OpenVPN client with, list of pulled routes and multi-WAN.
-
Hi,
I use pfSense 2.4.2 with 3 interfaces (WAN1, WAN2, and LAN).
pfSense's OpenVPN client gets private IP from server - and also a list of two hundreds public IP-addresses ("servers"), which should be routed through this VPN (vpn server does NAT).
Single WAN: everything works as expected; LAN can successfully access "servers" through VPN.
Multi-WAN: access from LAN to "servers" doesn't work, traffic goes through WAN group. I understand that in multi-WAN mode, openvpn routing rules are ignored, and I need to add a "policy negation rule" (with default gw) above my multiwan rule. But I can't manually list 200 addresses in 'dst'.
I read a lot of posts, but still don't see a solution.
One possible solution would be auto-adding pulled openvpn routes to some 'virtual IP' (in Linux I'd say it's "ipset"), which will make writing fw rule trivial. Is it possible?
Or, at least, is there a way to manually (REST API, CLI) configure 'virtual IP' addresses? I have access to "servers" list, it rarely changes, so I can write some simple script to "sync" current list with 'virtual IP'..
OpenVPN server is not under my control; I can ask for small config changes, but overall architecture cannot be changed.
Thanks a lot for all ideas.
-
You can just import the list as an alias in pfSense (Firewall > Aliases > IP) and use this one in the rule.
If you don't want to update the list when it changes, you can also use pfBlocker, which is capable to provide an alias to you based on a list and update it automatically.
-
I don't understand how I missed this 'import' button.. Now it works. Thanks!
And also thanks for idea of updating list with pfBlocker - I'm new to pfSense, didn't know about this package (and now I have an idea of creating package which will auto-create/update aliases based on openvpn routes).