Stopping internet if there is no openvpn tunnel



  • I would like to know whether it is possible to block internet traffic if the client side does not have its OpenVPN tunnel up and running.
    I have an OpenVPN server at our DC, and the client is connecting to our server and all traffic is forced over the tunnel, but I need to make sure that if the tunnel goes down then internet gets blocked for that client.
    Is this possible?



  • If you really mean a client (not through a site-to-site link with pfSense/some other router), then no. In order to connect to your VPN server at the DC, the client should be able to reach it, and it reaches the VPN server through the Internet. So no Internet, no VPN.



  • @pan_2:

    If you really mean a client (not through a site-to-site link with pfSense/some other router), then no. In order to connect to your VPN server at the DC, the client should be able to reach it, and it reaches the VPN server through the Internet. So no Internet, no VPN.

    Sorry, I meant site-to-site VPN. Is there a way?



  • If you use S2S through pfSense (it doesn't matter what is on the other side), you can try to forcibly divert all traffic from LAN to the OpenVPN tunnel, which, as a side effect, will not allow outbound traffic through the default gateway.

    Set up the OpenVPN link to the other side;
    Go to Interfaces -> Assign, add an interface for the corresponding ovpnc interface;
    Go to Interfaces -> YourNewInterface, tick the "Enabled" checkbox AND DON'T touch anything else (besides name/description);
    Go to Rules -> LAN, add a topmost rule:
    Proto ANY
    From LAN net
    To ANY
    Gateway: your OpenVPN interface.

    Be careful, though: this will force ALL traffic into the tunnel; if you forget about it, you will have nightmares trying to diagnose any problems.
    Also, be sure to check that your tunnel is stable before adding the redirect rule.



  • @pan_2:

    If you use S2S through pfSense (it doesn't matter what is on the other side), you can try to forcibly divert all traffic from LAN to the OpenVPN tunnel, which, as a side effect, will not allow outbound traffic through the default gateway.

    Set up the OpenVPN link to the other side;
    Go to Interfaces -> Assign, add an interface for the corresponding ovpnc interface;
    Go to Interfaces -> YourNewInterface, tick the "Enabled" checkbox AND DON'T touch anything else (besides name/description);
    Go to Rules -> LAN, add a topmost rule:
    Proto ANY
    From LAN net
    To ANY
    Gateway: your OpenVPN interface.

    Be careful, though: this will force ALL traffic into the tunnel; if you forget about it, you will have nightmares trying to diagnose any problems.
    Also, be sure to check that your tunnel is stable before adding the redirect rule.

    Thanks for this. Is this rule a firewall rule? Do I need to make a gateway rule as well, or should a firewall rule be enough?



  • I have tried creating the interface and made a firewall rule for LAN to be passed; however, the internet goes down when this rule is applied, and it seems more like a DNS thing, as I'm able to ping IPs directly.



  • I have tried another way, making the OVPN interface the default gateway, yet the internet goes down and I have to set the WAN as the default gateway in order to get it back. Any suggestions on how I can achieve this?
    I just need the OVPN link to be used as the internet link, and once the tunnel is down the internet goes down with it.
    Just to add, I have modified the default LAN rule. Shall I just keep the default rule and add another rule with OVPN as the gateway?



  • Your pfSense router should have its default gateway set to your ISP.
    But your LAN clients should be diverted to the OpenVPN interface gateway.
    Your ruleset should look like:

    Rule 1:
    FROM LAN net
    TO LAN address
    Allow

    Rule 2:
    FROM LAN net
    TO Any
    Allow
    Gateway: OpenVPN interface gateway.



  • Thanks a lot. I did it exactly, yet it's not working.
    Am I missing something?



  • Go to System/Advanced/Miscellaneous and check "Skip rules when gateway is down".



  • @heper:

    Go to System/Advanced/Miscellaneous and check "Skip rules when gateway is down".

    But why do I need this? I want it so that even if the default gateway is up and the VPN link is down, the client will not have internet.



  • That's exactly what that checkbox is supposed to do...

    Do not create rules when gateway is down
    By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.

    You just need to make sure that there is no rule above or below it that allows the traffic out a different way.
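As an added illustration (not code from the thread or from pfSense), here is a small Python model of the behaviour the last two answers describe: the two-rule LAN ruleset with the OpenVPN gateway, and where a LAN client's internet-bound packet ends up when the tunnel is down, with and without "Skip rules when gateway is down". The names OVPN_GW and the destination label "internet" are constructed placeholders, and the ruleset is a simplified first-match model, not pfSense's actual rule loader.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    src: str                       # e.g. "LAN net"
    dst: str                       # "LAN address" or "any"
    gateway: Optional[str] = None  # e.g. "OVPN_GW"; None = follow the default route (WAN)


def effective_rules(policy: List[Rule], gateway_up: Dict[str, bool],
                    skip_when_down: bool) -> List[Rule]:
    """Model of how pfSense loads policy rules that name a gateway.

    Default: a rule whose gateway is down is still loaded, minus the gateway, so
    matching traffic silently takes the default route (fail-open). With "Skip
    rules when gateway is down" the rule is omitted, so the traffic falls through
    to whatever rule comes next (fail-closed if nothing passes it).
    """
    loaded: List[Rule] = []
    for rule in policy:
        if rule.gateway is None or gateway_up.get(rule.gateway, False):
            loaded.append(rule)
        elif not skip_when_down:
            loaded.append(Rule(rule.src, rule.dst, None))  # gateway stripped: leaks via WAN
        # else: rule omitted entirely
    return loaded


def egress_for(dst: str, rules: List[Rule]) -> Optional[str]:
    """First-match evaluation of a packet from LAN net to dst: returns the gateway
    name, "default" (i.e. WAN), or None when the implicit default deny drops it."""
    for rule in rules:
        if rule.dst in ("any", dst):
            return rule.gateway or "default"
    return None


# The two-rule LAN ruleset recommended in the thread (constructed here).
LAN_RULES = [
    Rule("LAN net", "LAN address"),             # keep the firewall itself (DNS, GUI) reachable
    Rule("LAN net", "any", gateway="OVPN_GW"),  # everything else is policy-routed into the tunnel
]


def internet_egress(tunnel_up: bool, skip_when_down: bool) -> Optional[str]:
    """Where a LAN client's internet-bound packet ends up for a given tunnel state."""
    rules = effective_rules(LAN_RULES, {"OVPN_GW": tunnel_up}, skip_when_down)
    return egress_for("internet", rules)
```

With the tunnel down and the option unchecked, `internet_egress` returns "default", which is the WAN leak the thread is trying to prevent; with the option checked it returns None (default deny), as long as no other LAN rule passes the traffic.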



  • @pan_2:

    If you use S2S through pfSense (it doesn't matter what is on the other side), you can try to forcibly divert all traffic from LAN to the OpenVPN tunnel, which, as a side effect, will not allow outbound traffic through the default gateway.

    Set up the OpenVPN link to the other side;
    Go to Interfaces -> Assign, add an interface for the corresponding ovpnc interface;
    Go to Interfaces -> YourNewInterface, tick the "Enabled" checkbox AND DON'T touch anything else (besides name/description);
    Go to Rules -> LAN, add a topmost rule:
    Proto ANY
    From LAN net
    To ANY
    Gateway: your OpenVPN interface.

    Be careful, though: this will force ALL traffic into the tunnel; if you forget about it, you will have nightmares trying to diagnose any problems.
    Also, be sure to check that your tunnel is stable before adding the redirect rule.

    Thanks, it did the trick with a bit of tweaking. Just wondering, if I use multi-WAN, can OVPN work and all traffic be forced? I will open a new topic on this.



  • @heper:

    That's exactly what that checkbox is supposed to do...

    Do not create rules when gateway is down
    By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.

    You just need to make sure that there is no rule above or below it that allows the traffic out a different way.

    Thanks, it did work. Just wondering, if I have multiple LANs, what do I need to do to make them work?

