Netgate Discussion Forum
    How to route a local subnet (VLAN) through a OpenVPN client on pfsense?

    OpenVPN
    • eddiex

      Hi!

      First off I must thank the people behind this project and its community. It really rocks and everything except this topic has been set up within only a couple of minutes - awesome!! :)

      At home I've got a couple of VLANs that each have their own purpose, and to make it easy each VLAN has its own subnet (see attached image). Everything is working just fine with a TRUNK port connected to one of the NICs in my pfSense box (DHCP servers on each VLAN interface etc.).

      I recently bought a VPN subscription (Anonine) and by following the guides available on the forum on how to set up an OpenVPN client I've successfully created an OpenVPN client, and by looking at the logs it is also established.

      Now to my question:
      What is the proper way of routing a subnet (VLAN2 in the attached image) to have all its traffic going through the OpenVPN client? In short: I want Internet access from VLAN2 to be anonymous, and preferably transparent to the clients in that subnet.

      Thanks in advance and I wish you all a Merry Christmas!

      pfsense-openvpn.png

      • heper

        I figure the easiest way would be to assign an interface to the OpenVPN connection, then create a gateway for it (if it isn't automagically created).
        Then you can use policy routing to send your traffic through that gateway. You could even create a failover group in case the VPN link is offline.

        To use policy routing, edit the default any-to-any firewall rule and pick a gateway in the advanced section.

        • dhatz

          Interesting concept. Can you think of any corner cases that might lead to information disclosure with such a setup? (e.g. DNS traffic going to the system's DNS servers, instead of going via the VPN tunnel)

          • heper

            I don't know, I'm not a guru like some others here.
            I figured that to be the most practical + easiest solution.
            There might be other methods to accomplish the same, with some advanced settings in the OpenVPN tab (but that would require reading manpages in my case).

            • eddiex

              @heper:

              i figure the easiest way would be to assign an interface to the openvpn connection, then create a gateway for it (if it isn't automagically created).
              then you can use policy routing to send your traffic through that gateway. You could even create a failover group in case the vpn link is offline.

              to use policy routing edit the default any-to-any firewall rule and pick a gateway in the advanced section.

              Great input! I'll try this during my vacation and I'll report back on the possible success story. :-)

              • jimp Rebel Alliance Developer Netgate

                That works fine, but you'll want to note a couple of things:

                • Assign interface - but make sure the IP type is 'none'
                • Gateway should automatically be created for you, don't add one manually
                • You will probably need to switch to manual outbound NAT, and then add a NAT rule on the OpenVPN interface to translate the traffic from the source VLAN to the interface address.
                • As dhatz mentioned, if you want to really ensure anonymity make sure that clients in that VLAN get DNS servers assigned such that their DNS traffic also goes over the VPN.

                I'm not familiar with your VPN provider, but you might look this article over and see if you can get definitive responses from them on the specific questions they asked:
                http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

                The web site claims they don't log web activity, but if they do log your VPN connection sessions then that claim isn't really helpful.

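                The four steps in jimp's post, and the DNS point dhatz and CNLiberal raise, written out as a hand-written pf.conf fragment. This is an added example for this thread, not configuration generated by pfSense or posted by anyone here; the interface names, subnet, tunnel gateway and resolver address are assumed placeholders.

```pf
# Constructed pf.conf fragment (added example; not pfSense-generated output).
# Assumed placeholder names and values:
#   vlan2      the VLAN2 interface, subnet 192.168.2.0/24
#   ovpnc1     the OpenVPN client assigned as an interface with IP type "none"
#   10.8.0.1   the tunnel gateway pfSense creates for ovpnc1 automatically
#   10.8.0.1   the provider's resolver, reachable only inside the tunnel
#   em0        the WAN interface
vlan2_net = "192.168.2.0/24"
vpn_if    = "ovpnc1"
vpn_gw    = "10.8.0.1"
vpn_dns   = "10.8.0.1"
wan_if    = "em0"

# Step 3: manual outbound NAT on the OpenVPN interface only. VLAN2's private
# source addresses are rewritten to the tunnel address. Deliberately no NAT
# rule for vlan2_net on $wan_if, so VLAN2 is never masqueraded out the WAN.
nat on $vpn_if inet from $vlan2_net to any -> ($vpn_if:0) port 1024:65535

# Step 4 / dhatz's corner case: the DHCP server on vlan2 hands out $vpn_dns.
# A client that still queries pfSense's own resolver (which forwards via the
# WAN) is refused, so a stray lookup fails instead of bypassing the tunnel.
block return in quick on vlan2 inet proto { tcp udp } \
    from $vlan2_net to (vlan2) port 53

# Policy routing (the "pick a gateway in the advanced section" step): every
# connection from VLAN2 is handed to the tunnel gateway instead of the default
# route. The tag marks these states for the WAN check below.
pass in quick on vlan2 route-to ($vpn_if $vpn_gw) inet \
    from $vlan2_net to any flags S/SA keep state tag VLAN2

# heper's "VPN link is offline" case: if the tunnel is down and the route-to
# is skipped, tagged traffic would fall through to the default route. Drop it
# on the WAN rather than let it leave outside the tunnel.
block out quick on $wan_if tagged VLAN2
```

                On pfSense these rules are entered through the GUI (Firewall > NAT > Outbound in manual mode, and the VLAN2 interface rule with its gateway set), and the DHCP server for VLAN2 must hand out the in-tunnel resolver for the DNS rule to make sense.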
                • CNLiberal

                  I'm looking to do this same thing. I want all traffic in the new VLAN to go over the OpenVPN connection. Jimp: You mentioned setting DNS servers so they go over the VPN. How would you do that? Set up a rule that any connection to a certain DNS IP address uses the OpenVPN gateway?

                  What if I also wanted any queries to certain websites to go over the OpenVPN connection, regardless of VLAN membership?  Thanks!

                  EDIT: What if I also wanted to set pfSense as an OpenVPN server for a separate connection? Would this pose serious issues?

                  pfSense 2.7.2-RELEASE

                  Dell R210 II
                  Intel E3-1340 v2
                  8GB RAM
                  SSD ZFS Mirror
                  Intel X520-DA2, RJ45 SFP+ (WAN) and 10Gb SFP+ DAC (LAN)
                  1 x Cisco 3850 12XS-S (Core Switch)
                  2 x Cisco 3750X PoE Gig Switch (Access Stack)
                  3 x Cisco 2802i APs (Mobility Express)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.