Netgate Discussion Forum

    Using Virtual IPs with OpenVPN as WAN?

    16 Posts 3 Posters 2.6k Views
    • awair

      Multiple clients connect via WiFi to either of the two WAPs. IP & gateway are assigned by pfSense (via static DHCP reservations).

      Some clients are assigned the VPN gw, the default is no VPN.

      This configuration is 100% working, and meets my needs (but is overcomplicated).

      ![Screenshot - MBA11 2017-03-31 at 01.43.02.jpg](/public/imported_attachments/1/Screenshot - MBA11 2017-03-31 at 01.43.02.jpg)

      2.4.3 (amd64)
      and given up on the SG-1000

      • awair

        Thanks Hugovsky,

        That's what I'm trying to achieve, but it's not a static case.

        Most of the clients (Amazon Echo, AppleTV etc) are fine with a fixed gateway.

        The two laptops I use, I need to be able to switch between VPN 1, VPN 2 & none.

        So on top of transferring the VPN/routing to the pfSense device (which is complete & tested), I need an option that recognises that IP 192.168.31.100 doesn't automatically get assigned the OpenVPN gateway, but specifies whether to use WAN, OpenVPN client 1 or 2.

        I think this may be possible by using Virtual IPs & Aliases, e.g.:

        The client requests gateway 192.168.31.2 - which is an alias for OpenVPN client 1

        • Derelict LAYER 8 Netgate

          Hmm. I don't know of a way to identify what GW address traffic arrived on. I don't know if that is going to be possible. That address is not involved in routing decisions at all as it is neither the source address nor the destination address. All the router interface will see is:

          Source IP address / Source MAC address (Client MAC)
          Destination IP address / Destination MAC address (Router interface MAC)

          They will be identical regardless of what gateway address the traffic is forwarded to.

          Seems like a Mac network location could just as easily set a separate static client IP address and leave the gateway the same. That would be easy to policy route.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Hugovsky

            You can try using the "locations" in macOS if that allows you to use different configs with different IPs. Say you have a "location" called VPN1: Mac IP 192.168.1.2 -> in pfSense you have a rule that says "with this IP, use gateway VPN1".

            "location" called VPN2: Mac IP 192.168.1.2 -> in pfSense you have a rule that says "with this IP, use gateway VPN2".

            I think you get the point.

            • awair

              Thanks Derelict,

              That's as far as I got as well. I'll have to consider how much trouble that will cause by changing IP address.

              • Hugovsky

                @Derelict

                Exactly.

                • Derelict LAYER 8 Netgate

                  The Mac's networking stack is pretty flexible. There might be a way to have a fourth address that never changes that is not used as a source address for outgoing connections but can always be available to accept incoming connections. Not sure how, just throwing it out there. I don't see a way to add an "IP Alias" to an interface but I created another interface on the same vlan and gave it a separate address and ended up with this:

                  vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                          options=3<RXCSUM,TXCSUM>
                          ether 3c:07:54:0c:23:16
                          inet6 fe80::403:dcd:81c:6e04%vlan2 prefixlen 64 secured scopeid 0xc
                          inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
                          inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
                          nd6 options=201<PERFORMNUD,DAD>
                          vlan: 1200 parent interface: en0
                          media: autoselect (1000baseT <full-duplex>)
                          status: active

                    • awair

                    Thanks again Derelict,

                    This is mostly way above my level, but it has given me different options to consider.

                    I have assigned a couple of Virtual IP addresses to pfSense, and would have thought that there might be a way to use these or assign them to an interface, unfortunately just not the OpenVPN interfaces!

                      • awair

                      Thanks again Derelict,

                      While a Virtual IP on the Mac does not entirely fix what (I think) I'm looking for, it's close enough.

                      I used this link:
                      http://stackoverflow.com/questions/87442/virtual-network-interface-in-mac-os-x

                      and added another IP address to the Mac, which is confirmed reachable by ping:

                      sudo ifconfig en0 alias 192.168.31.19
                      

                      to remove the alias:

                      sudo ifconfig en0 -alias 192.168.31.19
                      

                      Once I have changed everything around, the Mac will be reachable by a fixed IP alias, and the 'real' IP will change according to the 'Location' set, so as to select the appropriate VPN tunnel on demand.

                      The 'missing' functionality (that I'm aware of) is being able to identify 'all' traffic to/from this device in a single line entry. But having traffic grouped by route used could be seen as an advantage!

                        • Derelict LAYER 8 Netgate

                        You route traffic (connections, actually) from the device using a rule on "LAN" for all traffic from that source address.

                        There is really no way to identify traffic to that device. It will arrive on the WAN (including OpenVPN) interface it arrives on.

                        Reply traffic to connections made from that device will work fine.

                          • awair

                          Thanks again, I understood that…

                          ... I was referring to the various connections that have already been created (e.g. VNC on the iPad) referring to the original IP. With an alias replacing the current IP (.100), everything inbound (either LAN or Remote Access OpenVPN Server) will still find the target.

                          Outbound, the new 'real' IPs, .101, .102 etc will determine which OpenVPN Client connection to use, based on Firewall rules.

                            • awair
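                          As an added illustration of the scheme described in this post (written for this edit, not taken from the thread or from pfSense's own generated rules), here is the resulting policy routing spelled out in pf syntax. The LAN interface name, the OpenVPN client interface names and the tunnel gateway addresses are assumptions; the 192.168.31.x addresses are the ones discussed above.

```pf
# Constructed example, not pfSense-generated rules. Assumed names:
#   LAN interface      igb1
#   OpenVPN client 1   ovpnc1, remote tunnel gateway 10.8.1.1
#   OpenVPN client 2   ovpnc2, remote tunnel gateway 10.8.2.1
lan_if  = "igb1"
vpn1_gw = "(ovpnc1 10.8.1.1)"
vpn2_gw = "(ovpnc2 10.8.2.1)"
lan_net = "192.168.31.0/24"

# Everything below matches on the packet's *source* address only. The
# gateway address the Mac was configured with never appears in the
# packet, so no rule can select on it.

# Traffic between LAN hosts must be passed before any route-to rule,
# otherwise a LAN-to-LAN connection from .101 would be pushed into
# the tunnel.
pass in quick on $lan_if inet from $lan_net to $lan_net keep state

# Address the Mac uses under its "VPN1" location: force OpenVPN client 1.
pass in quick on $lan_if route-to $vpn1_gw inet from 192.168.31.101 \
    to any keep state

# Address the Mac uses under its "VPN2" location: force OpenVPN client 2.
pass in quick on $lan_if route-to $vpn2_gw inet from 192.168.31.102 \
    to any keep state

# The fixed ifconfig alias (.100) is only a stable target for inbound
# connections (VNC from the LAN or via the remote-access OpenVPN server).
# No route-to: anything it originates follows the default route (WAN).
# Replies to inbound connections follow their state, not these rules,
# so they leave on the interface the connection arrived on.
pass in quick on $lan_if inet from 192.168.31.100 to any keep state
```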

                            …Now to come up with a revised numbering scheme for 100+ domestic devices!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.