OpenVPN client for only one physical pfSense port
-
Hello,
on current versions of pfSense (I have both CE and supported builds), I've previously set up VPN clients, to tunnel all traffic from LAN/OPT ports to WAN. That works fine.
However, I'm now looking for a way to only tunnel traffic from one physical port, rather than all. In other words, have traffic from OPT1 tunneled to a defined VPN client (on the WAN), but have traffic from OPT2 traverse to the WAN port in the clear, as usual. I see I can specify which port initiates the connection, but that would always need to be "WAN," since the VPN endpoint is on the WAN side. Is there another way? Can I perhaps create a virtual interface for the VPN, and then route all traffic from OPT1 to the interface, rather than WAN? Or is there another method?
Thank you!
-
I tend to say Policy Routing Configuration, but this part:
@CyberMinion said in OpenVPN client for only one physical pfSense port:
but have traffic from OPT2 traverse to the WAN port in the clear, as usual. I see I can specify which port initiates the connection ....
makes me wonder.
You want to make a tunnel from (example) a OPT2 NIC to the WAN NIC ?
That's new to me. I never saw a tunnel 'in' a device.
A VPN client will listen on its own interface.
Traffic from OPT2 is routed to this interface.
From there on, it's encrypted, routed out of the real WAN, to the VPN server.
-
I tend to says Policy Routing Configuration
Could a policy bypass be used for OPT2 (in this scenario), causing its traffic to skip going through the VPN client?
You want to make a tunnel from (example) a OPT2 NIC to the WAN NIC
Essentially, yes. I want traffic from OPT1 to be tunneled out to the VPN endpoint (OPT1>WAN (tunneled)>VPN endpoint>public). But I want traffic from OPT2 to be sent out over the default route. (OPT2>WAN>public)
-
@CyberMinion said in OpenVPN client for only one physical pfSense port:
Essentially, yes.
So no.
The WAN is the NIC on which traffic leaves your pfSense system. The same traffic will pass through many other interfaces (ISP device and above) before it arrives at the IP (or host name) you've set up: the VPN endpoint.
@CyberMinion said in OpenVPN client for only one physical pfSense port:
I want traffic from OPT1 to be tunneled out to the VPN endpoint (OPT1>WAN (tunneled)>VPN endpoint>public)
See here for an example. Go to step 3: 3. Route WAN through the VPN tunnel
That's what you want, right ?
-
@Gertjan said in OpenVPN client for only one physical pfSense port:
@CyberMinion said in OpenVPN client for only one physical pfSense port:
I want traffic from OPT1 to be tunneled out to the VPN endpoint (OPT1>WAN (tunneled)>VPN endpoint>public)
See here for an example. Go to step 3: 3. Route WAN through the VPN tunnel
That's what you want, right ?
Very slow reply... my apologies. So I tried doing it that way, mapping only some physical interfaces to the VPN. However, all other interfaces lose outbound connectivity if I just leave them alone. Only the interfaces I set to forward to the VPN have connectivity. Is there some way to get the others, which I did not change to the OpenVPN link, to still work for direct outbound connections?
Thank you!
-
For any future readers, I think I found the problem. In NAT configuration, clone every relevant rule and set the selected interface for each to the VPN interface. Then create a firewall alias for the internal subnet you are trying to redirect. Next, create an "Allow" firewall rule to push all traffic through that VPN gateway (or edit an existing one).
If you have a local DNS server, remember to create the necessary rules to maintain access to it. Note that this would cause a DNS leak if you don't redirect your DNS server's lookups through the same VPN. Alternatively, set a DNS server on the other end of the VPN tunnel for these clients.
-
Thanks to your post I figured out how to get VPN working for specific IPs in PF.
Question about the behavior of your setup... If your VPN client disconnects / goes down, do the subnets redirected to VPN fail over to the WAN? Mine do, and I'd like to have the connection break when VPN is down instead.
-
There's an annoying gateway failover built in. You'll need to disable it: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use
Then make sure to have an allow rule to the gateway you want, followed by a block rule for the "default" gateway. That way, when the selected (VPN) gateway goes down, the traffic will be blocked.
-
@CyberMinion
Worked like a charm. I had tried creating the deny rule but didn't know about the 'Do not create rules when gateway is down' setting. Thank you!
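The "allow rule to the VPN gateway, then block rule" ordering discussed above only acts as a kill switch once the gateway-down fallback is disabled. The following is an added example (not from this thread or from pfSense itself) that models first-match rule evaluation for the two gateway-down behaviours: the default, where pfSense loads the rule without its gateway so traffic follows the default route, and the 'Do not create rules when gateway is down' setting, where the rule is omitted and evaluation falls through to the block rule. The interface names, subnets and gateway names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed names; in pfSense these are whatever the admin called them.
DEFAULT_GW = "WAN_GW"   # default route, out the physical WAN in the clear
VPN_GW = "OVPN_GW"      # gateway on the OpenVPN client's virtual interface


@dataclass
class Rule:
    interface: str                 # interface the traffic enters on (rule tab)
    source: str                    # source network the rule matches
    action: str                    # "pass" or "block"
    gateway: Optional[str] = None  # None = use the default route


# Rule order matters: pfSense rules are first-match per interface tab.
# OPT1 gets an allow rule pinned to the VPN gateway followed by a block rule;
# OPT2 gets a plain allow rule that follows the default route.
RULES: List[Rule] = [
    Rule("OPT1", "192.168.10.0/24", "pass", VPN_GW),  # OPT1 -> tunnel
    Rule("OPT1", "192.168.10.0/24", "block"),          # kill switch
    Rule("OPT2", "192.168.20.0/24", "pass"),           # OPT2 -> WAN
]


def route_packet(src_ip: str, ingress_if: str, rules: List[Rule],
                 gateway_up: Dict[str, bool],
                 skip_rules_when_gw_down: bool) -> Tuple[str, Optional[str]]:
    """Return (action, gateway) for the first rule that matches the packet.

    skip_rules_when_gw_down=False models the pfSense default: a rule whose
    gateway is down is still loaded, but without the gateway, so matching
    traffic passes via the default route (the leak the thread asks about).
    skip_rules_when_gw_down=True models 'Do not create rules when gateway
    is down': the rule is not loaded at all, so the next rule is consulted.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface != ingress_if:
            continue
        if src not in ipaddress.ip_network(rule.source):
            continue
        if rule.action == "block":
            return ("block", None)
        if rule.gateway is not None and not gateway_up.get(rule.gateway, False):
            if skip_rules_when_gw_down:
                continue                    # rule omitted, fall through
            return ("pass", DEFAULT_GW)     # gateway stripped, default route
        return ("pass", rule.gateway or DEFAULT_GW)
    return ("block", None)  # implicit default deny when nothing matches


def kill_switch_holds(rules: List[Rule], src_ip: str, ingress_if: str) -> bool:
    """True when a VPN outage blocks the subnet instead of leaking it to WAN."""
    action, _ = route_packet(src_ip, ingress_if, rules, {VPN_GW: False}, True)
    return action == "block"


if __name__ == "__main__":
    for vpn_state in (True, False):
        for skip in (False, True):
            print(f"VPN up={vpn_state} skip_when_down={skip}:",
                  "OPT1 ->", route_packet("192.168.10.5", "OPT1", RULES,
                                          {VPN_GW: vpn_state}, skip),
                  "OPT2 ->", route_packet("192.168.20.5", "OPT2", RULES,
                                          {VPN_GW: vpn_state}, skip))
```

Run it to see that with the default setting the OPT1 host silently leaves via WAN_GW when the tunnel is down, while with the rule-skipping setting the same packet hits the block rule; OPT2 is unaffected in every case because its rule never referenced the VPN gateway.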