Split tunneling with OpenVPN
-
Hi,
I'm in a country where certain sites are blocked. To bypass this I use OpenVPN with a VPN service provider, and that works well. However, it's either all traffic or no traffic via the VPN. This is not ideal, as for local sites (and video streaming) I would like to go out directly (via WAN) and not via the VPN (OPT1). I think the problem is that my VPN provider pushes default-gateway def1;
The OpenVPN client is created according to the standard (created interface OPT1->ovpnc1 + outbound policies).
I tried to override this with the following route directives:
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
(source: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway)
For the sites to unblock I created aliases for their networks (based on the IP spaces they published).
Changed the firewall rule for LAN net (default) to gateway WAN and created a rule for the alias with gateway OPT1: no effect. I tried with static routes: no effect. Of course when I look at the routes, I see 0.0.0.0/1 to OPT1.
Tried route-nopull and route-noexec, but it does not seem to matter.
Connection Log:
openvpn[74218]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS IP_DNS,route IP_ROUTE,topology net30,ping 10,ping-restart 60,ifconfig IP_OPT1 IP_VPN_GATEWAY'
Route after connecting to VPN:
IPv4
Destination     Gateway          Flags  Use  Mtu   Netif   Expire
0.0.0.0/1       IP_VPN_GATEWAY   UGS    0    1500  ovpnc1
default         IP_WAN           UGS    483  1492  pppoe0
Another thing I noticed (but maybe it's normal): the VPN gateway status is either pending or disconnected, yet it works.
Ideas and suggestions are welcome!
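The route table quoted in the post and the four "route X 192.0.0.0 net_gateway" lines from the linked wiki page are easiest to reason about with longest-prefix matching in front of you. The following is an added example, not code from the post or from pfSense: it models how the kernel picks a gateway, with 'redirect-gateway def1' installing 0.0.0.0/1 and 128.0.0.0/1 via the VPN (the /0 default stays in place underneath), the four wiki lines adding /2 routes (netmask 192.0.0.0) back to the WAN, and one more specific route for an unblocked prefix pointing at the VPN again. The gateway names are the post's masked placeholders and 203.0.113.0/24 is a constructed stand-in for one of the alias networks.

```python
"""Longest-prefix-match simulation of a pfSense/FreeBSD route table (added example)."""
import ipaddress

WAN = "IP_WAN"                   # placeholder, as masked in the post
VPN = "IP_VPN_GATEWAY"           # placeholder, as masked in the post
UNBLOCK_NET = "203.0.113.0/24"   # constructed stand-in for an "alias" network to unblock


def lookup(table, dst):
    """Return the gateway for dst: the matching route with the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def def1_table():
    """Route table after the provider pushes 'redirect-gateway def1'."""
    return [
        ("0.0.0.0/0", WAN),    # the original default route is left in place
        ("0.0.0.0/1", VPN),    # def1: lower half of the address space
        ("128.0.0.0/1", VPN),  # def1: upper half of the address space
    ]


def override_table():
    """def1 plus the four /2 'net_gateway' overrides plus one unblocked prefix via the VPN."""
    return def1_table() + [
        ("0.0.0.0/2", WAN), ("64.0.0.0/2", WAN),      # netmask 192.0.0.0 is a /2
        ("128.0.0.0/2", WAN), ("192.0.0.0/2", WAN),   # more specific than def1's /1 routes
        (UNBLOCK_NET, VPN),                           # more specific still: only this via VPN
    ]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5", "198.51.100.1"):
        print(dst, "def1 ->", lookup(def1_table(), dst),
              "| with overrides ->", lookup(override_table(), dst))
```

With only the def1 routes every destination resolves to the VPN; with the /2 overrides everything resolves to the WAN except the unblocked prefix. Two things to check against the real box: the routes the client actually installs (the post's table shows only 0.0.0.0/1, while def1 normally installs both /1 halves), and whether the custom "route" directives are applied at all, since a route that never reaches the kernel changes nothing here.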
-
https://www.infotechwerx.com/blog/Policy-Routing-Certain-Traffic-Through-OpenVPN-Client-Connection
-
Not really what I am looking for. This is per source routing, I want per destination.
But regardless, the per-host approach also does not work; somehow that default-gateway def1; seems to override just about anything. As it's the first route, it hits everything and the other routes are no longer processed.
-
So policy route on destination address instead of source address.
If your provider sends you a default route you have to check 'Don't pull routes'.
This stuff works. Really.
-
Yeah, you need to check 'Don't pull routes' in the OpenVPN client config in pfSense - see attached.
You can then set up all kinds of rules to route traffic out that way. You can do it based on source IP so that specific clients go out the VPN for that gateway, or you can create rules so that when going to specific networks you go out the VPN, etc.
Where most guides you see will probably use examples of routing specific clients out of your network, it doesn't have to be done that way. You could even do it based on protocol vs. dest IP/network. Any rule you can think of could be used to send traffic out the VPN gateway.
If you have an example network you want to go out the VPN, or a network you want to go out the normal way vs. using the VPN, post it up and I will post an example of rules on how to do that. I leave a client VPN connection up all the time for testing and playing with. I normally don't route anything through it, but I'd be happy to give you an example that is right in line with what you're wanting to do.
-
I tried with the nopull, but then I manually have to create a route for the VPN. But this IP is not fixed, so on a reconnect I would have to update the route again. Unless there is something else I am missing here... Anyway, all this got me thinking in a different direction which seems to do the trick:
Proto         Source   Port  Destination  Port  Gateway    Queue  Schedule  Description
IPv4 TCP/UDP  Hosts    *     Site1        *     VPNV4      none
IPv4 TCP/UDP  Hosts    *     Site2        *     VPNV4      none
IPv4 TCP/UDP  Hosts    *     Site3        *     VPNV4      none
IPv4 TCP/UDP  Hosts    *     Misc         *     VPNV4      none
IPv4 ICMP     Hosts    *     *            *     WAN_PPPOE  none
IPv4 TCP/UDP  Hosts    *     *            *     WAN_PPPOE  none
IPv4 *        LAN net  *     *            *     *          none             Default allow LAN to any rule
Hosts contains all hosts (except for the gateway IP address itself, basically LAN net without LAN address).
From the initial tests this seems to work.
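The rule set above works because pfSense evaluates an interface's rules top to bottom, the first match decides, and a rule's Gateway field policy-routes that traffic regardless of the route table (the stock "Default allow LAN to any rule", gateway "*", leaves the decision to the route table). The following is an added example, not pfSense code and not part of the post: a first-match simulation of exactly that rule order, which also exposes two edge cases a practitioner would want to check. The LAN prefix, the contents of the Site1/Site2/Site3/Misc aliases and the test addresses are constructed placeholders.

```python
"""First-match policy-routing simulation of the LAN rule set in the post (added example)."""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # constructed LAN prefix
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")    # constructed pfSense LAN address
ALIASES = {                                          # constructed alias contents
    "Site1": [ipaddress.ip_network("203.0.113.0/24")],
    "Site2": [ipaddress.ip_network("198.51.100.0/24")],
    "Site3": [ipaddress.ip_network("192.0.2.0/24")],
    "Misc": [ipaddress.ip_network("198.18.0.0/15")],
}

# (protocols, source alias, destination alias, gateway); None is the '*' gateway.
RULES = [
    ({"tcp", "udp"}, "Hosts", "Site1", "VPNV4"),
    ({"tcp", "udp"}, "Hosts", "Site2", "VPNV4"),
    ({"tcp", "udp"}, "Hosts", "Site3", "VPNV4"),
    ({"tcp", "udp"}, "Hosts", "Misc", "VPNV4"),
    ({"icmp"}, "Hosts", "*", "WAN_PPPOE"),
    ({"tcp", "udp"}, "Hosts", "*", "WAN_PPPOE"),
    ({"*"}, "LAN net", "*", None),                   # Default allow LAN to any rule
]


def src_matches(spec, addr):
    """'Hosts' is LAN net minus the LAN address, as the post defines it."""
    if spec == "Hosts":
        return addr in LAN_NET and addr != LAN_ADDRESS
    if spec == "LAN net":
        return addr in LAN_NET
    return True


def dst_matches(spec, addr):
    return spec == "*" or any(addr in net for net in ALIASES[spec])


def egress(proto, src, dst, rules=RULES):
    """Gateway assigned by the first matching rule, 'route table' for the stock
    default rule, or 'blocked' when nothing matches (pfSense's implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for protos, src_spec, dst_spec, gw in rules:
        if ("*" in protos or proto in protos) and src_matches(src_spec, s) and dst_matches(dst_spec, d):
            return gw if gw is not None else "route table"
    return "blocked"


def catch_all_first():
    """The same rules with the TCP/UDP catch-all moved to the top: the site rules never match."""
    return [RULES[5]] + RULES[:5] + RULES[6:]


if __name__ == "__main__":
    for proto, src, dst in (("tcp", "192.168.1.50", "203.0.113.7"),
                            ("tcp", "192.168.1.50", "8.8.8.8"),
                            ("icmp", "192.168.1.50", "203.0.113.7"),
                            ("tcp", "192.168.1.1", "203.0.113.7")):
        print(proto, src, "->", dst, ":", egress(proto, src, dst))
```

Running it shows the rule order doing the work: TCP/UDP to an alias network goes out VPNV4, everything else from Hosts goes out WAN_PPPOE, and moving the TCP/UDP catch-all above the site rules sends the alias traffic out the WAN too. The two edge cases worth knowing about in the posted set are that ICMP to an unblocked site still goes out WAN_PPPOE (only TCP/UDP is policy-routed to the VPN), and that traffic sourced from the LAN address itself is not in Hosts, so it falls through to the default rule and the route table.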