Netgate Discussion Forum
    route one site via openvpn

Routing and Multi WAN
viragomann @l4z0a5

@l4z0a5
Which VPN is this? A site-to-site VPN where both ends are managed by you, or a VPN provider you connect to with your client?

Which kind of traffic do you want to route over it? Is it upstream traffic, or is the destination device on the remote site?

l4z0a5 @viragomann

@viragomann

The VPN provider is KeepSolid. I set it up as a client based on their docs and it does show up.

(screenshot: pfSense Status > Interfaces)

I want to route my IPTV via the VPN, as the ISP appears to throttle streaming. I tried with an alias for either the URL or the port, as it is unique to it.

viragomann @l4z0a5

          @l4z0a5
          Did you configure the Outbound NAT for the VPN?

KOM @l4z0a5

            @l4z0a5 Your LAN rule shown above currently has all traffic from LAN net (everyone) from any port going to destination KeepSolidVPN to any port. What's in the KeepSolidVPN alias? You don't route traffic by using the address of the VPN as the destination. The destination is where you're trying to go. The VPN is just the gateway to get there.

            If you want to route one client's traffic out the VPN, the Source should be that client's IP address, any port, any destination, any port, gateway your VPN. Don't forget to reset the states for that client or the existing states will continue out the default gateway.

l4z0a5 @KOM

Thanks guys.

This is my outbound NAT. I may have added one of the rules to see if it made a difference.
(screenshot: outbound NAT rules)

My alias is
KeepSolidVPN: site1.com, site2.com

My thought on the firewall rule was that it would see all traffic on the LAN, match traffic based on the info in KeepSolidVPN, and route the traffic that matched to the KeepSolid gateway. Tried the same with ports as well, without luck.

I specifically want to only route traffic by destination domain or port. The app is on my TV and I would like the rest of the traffic to go out via the regular WAN, e.g. Netflix.

KOM @l4z0a5

@l4z0a5 You don't need that first NAT rule, assuming your LAN is 10.111.222.0/24. I don't know what you're trying to do with that rule.

l4z0a5 @KOM

                  This post is deleted!
KOM

The outbound NAT rule you just deleted is wrong. Here is an example. I want the IPs in KOM_VPN_USERS to use the VPN tunnel if they try to talk to anything on the 10.10.0.0/16 network. Everything else goes out the default WAN. The outbound NAT rule tells pfSense to send the packets using the OpenVPN interface address. My home network is 192.168.88.0/24.

(screenshot: fw.png, the LAN firewall rule)

(screenshot: nat.png, the outbound NAT rule)

l4z0a5 @KOM
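To make the two points KOM raises concrete (a rule whose destination is the VPN alias matches nothing useful, whereas a source-based rule with the VPN gateway does; and an existing state keeps its original gateway until it is reset, while traffic leaving the tunnel still needs an outbound NAT entry), here is a small constructed model of pfSense's first-match rule evaluation. This is added example code, not anything from the thread or from pfSense itself; the alias contents, addresses, and names KSVPN / KSVPN_GW are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias table. A hostname alias only helps when the IPs it resolves
# to are the ones the client actually contacts; CDN-hosted IPTV often is not.
ALIASES = {
    "KeepSolidVPN": ["203.0.113.10", "203.0.113.11"],   # constructed resolved IPs
    "IPTV_BOX": ["10.111.222.50"],                      # constructed client IP
}

@dataclass
class Rule:
    src: Optional[str]      # alias name, IP, CIDR, or None for "any"
    dst: Optional[str]
    dport: Optional[int]
    gateway: str            # "default" or a named gateway such as "KSVPN_GW"

def matches(spec: Optional[str], value: str) -> bool:
    """True if an address satisfies a rule field ('any', an alias, or a network)."""
    if spec is None:
        return True
    candidates = ALIASES.get(spec, [spec])
    return any(ipaddress.ip_address(value) in ipaddress.ip_network(c, strict=False)
               for c in candidates)

def pick_gateway(rules, states, src, dst, dport) -> str:
    """First matching rule decides the gateway; an existing state keeps its own."""
    key = (src, dst, dport)
    if key in states:               # established flow: rule changes do not apply yet
        return states[key]
    for r in rules:
        if matches(r.src, src) and matches(r.dst, dst) and r.dport in (None, dport):
            states[key] = r.gateway
            return r.gateway
    return "default"

def reset_states(states, src) -> None:
    """Model of clearing one client's states so the new rule takes effect."""
    for key in [k for k in states if k[0] == src]:
        del states[key]

def outbound_nat(out_iface, src, nat_rules) -> Optional[str]:
    """Translated source for traffic leaving out_iface, or None if no rule covers it."""
    for iface, net, translate_to in nat_rules:
        if iface == out_iface and ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return translate_to
    return None
```

A `None` result from `outbound_nat` is the situation viragomann asked about: the packet would leave the tunnel with a private source address.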

@kom
Thanks KOM. Finally got it to work; I had more than one issue, but all good now. More testing to do, but I set up an alias for https://www.whatismyip.com and it shows neither my WAN nor my other VPN gateway :)

My rules, just in case anyone ever has the same thing:

Alias:
(screenshot: alias definition)

Firewall -> Rules -> LAN
(screenshot: LAN firewall rule)
KSVPN is just the name I gave it under Interfaces / Interface Assignments.

Firewall / NAT / Outbound

(screenshot: outbound NAT rule)

How I ended up here:

One of the issues I had was that the gateway was actually down.

Tried to route via the existing VPN, which finally got to work with the proper NAT rules.

Changed the monitoring gateway to 8.8.8.8, which then showed the gateway up.

KOM @l4z0a5

                        @l4z0a5 said in route one site via openvpn:

Changed the monitoring gateway to 8.8.8.8, which then showed the gateway up.

                        Then you're not really monitoring the gateway but Google. The IP address and gateway for the tunnel should be provided by the server end when they first connect.

l4z0a5 @KOM

@kom I agree with you, but for some reason it was failing to ping the gateway. Thanks for your help along the way.
