Selective routing for OpenVPN clients



  • Is there anything under the hood in pfSense that will allow me to route OpenVPN users through to specific interfaces depending on either their user account, their user group or their source IP address?  The only solution I can think of myself is to simply create individual OpenVPN servers on the WAN, each listening on a specific port, route each OpenVPN server through to a specific interface, and just instruct each group to use their corresponding OpenVPN port number.  I don't want OpenVPN users from group 1 reaching or being routed to the internal interface intended for group 2, and vice versa.



  • If you have a large number of users in each group, setting up different VPN servers will be the best way. For each server you have to add a separate CA to generate the user and server certs, to prevent users from connecting to the other server.

    If there are only a small number of users, you may also set up a client-specific override for each of them instead, to force specific IPs on them.

    Both solutions require SSL/TLS-auth.



  • @yqjrnnxq:

    Is there anything under the hood in pfSense that will allow me to route OpenVPN users through to specific interfaces depending on either their user account, their user group or their source IP address?  The only solution I can think of myself is to simply create individual OpenVPN servers on the WAN, each listening on a specific port, route each OpenVPN server through to a specific interface, and just instruct each group to use their corresponding OpenVPN port number.  I don't want OpenVPN users from group 1 reaching or being routed to the internal interface intended for group 2, and vice versa.

    My reply may come too late.  I do policy routing based on IP address and on domain names generated by a streaming media channel on Roku.

    Clients
    Assign static IP addresses for each client.

    In Firewall, Alias, I create an alias containing the IP addresses of all clients that I want to go through a specific OpenVPN client.  Then, in Firewall Rules, LAN, I create a firewall rule for these clients.  In the Source field, I select "single host or alias", then enter the firewall alias I created which contains the client IP addresses.  Finally, in the advanced section, Gateway field, I use the drop-down list to select the OpenVPN client I want to route them to.  Then click Save.  You can repeat these steps for clients that you want to use the WAN and not go through the VPN client.  I assign static IP addresses in DHCP for this to work.

    Domain Names
    Recently, I did something similar to route a streaming media channel to a second VPN client.  You can see how to get the domain names from DNS Resolver here:
    https://forum.pfsense.org/index.php?topic=134775.0
    Once you identify the domain names the site uses/generates, create another firewall alias of type Hosts and enter the domain names.  Since I had many, I selected Firewall, Alias, All.  This gave me a box to copy and paste into.  I copied them from an Excel spreadsheet where I had cleaned up the list of domain names and removed duplicates and the text before and after each domain name log entry.  I then create the firewall rule in the LAN.  Since I want to route outbound traffic to the second VPN client, I use the Destination section, "single host or alias", and select the firewall alias I created containing the domain names.  Down in Advanced, I select the OpenVPN client gateway that I want to route traffic to.

    I recommend a reboot after making the changes.
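The two approaches in this thread (client-specific overrides that pin each user to a fixed tunnel address, and firewall rules keyed on a source alias with a chosen gateway) can be scripted rather than clicked. The following is an added example, not code from the thread or from pfSense: it assigns every certificate CN a fixed address inside its group's tunnel subnet, writes the client-config-dir (CCD) contents that pfSense's "Client Specific Overrides" generate under the hood, and emits pf rules that let each group's subnet reach only its own internal interface, plus a LAN policy-routing rule in the style of the third post. Group names, subnets, interface names (em0/em1/em2, ovpns1, ovpnc1) and the client list are all constructed for illustration.

```python
"""Added example (not from the thread): per-group OpenVPN client overrides and
pf rules that keep group 1 off group 2's interface.

Assumptions (hypothetical): the OpenVPN server runs with 'topology subnet' and
'client-config-dir'; em1/em2 are the two internal interfaces, ovpns1 is the
server's tunnel interface, ovpnc1 an OpenVPN client used as a gateway.
"""
import ipaddress
import re

# Constructed sample data: tunnel subnet and internal interface per group.
GROUPS = {
    "group1": {"tunnel": "10.8.1.0/24", "iface": "em1"},
    "group2": {"tunnel": "10.8.2.0/24", "iface": "em2"},
}

# Constructed sample data: certificate CN -> group. OpenVPN picks the CCD file
# by CN, so the CN is the identity everything below hangs on.
CLIENTS = {"alice": "group1", "bob": "group1", "carol": "group2"}

# The CN becomes a file name in the CCD directory; keep it to plain characters.
SAFE_CN = re.compile(r"^[A-Za-z0-9._@-]+$")


def check_groups(groups):
    """Refuse overlapping tunnel subnets: an overlap would let a host of one
    group match the other group's pass rule."""
    nets = [ipaddress.ip_network(g["tunnel"]) for g in groups.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"tunnel subnets overlap: {a} and {b}")
    return True


def assign_addresses(clients, groups):
    """Return {cn: (ip, netmask)} with a fixed address per client inside its
    group's subnet. .0 is the network and .1 is the server side, so client
    addresses start at .2; the broadcast address is never handed out."""
    check_groups(groups)
    next_host = {name: 2 for name in groups}
    out = {}
    for cn in sorted(clients):
        if not SAFE_CN.match(cn):
            raise ValueError(f"unsafe CN (used as a file name): {cn!r}")
        group = clients[cn]
        net = ipaddress.ip_network(groups[group]["tunnel"])
        host = next_host[group]
        if host >= net.num_addresses - 1:
            raise ValueError(f"tunnel subnet for {group} is full")
        next_host[group] += 1
        out[cn] = (str(net.network_address + host), str(net.netmask))
    return out


def ccd_files(clients, groups):
    """{cn: CCD file contents}. With 'topology subnet', ifconfig-push takes
    the client address followed by the subnet mask."""
    return {cn: f"ifconfig-push {ip} {mask}\n"
            for cn, (ip, mask) in assign_addresses(clients, groups).items()}


def pf_rules(groups, ovpn_if="ovpns1"):
    """pf rules on the server tunnel interface: each group's subnet may reach
    its own internal interface's network only; everything else is blocked."""
    lines = [f"pass in quick on {ovpn_if} from {g['tunnel']} "
             f"to ({g['iface']}:network)" for g in groups.values()]
    lines.append(f"block in quick on {ovpn_if} from any to any")
    return lines


def policy_route_rules(alias, hosts, lan_if="em0", gw_if="ovpnc1", gw_ip="10.9.0.1"):
    """The third post's LAN rule as pf syntax: a table of client addresses
    whose traffic is sent out through an OpenVPN client gateway (hypothetical
    gateway interface and address)."""
    table = f"table <{alias}> {{ {', '.join(hosts)} }}"
    rule = (f"pass in quick on {lan_if} from <{alias}> to any "
            f"route-to ({gw_if} {gw_ip})")
    return [table, rule]


if __name__ == "__main__":
    for cn, body in ccd_files(CLIENTS, GROUPS).items():
        print(f"--- ccd/{cn}\n{body}", end="")
    print("\n".join(pf_rules(GROUPS)))
    print("\n".join(policy_route_rules("roku_hosts", ["192.168.1.10", "192.168.1.11"])))
```

Pair the CCD files with `ccd-exclusive` in the server config so a certificate with an unknown CN is refused rather than handed a default address outside any group; pfSense exposes the same idea as per-client overrides plus, on a single server, the CN (or the user's certificate) is the only thing separating the groups, which is why the second post suggests separate CAs when the groups get large.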