Routing traffic through OpenVPN Client for Specific IPs
-
I have the following Gateway configuration:
The EXPRESSVPN_VPNV4 gateway is an OpenVPN Client established connection.
My LAN is assigned 192.168.0.0/24.
I handle DHCP for the LAN outside of pfSense.
I created the following Outbound NAT Rule
And an associated LAN firewall rule which routes traffic for the ROUTE_VIA_EXPRESSVPN interface via the ExpressVPN gateway.
It appears that when the OpenVPN client is connected, I am routing traffic via the interface for IPs in the ROUTE_VIA_EXPRESSVPN alias; those clients are reporting a public IP other than the one assigned via my Internet Gateway.
Does this setup look correct?
I feel I am missing a rule; if I take the ExpressVPN client down, traffic for the ROUTE_VIA_EXPRESSVPN alias is sent via the Internet Gateway. I want to prevent this from happening and just drop the traffic. How do I do this?
I appreciate any/all feedback on this config. I pieced this config together reading posts in here that were very helpful. Perhaps my question can help someone else in the future.
-
@codechurn said in Routing traffic through OpenVPN Client for Specific IPs:
It appears that when the OpenVPN client is connected, I am routing traffic via the interface for IPs in the ROUTE_VIA_EXPRESSVPN alias; those clients are reporting a public IP other than the one assigned via my Internet Gateway.
Does this setup look correct?
This depends on if the devices in the alias also need to access other devices within your network.
Your recent rule set forces any traffic from these, which is hitting the LAN interface, to the VPN gateway. Hence they cannot access pfSense itself and other local networks.
E.g. they would not be able to access the DNS Resolver on pfSense. But this will be no problem if they use a public DNS.
I feel I am missing a rule; if I take the ExpressVPN client down, traffic for the ROUTE_VIA_EXPRESSVPN alias is sent via the Internet Gateway. I want to prevent this from happening and just drop the traffic. How do I do this?
Policy routing rules are omitted if the respective gateway is down by default.
To change this behavior you can check System > Advanced > Miscellaneous > Skip rules when gateway is down (Do not create rules when gateway is down).
-
Here are some additional details I should have included in my original post:
- DNS is handled by servers on my LAN which forward requests to LAN IP of pfSense. My LAN DNS servers would NEVER be included in the ROUTE_VIA_EXPRESSVPN alias.
- pfSense uses public DNS servers.
I do need servers in the ROUTE_VIA_EXPRESSVPN alias to still have access to the LAN when the EXPRESSVPN_VPNV4 is down.
-
@codechurn
Traffic between ROUTE_VIA_EXPRESSVPN and other LAN devices does not have to pass through pfSense. So this should flow independently of your LAN rule set.
-
@viragomann said in Routing traffic through OpenVPN Client for Specific IPs:
@codechurn said in Routing traffic through OpenVPN Client for Specific IPs:
I feel I am missing a rule; if I take the ExpressVPN client down, traffic for the ROUTE_VIA_EXPRESSVPN alias is sent via the Internet Gateway. I want to prevent this from happening and just drop the traffic. How do I do this?
Policy routing rules are omitted if the respective gateway is down by default.
To change this behavior you can check System > Advanced > Miscellaneous > Skip rules when gateway is down (Do not create rules when gateway is down).
If I am reading this correctly, checking this option will not create the rule instead of just ignoring the gateway specified.
What I want to happen is that members of the ROUTE_VIA_EXPRESSVPN alias have no Internet access when the EXPRESSVPN_VPNV4 gateway is down. Right now, it seems like that traffic is somehow making it over to the other (default) gateway and out to the internet. I want to prevent that from happening for members of the ROUTE_VIA_EXPRESSVPN alias.
-
@codechurn
Yes, that's correct. You have to add a reject or block rule for the respective alias underneath the policy routing rule to achieve what you want.
-
@viragomann said in Routing traffic through OpenVPN Client for Specific IPs:
@codechurn
Yes, that's correct. You have to add a reject or block rule for the respective alias underneath the policy routing rule to achieve what you want.
Thank you for your help. I have added the following block rule and things seem to be working as expected. I hope that this post helps someone else looking to accomplish this.
-
I have the same, but I use "any" in destination on the block rule.
-
@MoonKnight
Thanks for the feedback. I have since gotten rid of the destination rule inversion on the IPGROUP_ROUTE_VIA_EXPRESSVPN and set it to Any. This gives me better protection to make sure absolutely nothing goes out that is in that group if it does not go out the ExpressVPN gateway.
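The rule set the thread converges on (policy-route rule for the alias, a reject/block rule for the same alias directly beneath it with destination "any", and the matching outbound NAT) is easier to reason about in the pf syntax pfSense generates behind the GUI. The fragment below is an added illustration, not a rule set taken from any post in this thread or from pfSense itself: the interface names em1 (LAN) and ovpnc1 (OpenVPN client), the tunnel peer address 10.8.0.1, the table contents and the table name are assumptions for the example.

```pf
# Added illustration, not the rule set posted above. Interface names
# (em1 = LAN, ovpnc1 = OpenVPN client), the peer 10.8.0.1 and the table
# members are assumptions for this example.

# Equivalent of the ROUTE_VIA_EXPRESSVPN alias.
table <route_via_expressvpn> { 192.168.0.50 192.168.0.51 }

# Outbound NAT on the VPN interface: policy-routed hosts leave with the
# tunnel address, so they report the VPN's public IP instead of the WAN's.
nat on ovpnc1 inet from <route_via_expressvpn> to any -> (ovpnc1)

# 1) Policy routing rule. pf evaluates "quick" rules first-match, so this
#    sends alias members out the VPN gateway instead of the default route.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet \
    from <route_via_expressvpn> to any keep state

# 2) Safety net directly underneath. When rule 1 is not present (the VPN
#    gateway is down) this is the first rule that matches the alias, so the
#    traffic is rejected instead of falling through to the generic LAN
#    allow rule and leaving via the default WAN gateway. Destination "any"
#    rather than "not LAN net" leaves no destination that can slip past it;
#    LAN-to-LAN traffic on the same subnet is switched and never hits pfSense.
block return in quick on em1 inet from <route_via_expressvpn> to any

# 3) Generic LAN allow rule for every other host (default gateway).
pass in quick on em1 inet from 192.168.0.0/24 to any keep state
```

One caveat when reproducing this in the GUI: pfSense's default handling of a rule whose gateway is down is to generate that rule without the gateway option, i.e. rule 1 becomes a plain pass via the default route and still matches before rule 2. The block rule only does its job if System > Advanced > Miscellaneous > Skip rules when gateway is down is checked, so that rule 1 is left out entirely while EXPRESSVPN_VPNV4 is down. After a gateway state change, Diagnostics > Command Prompt with `pfctl -sr` shows which of the two rules is actually loaded.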