SOLVED: Routing SOME traffic / static IPs through OpenVPN (over PIA)
Click Firewall - NAT, then select the Outbound tab. Click the “Manual Outbound NAT rule generation” radio button and click Save.
Click Firewall – LAN, then edit the IPv4* and IPv6* Gateway to WAN_DHCP and WAN_DHCP6 respectively and click Save.
These steps will not do any harm, but should not be needed.
a) Choosing Manual Outbound NAT and then not modifying/adding/removing any of the NAT rules means that it will in effect do exactly the same as Automatic would have done.
b) I presume this means "edit the default LAN to any rules and set the IPv4* and IPv6* Gateway to…" - those WAN GWs should already be the default route anyway. So the original rule should be already doing the required thing. -
I did something similar, but a little cleaner (see below), but I have an issue. I want to force the traffic from to go through the VPN, and if the VPN is not connected, then that IP should not have internet access.
My settings:
In VPN/OpenVPN/Client/Advanced configuration, I've added route-nopull, which defaults all traffic to the WAN vs the VPN
In Firewall/NAT/Outbound, I've got a rule for source for interface VPNI (attached to VPN client)
In Firewall/Rules/LAN, I've got a rule with source using gateway VPNI which forces that IP through the firewall
Underneath that rule, I have the standard allow rule for all traffic through (default gateway)
My problem is, if the VPN goes down (simulated by changing the host to a bad host), gets through the WAN interface. I want it to be blocked if the VPN is not running.
I've tried adding LAN rules to block, putting an if source not on the last LAN rule, etc. Nothing seems to work. It either ends up blocking traffic for every IP, or allowing the host through without the VPN.
Any thoughts?
Ben -
I think you need to check System: Advanced: Miscellaneous, "Skip rules when gateway is down":
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down
pfSense is being nice to you, and making a rule to send your VPN traffic out the default gateway.
Then, IMHO, you will still need a block rule, after the rule feeding to VPNI, and before the general allow all rule, that blocks traffic from source -
…to upgrade to 2.1 from 2.0.3, but this worked like a charm. Thanks!
Thought I would share a bit of my experiences if it might help someone out. I created my own OpenVPN server on an Ubuntu 12.04 LTS Server box. I put it in my parents' house in the US as I currently reside in Canada but wanted US content. While I followed the examples above I still ran into a few issues which I had to overcome. The main one relevant to this post is that my Canadian DNSs didn't work over my US OpenVPN. So I just added both the Google DNSs. I also had to add the "route-nopull" to the Advanced portion of the OpenVPN Client interface. Additionally, and a little less relevant to this post, was I had the following errors come up in my OpenVPN when I was trying to connect:
Oct 12 19:57:45 openvpn[21699]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1544'
Oct 12 19:57:45 openvpn[21699]: WARNING: 'cipher' is used inconsistently, local='cipher [null-cipher]', remote='cipher BF-CBC'
Oct 12 19:57:45 openvpn[21699]: WARNING: 'keysize' is used inconsistently, local='keysize 0', remote='keysize 128'
Thus I also had to add the following to the Advanced portion of the client setup:
keysize 128; link-mtu 1544;
and change my cipher. So the moral of that is: look at your log file. It'll help.
Hi All,
Having some issues with this setup. It looks like my VPN isn't connecting properly and I'm not sure why. In Status -> OpenVPN it shows that it's connected and when selecting the Gateway in my Firewall Rules it's showing the OpenVPN IP next to it, but it doesn't seem to be routing the traffic properly, as I lose internet connectivity when routed through it.
I attempted to first route just that one IP and that didn't work, then I attempted ALL of my connections and that also didn't work. Can you give me some advice? I can provide logs or configs if you'd like to see.
I've tried adding LAN rules to block, putting an if source not on the last LAN rule, etc. Nothing seems to work. It either ends up blocking traffic for every IP, or allowing the host through without the VPN.
I put this floating rule on WAN out on all my installations. There is simply never any legitimate reason to allow RFC1918 addresses to egress your WAN. Apply action immediately (quick) is checked.
You could use the same technique on the source IP/Network that you never want to allow out (if I'm understanding the problem correctly.) And floating rules allow you to select multiple interfaces so I have mine on LAN and DSL so it catches even if multiwan swings over for some reason.
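As an added illustration (not rules posted by anyone in this thread, and not what pfSense literally writes to /tmp/rules.debug), here is the pf ruleset equivalent of the two suggestions above: the "policy-route, then block, then allow" ordering for a single host, and the floating "no RFC1918 out the WAN" rule. Interface names (em0, em1, ovpnc1), the tunnel gateway 10.8.0.1 and the host 192.168.1.50 are assumed placeholders; substitute your own.

```pf
# Assumed interfaces and addresses (placeholders, not from the thread)
wan_if   = "em0"
lan_if   = "em1"
vpn_if   = "ovpnc1"          # OpenVPN client interface assigned in pfSense
vpn_gw   = "10.8.0.1"        # far end of the tunnel, used as the policy-routing gateway
vpn_host = "192.168.1.50"    # the LAN host that must never reach the internet outside the VPN

table <rfc1918> const { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

# Outbound NAT: the VPN host leaves with the tunnel address (the "Firewall/NAT/Outbound"
# rule on the VPN interface); everyone else is NATed to the WAN address as usual.
nat on $vpn_if inet from $vpn_host          to any -> ($vpn_if)
nat on $wan_if inet from $lan_if:network    to any -> ($wan_if)

# Floating rule on WAN out with "Apply action immediately" (quick): private
# destinations never egress the WAN, whichever LAN rule let the packet in.
block out quick on $wan_if inet from any to <rfc1918>

# 1. Policy-route the host's internet-bound traffic through the VPN gateway.
#    With System: Advanced: Miscellaneous "Skip rules when gateway is down" set,
#    pfSense omits this rule while the tunnel is down instead of regenerating it
#    with the default (WAN) gateway, which is what lets the host leak otherwise.
pass  in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
      from $vpn_host to ! $lan_if:network keep state

# 2. Kill switch: anything from the host that rule 1 did not catch (i.e. the
#    tunnel is down and rule 1 is gone) is dropped before the general allow.
block in quick on $lan_if inet from $vpn_host to ! $lan_if:network

# 3. The ordinary "LAN net to any" allow for every other host; it follows the
#    default route, which is the WAN.
pass  in quick on $lan_if inet from $lan_if:network to any keep state
```

Rules 1 to 3 are the order the LAN tab must show (VPN rule, block rule, default allow); pf evaluates quick rules first-match, so swapping 2 and 3 reinstates the leak. The check worth doing on the box is `pfctl -sr` (Diagnostics > Command Prompt, or grep the output for the host address) once with the tunnel up and once after breaking it: the `route-to` line should vanish in the second run and the block line should remain.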

If someone could assist me with this I am happy to pay. I have to force specific traffic destined for internet to go to internet via the openvpn tunnel. Is there someone that can assist with this? Happy to pay if you know how to do this.
Hi, I realise this is an old post, but wondering if you ever found out what was your problem? I am having exactly the same situation. I have set up the OpenVPN Client whose status says connected, the gateway, and NAT and Firewall rules. I set one machine via its IP address to route through the VPN tunnel, but nothing gets routed. Same if I try to route the whole subnet. The Gateway monitoring status shows as "Offline" but when selecting in the Firewall rules it does show the OpenVPN IP. In my case I'm using Witopia as VPN provider but I suspect that's not the issue.
Please start a new thread for your problem. Locking this one to prevent further necro.