup easier, when these services are enabled an automatic firewall rule allowing entry is set up early in the firewall chain.

Looking at the flow chart at the end of this wiki page,
it seems that the OpenVPN and IPSec rules for forwarding cannot be overridden in the WUI firewall rules table, as they occur earlier, although the GEOIPBLOCK seems to occur before the IPSec rules, so at least for IPSec the GEOIPBLOCK by country should have worked.
This diagram is a complete image and has not been updated so is missing some new additions. It might therefore not be 100% accurate.

Anyway, if my above thoughts are correct (and that is not guaranteed) then the best bet is to create iptables rules in one of the CUSTOM chains and put that into firewall.local which gets implemented very early in the whole chain.
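
One way to implement the firewall.local approach suggested in the last post, as an added example that is not from the thread or the IPFire project. Assumptions: the ipset name `vpn_allowed_v4`, the sub-chain name `VPNGEO`, the RED interface name `red0`, OpenVPN on UDP 1194, and the CIDR ranges, which are constructed placeholders to be replaced with the networks of the two permitted countries.

```shell
#!/bin/sh
# Added example for /etc/sysconfig/firewall.local (not IPFire's own code).
# Only sources in an allow-list ipset may reach the VPN endpoints on RED.
SET=vpn_allowed_v4                      # hypothetical ipset name
ALLOWED="192.0.2.0/24 198.51.100.0/24"  # constructed placeholder ranges
RED_IF="${RED_IF:-red0}"                # assumption: RED interface is red0

# run: execute a command, or only print it when DRY_RUN=1 (for review)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

vpn_geo_start() {
    run ipset create "$SET" hash:net -exist
    for net in $ALLOWED; do
        run ipset add "$SET" "$net" -exist
    done
    run iptables -N VPNGEO
    # Allowed sources return to the normal rule set; everything else is dropped.
    run iptables -A VPNGEO -m set --match-set "$SET" src -j RETURN
    run iptables -A VPNGEO -j DROP
    # Only VPN traffic arriving on RED passes through the filter:
    # IKE (500), NAT-T (4500), OpenVPN (1194, assumed default) and ESP.
    run iptables -A CUSTOMINPUT -i "$RED_IF" -p udp -m multiport \
        --dports 500,4500,1194 -j VPNGEO
    run iptables -A CUSTOMINPUT -i "$RED_IF" -p esp -j VPNGEO
}

vpn_geo_stop() {
    # Remove exactly what start added, leaving other custom rules alone.
    run iptables -D CUSTOMINPUT -i "$RED_IF" -p udp -m multiport \
        --dports 500,4500,1194 -j VPNGEO
    run iptables -D CUSTOMINPUT -i "$RED_IF" -p esp -j VPNGEO
    run iptables -F VPNGEO
    run iptables -X VPNGEO
    run ipset destroy "$SET"
}

case "$1" in
    start)  vpn_geo_start ;;
    stop)   vpn_geo_stop ;;
    reload) vpn_geo_stop; vpn_geo_start ;;
esac
```

Running it with `DRY_RUN=1` prints the commands instead of applying them. Net-to-net IPsec peers outside the allow-list would also be dropped by these rules, so their addresses need to be in the set.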