@Snailkhan said in OpenVPN default gateway only for certain destination IP's:
Snailkhan
about 23 hours ago
Hi
I have deployed OpenVPN so all users connect to our OpenVPN server to have access to some resources that are available online, like AWS. In the VPN server settings I have enabled the pfSense VPN as default gateway (i.e. no split tunneling), so all traffic is routed via our pfSense. Now I want only the clients' traffic to some destinations (live IPs, say of AWS) to be routed by the client to the VPN server gateway, and the remaining traffic via their local IP.
Please can someone guide me for below two use cases.
1: only route traffic from VPN clients to a handful of known public IPs via pfSense WAN.
2: allow all VPN clients to route all traffic to AWS/Azure via our pfSense and all remaining traffic via the local ISP-assigned gateway.
Regards.
To achieve your goal, you need to configure policy-based routing and split tunneling in OpenVPN and pfSense. Here's how you can handle both use cases.
1. Route Only Specific Traffic to VPN (pfSense WAN)
You need to implement policy-based routing on the OpenVPN server side (pfSense) and configure the OpenVPN client settings to only route traffic to specific AWS public IPs via the VPN tunnel, while other traffic goes directly to the client's local ISP.
Steps:
On pfSense (VPN Server)
Go to Firewall > Rules > OpenVPN.
Add a new rule to allow traffic from the VPN clients to specific AWS IPs.
In the Destination field, specify the public IP addresses of your AWS resources.
Under Gateway, select the VPN Gateway (pfSense WAN).
Save and apply the rules.
On OpenVPN Client Configuration
Edit the client configuration .ovpn file or server-side configuration push:
Add a route for each specific AWS IP you want to go through the VPN:
route <AWS-IP-1> 255.255.255.255
route <AWS-IP-2> 255.255.255.255
This ensures that only traffic destined for those IPs goes through the VPN tunnel, while all other traffic will use the client’s local ISP gateway.
2. Route All AWS/Azure Traffic via VPN and Rest via Local ISP
For this, you want to route all AWS or Azure traffic through the VPN and let the rest of the traffic use the client’s local ISP. This is a form of selective split tunneling.
Steps:
On pfSense (VPN Server)
As with the first use case, go to Firewall > Rules > OpenVPN.
Create firewall rules to route all AWS/Azure traffic through the VPN Gateway (pfSense WAN).
Use the Destination field to match traffic by AWS or Azure subnets.
Under Gateway, select VPN Gateway (pfSense WAN).
Save and apply the changes.
On OpenVPN Client Configuration
Push the appropriate routes for AWS or Azure in the client’s OpenVPN configuration:
For AWS:
# Adjust to the correct AWS IP ranges
route 13.0.0.0 255.0.0.0
route 52.0.0.0 255.0.0.0
For Azure:
# Adjust to the correct Azure IP ranges
route 20.0.0.0 255.0.0.0
This will route all traffic destined for AWS/Azure through the VPN, while other traffic will continue via the local gateway.
Optional - Use client-config-dir in OpenVPN Server
You can also create per-client specific routes using OpenVPN’s client-config-dir to control routing at the user level.
In the OpenVPN server configuration, specify:
client-config-dir /etc/openvpn/ccd
In the /etc/openvpn/ccd/<client-name> file, define the routes for AWS/Azure.
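The route lists above are written by hand with coarse /8 masks. The following is an added example, not code from either post: it builds the `push "route ..."` lines for a client-config-dir file from a provider's published prefix list, so only the exact advertised prefixes (optionally filtered by service and region) cross the tunnel and everything else stays on the client's local gateway. It assumes the layout of AWS's ip-ranges.json (a `prefixes` list whose entries carry `ip_prefix`, `region` and `service`); the embedded sample data is constructed for the demo and is not a real allocation list, and the client name `laptop01` is a placeholder.

```python
"""Generate OpenVPN split-tunnel routes from a provider's published prefix list.

Added example (not from the forum post). Assumes the AWS ip-ranges.json layout;
SAMPLE_IP_RANGES below is constructed for the demo, not real allocation data.
"""
import ipaddress
import json
import re

# Constructed sample in the shape of ip-ranges.json; the prefixes are illustrative only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2",
         "service": "AMAZON", "network_border_group": "ap-northeast-2"},
        {"ip_prefix": "52.94.72.0/22", "region": "us-west-2",
         "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2",
         "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
})


def select_prefixes(ip_ranges_json, services=("AMAZON",), regions=None):
    """Return the IPv4 networks for the chosen services/regions, merging adjacent
    and overlapping prefixes so the client receives the fewest routes."""
    data = json.loads(ip_ranges_json)
    nets = []
    for entry in data["prefixes"]:
        if entry["service"] not in services:
            continue
        if regions is not None and entry["region"] not in regions:
            continue
        nets.append(ipaddress.ip_network(entry["ip_prefix"], strict=True))
    return list(ipaddress.collapse_addresses(nets))


def route_directive(net, push=False):
    """OpenVPN wants 'route <network> <dotted netmask>', not CIDR notation."""
    line = f"route {net.network_address} {net.netmask}"
    return f'push "{line}"' if push else line


# The ccd file name is the client's certificate CN; keep it a plain file name.
_SAFE_CLIENT_NAME = re.compile(r"^[A-Za-z0-9_.@-]+$")


def render_ccd(client_name, nets):
    """Render the body of /etc/openvpn/ccd/<client_name> for a split-tunnel client."""
    if not _SAFE_CLIENT_NAME.match(client_name):
        raise ValueError(f"unsafe client name for ccd file: {client_name!r}")
    lines = [
        f"# ccd entry for {client_name}: split tunnel, provider prefixes only",
        "# do not push redirect-gateway to this client, or all traffic is tunnelled",
    ]
    lines += [route_directive(n, push=True) for n in nets]
    return "\n".join(lines) + "\n"


def is_tunneled(address, nets):
    """Check whether a destination address would match one of the pushed routes."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    routes = select_prefixes(SAMPLE_IP_RANGES, services=("AMAZON",))
    print(render_ccd("laptop01", routes), end="")
    for dst in ("52.94.75.10", "8.8.8.8"):
        print(f"{dst}: {'tunnel' if is_tunneled(dst, routes) else 'local gateway'}")
```

Writing the rendered text to `/etc/openvpn/ccd/<client-name>` gives that one client the provider routes without touching the other clients' configuration; `is_tunneled` is the check to run before deploying, so you can confirm a given destination will leave via the tunnel and an unrelated one will not.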