Netgate Discussion Forum

    Vpn from specific hosts

    General pfSense Questions
    aagaag

      I have managed to set up OpenVPN for StrongVPN, and things are now working (after many hours of sweat and tears). The problem is now, everything is passing through the VPN, yet I want only the alias OVPN_clients to be served, whereas everybody else by default should be served by the WAN interface. I have read many posts, but I am still at a loss. Here is a screenshot of my interface page. The WAN rule is on the top, and the OpenVPN has the no-pull option. Hence I thought that the clients would encounter the WAN rule and be done. Why do they end up on the VPN?

      Any help would be appreciated!

      Mappings

      | Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description |
      |---|---|---|---|---|---|---|---|---|
      | WAN | 127.0.0.0/8 | * | * | * | WAN address | * | | Auto created rule - localhost to WAN |
      | WAN | 10.10.0.0/16 | * | * | * | WAN address | * | | Auto created rule - LAN to WAN |
      | STRONGVPN | 10.10.0.0/16 | * | * | * | STRONGVPN address | * | | Auto created rule - LAN to WAN |
      | STRONGVPN | 10.10.0.0/16 | * | * | * | STRONGVPN address | * | | Auto created rule - LAN to WAN |
      | WAN | 10.10.0.0/16 | * | * | 500 | WAN address | * | | Auto created rule for ISAKMP - L2TP to WAN |
      | WAN | 10.10.0.0/16 | * | * | * | WAN address | * | | Auto created rule - L2TP to WAN |
      | WAN | 10.10.0.0/16 | * | * | 500 | WAN address | * | | Auto created rule for ISAKMP - L2TP server to WAN |
      | WAN | 10.10.0.0/16 | * | * | * | WAN address | * | | Auto created rule - L2TP server to WAN |


      viragomann

        The screenshot only shows NAT mappings. That has nothing to do with directing traffic to anywhere.

        If your whole traffic goes out the vpn interface it will be directed there by routes on pfSense.
        So show your routing table, your vpn settings and your firewall rules.

        aagaag

          Heartfelt thanks for your willingness to help me. Here we go:

          ![Screenshot 2018-04-16 18.01.08.png](/public/imported_attachments/1/Screenshot 2018-04-16 18.01.08.png)
          ![Screenshot 2018-04-16 18.01.13.png](/public/imported_attachments/1/Screenshot 2018-04-16 18.01.13.png)
          ![Screenshot 2018-04-16 18.01.20.png](/public/imported_attachments/1/Screenshot 2018-04-16 18.01.20.png)
          ![Screenshot 2018-04-16 18.07.56.png](/public/imported_attachments/1/Screenshot 2018-04-16 18.07.56.png)

          viragomann

            Firewall rules have to be defined on the incoming interface!

            So the rule on the STRONGVPN tab makes no sense. I don't think you want to allow any incoming traffic from that vpn.
            Edit that rule, change the interface in the rule to LAN and select the STRONGVPN gateway in the advanced options.
            This moves that rule to the LAN tab.
            Go to the LAN tab and move that rule to the top of the rule set.

            In the "Default allow LAN to any rule" on LAN change the gateway to "Default". That's the culprit that directs all traffic over the vpn now.

            aagaag
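As an added illustration of the policy-routing point in this answer (example code, not from the thread or from pfSense itself), the check below walks a constructed config.xml-style `<filter>` fragment and flags the three mistakes discussed: a gateway on a rule that is not on the LAN tab, the LAN catch-all rule pinned to the VPN gateway, and a policy rule ordered below the catch-all; `apply_fix` then performs the rewrite the answer describes. The element names (`interface`, `source`, `gateway`, `descr`) follow pfSense's config.xml layout, but the fragment, the `opt1` interface name and the `STRONGVPN_VPNV4` gateway name are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed pfSense-style <filter> fragment (not a real config.xml export) that
# models the thread's starting state: the policy-routing rule sits on the VPN
# interface tab (opt1, assumed STRONGVPN) and the LAN catch-all carries the VPN gateway.
BROKEN_XML = """<pfsense><filter>
<rule><interface>opt1</interface><source><address>OVPN_clients</address></source>
  <destination><any/></destination><gateway>STRONGVPN_VPNV4</gateway>
  <descr>OVPN clients via VPN</descr></rule>
<rule><interface>lan</interface><source><network>lan</network></source>
  <destination><any/></destination><gateway>STRONGVPN_VPNV4</gateway>
  <descr>Default allow LAN to any rule</descr></rule>
</filter></pfsense>"""

def is_catch_all(rule, lan):
    """True when the rule's source is 'any' or the whole LAN network."""
    src = rule.find("source")
    return src is not None and (src.find("any") is not None
                                or src.findtext("network") == lan)

def audit(xml_text, lan="lan"):
    """Findings: gateway on a non-LAN tab (rules match where a packet ENTERS), a
    catch-all LAN rule carrying a gateway, a policy rule below the catch-all."""
    findings, catch_all_seen = [], False
    for rule in ET.fromstring(xml_text).iter("rule"):
        iface, gw = rule.findtext("interface"), rule.findtext("gateway")
        descr = rule.findtext("descr", "")
        if gw and iface != lan:
            findings.append(f"'{descr}': gateway set on the {iface} tab, LAN clients never match it")
        elif iface == lan and is_catch_all(rule, lan):
            if gw:
                findings.append(f"'{descr}': catch-all LAN rule pinned to {gw}, all LAN traffic uses the VPN")
            catch_all_seen = True  # first match wins, anything below is shadowed
        elif iface == lan and gw and catch_all_seen:
            findings.append(f"'{descr}': sits below the catch-all rule and can never match")
    return findings

def apply_fix(xml_text, lan="lan"):
    """Apply the answer's advice: move gateway rules onto the LAN tab above everything
    else and reset the catch-all rule's gateway to Default (the element is dropped)."""
    root = ET.fromstring(xml_text)
    flt = root.find("filter")
    policy = [r for r in flt if r.findtext("gateway") and not is_catch_all(r, lan)]
    rest = [r for r in flt if r not in policy]
    for r in policy:
        r.find("interface").text = lan
    for r in rest:
        if is_catch_all(r, lan) and r.find("gateway") is not None:
            r.remove(r.find("gateway"))
    flt[:] = policy + rest  # policy rules first, catch-all last
    return ET.tostring(root, encoding="unicode")
```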

              @viragomann:

              Firewall rules have to be defined on the incoming interface!

              You, Sir, are a hero! Now things work as expected. I will gladly send you a small token of appreciation via paypal (see PM).

              The only remaining issue is that I think that I may need to do the same for IPv6. However configuring IPv4+6 disallows the gateway options.

              The reason is a very unexpected behavior of an Android video streamer. When firing up Amazon Prime Video (from a European location, no VPN), some titles are geoprotected. StrongVPN has an Android VPN client app which connects the streamer directly to the tunnel, and (if the tunnel exits within North America) the geoprotection is defeated.

              What is weird, however, is that moving the VPN entry to pfSense does not work: now the Android streamer will still be affected by the geoprotection, even if the public IP is correctly shown as that of the VPN (hence in America) and all geolocation services interpret the location as USA. I therefore suspect that there is some leak. Maybe DNS leak (but I do not think so), or maybe an IPv6 leak?

              aagaag

                I stand corrected. I do have a DNS leak. Might you be so kind and explain to me how I can ensure that traffic moving through the VPN uses a specific DNS server, and only that one?

                viragomann

                  @aagaag:

                  The only remaining issue is that I think that I may need to do the same for IPv6. However configuring IPv4+6 disallows the gateway options.

                  Naturally, IPv6 requires an IPv6 gateway. So you cannot set the IPv4 VPN gateway for IPv6 traffic anyway.

                  @aagaag:

                  I stand corrected. I do have a DNS leak. Might you be so kind and explain to me how I can ensure that traffic moving through the VPN uses a specific DNS server, and only that one?

                  The simplest way would be to use an external DNS server on the concerned devices.
                  Assuming you use the DHCP server on pfSense to configure the network on your devices, add a static mapping for all devices you're directing over that vpn. In the static mapping you can define an external DNS like Google's 8.8.8.8 or whatever you want.
                  Since any traffic of those devices is directed over the vpn by the firewall rule, the DNS requests also have to go over the vpn.

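As an added check for the DNS advice in this answer (example code, not from the thread or from pfSense), the function below reads a constructed config.xml-style fragment and lists the members of the policy-routed alias whose DHCP static mapping does not hand out a per-host DNS server, i.e. the hosts that would still resolve through pfSense itself rather than over the VPN. The `aliases`/`alias`/`address` and `dhcpd`/`staticmap`/`dnsserver` element names follow pfSense's config.xml layout; the alias members and MAC addresses are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml-style fragment (not a real export): the OVPN_clients alias
# and the LAN DHCP static mappings. 10.10.1.6 still has no per-host DNS server.
SAMPLE_XML = """<pfsense>
<aliases><alias><name>OVPN_clients</name><type>host</type>
  <address>10.10.1.5 10.10.1.6</address></alias></aliases>
<dhcpd><lan>
  <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>10.10.1.5</ipaddr>
    <dnsserver>8.8.8.8</dnsserver></staticmap>
  <staticmap><mac>00:11:22:33:44:66</mac><ipaddr>10.10.1.6</ipaddr></staticmap>
</lan></dhcpd></pfsense>"""

def dns_leak_candidates(xml_text, alias="OVPN_clients", iface="lan"):
    """Alias members with no static mapping, or a mapping without a dnsserver entry:
    their queries go to pfSense's own resolver instead of out through the VPN rule."""
    root = ET.fromstring(xml_text)
    members = set()
    for a in root.iter("alias"):
        if a.findtext("name") == alias:
            # pfSense stores host alias members space-separated in one element
            members.update((a.findtext("address") or "").split())
    per_host_dns = {}
    for m in root.iterfind(f"dhcpd/{iface}/staticmap"):
        per_host_dns[m.findtext("ipaddr")] = [d.text for d in m.findall("dnsserver")]
    return sorted(ip for ip in members if not per_host_dns.get(ip))
```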
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.