Netgate Discussion Forum
    OpenVPN default gateway only for certain destination IP's

    Snailkhan

      Hi
      I have deployed OpenVPN so all users connect to our OpenVPN server to have access to some resources that are available online, like AWS. In the VPN server settings I have enabled the pfSense VPN as the default gateway (i.e. no split tunneling), so all traffic is routed via our pfSense. Now I want only the clients' traffic to some destinations, live IPs, say of AWS, to be routed by the client to the VPN server gateway and the remaining traffic via their local IP.

      Please can someone guide me on the two use cases below.

      1: only route traffic from VPN clients to a handful of known public IPs via the pfSense WAN.
      2: allow all VPN clients to route all traffic to AWS/Azure via our pfSense and all remaining traffic via the local ISP-assigned gateway.

      Regards.

      eXo

        @Snailkhan said in OpenVPN default gateway only for certain destination IP's:

        To achieve your goal, you need to configure policy-based routing and split tunneling in OpenVPN and pfSense. Here's how you can handle both use cases.

        1. Route Only Specific Traffic to VPN (pfSense WAN)

        You need to implement policy-based routing on the OpenVPN server side (pfSense) and configure the OpenVPN client settings to only route traffic to specific AWS public IPs via the VPN tunnel, while other traffic goes directly to the client’s local ISP.

        Steps:

        1. On pfSense (VPN Server)

          • Go to Firewall > Rules > OpenVPN.
          • Add a new rule to allow traffic from the VPN clients to specific AWS IPs.
          • In the Destination field, specify the public IP addresses of your AWS resources.
          • Under Gateway, select the VPN Gateway (pfSense WAN).
          • Save and apply the rules.
        2. On OpenVPN Client Configuration

          • Edit the client configuration .ovpn file or server-side configuration push:

            Add a route for each specific AWS IP you want to go through the VPN:

            route <AWS-IP-1> 255.255.255.255
            route <AWS-IP-2> 255.255.255.255
            
          • This ensures that only traffic destined for those IPs goes through the VPN tunnel, while all other traffic will use the client’s local ISP gateway.

        2. Route All AWS/Azure Traffic via VPN and Rest via Local ISP

        For this, you want to route all AWS or Azure traffic through the VPN and let the rest of the traffic use the client’s local ISP. This is a form of selective split tunneling.

        Steps:

        1. On pfSense (VPN Server)

          • As with the first use case, go to Firewall > Rules > OpenVPN.
          • Create firewall rules to route all AWS/Azure traffic through the VPN Gateway (pfSense WAN).
          • Use the Destination field to match traffic by AWS or Azure subnets.
          • Under Gateway, select VPN Gateway (pfSense WAN).
          • Save and apply the changes.
        2. On OpenVPN Client Configuration

          • Push the appropriate routes for AWS or Azure in the client’s OpenVPN configuration:

            For AWS:

            route 13.0.0.0 255.0.0.0  # Adjust to the correct AWS IP ranges
            route 52.0.0.0 255.0.0.0
            

            For Azure:

            route 20.0.0.0 255.0.0.0  # Adjust to the correct Azure IP ranges
            
          • This will route all traffic destined for AWS/Azure through the VPN, while other traffic will continue via the local gateway.

        Optional - Use client-config-dir in OpenVPN Server

        You can also create per-client specific routes using OpenVPN’s client-config-dir to control routing at the user level.

        • In the OpenVPN server configuration, specify:
          client-config-dir /etc/openvpn/ccd
          
        • In the /etc/openvpn/ccd/<client-name> file, define the routes for AWS/Azure.
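An added example (not from eXo's reply or from Netgate) for the route-pushing part of the answer: both cloud providers publish their address ranges as JSON (AWS as ip-ranges.json), and the script below takes a document in that shape, picks the services and regions you care about, merges adjacent prefixes and emits the exact `push "route ..."` lines for the OpenVPN server config or a client-config-dir file, so the tunnel covers the published prefixes rather than a whole /8. The embedded sample data is constructed from RFC 5737 documentation ranges, not real AWS prefixes.

```python
import ipaddress
import json

# Constructed sample shaped like AWS's published ip-ranges.json; the prefixes
# are RFC 5737 documentation ranges, not real AWS addresses.
SAMPLE_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2025-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def select_prefixes(ranges_json, services, regions=None):
    """Return the IPv4 networks for the chosen services (and optionally regions),
    merged into the smallest equivalent set so the client receives fewer routes."""
    doc = json.loads(ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["service"] in services and (regions is None or p["region"] in regions)
    ]
    return list(ipaddress.collapse_addresses(nets))


def push_route_lines(nets):
    """Server-side 'push route' directives in the dotted-netmask form OpenVPN
    expects; drop them into the server config or a ccd/<client-name> file."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in nets]


def goes_through_tunnel(dst_ip, nets):
    """True if a destination is covered by a pushed route, i.e. the client will
    send it through the VPN instead of its local ISP gateway."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in n for n in nets)


if __name__ == "__main__":
    chosen = select_prefixes(SAMPLE_RANGES_JSON, {"AMAZON", "EC2"}, {"us-east-1"})
    print("\n".join(push_route_lines(chosen)))
```

Everything not matched by a pushed route keeps using the client's own default gateway, which is the split-tunnel behaviour the thread asks for.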
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.