Multi VPN client/device bypass

  • I would like to

    1. Use multiple VPN clients
        Ideally these would be grouped together as a single WAN and would allow for a fallback in case one client goes down.

    2. Host a VPN server
        To provide access to my network so I can access my NAS from outside my network. I would like to set up DDNS to update my public IP.

    3. Allow certain devices to bypass the VPN or force devices to use the VPN clients.
        Not all my devices need to use the VPN client WANs.  This will improve latency times.  I can give devices static address reservations based off a MAC address.  Items like my Arlo baby camera and the devices used to watch the feed do not need to go through the VPN.

    Network Setup
    I live in Germany and have a 50 MB DSL connection. I see 20 MB speeds most of the time. :( My DSL modem is required because my home phone capabilities are built into the modem. It has no option to create a DMZ. Currently there is an ethernet cable from my DSL modem to the WAN side of my pfSense machine, then an ethernet cable feeding my internal network.

    I have networking experience but not firewall experience.

    I can provide any other information that is needed.  Thank you

    pfSense 2.4.0 running on an ESXi machine with

    4 CPUs x Intel(R) Core(TM) i5-3450 CPU @ 3.10GHz

    20 GB RAM

  • I currently have a single VPN client setup and it works but has latency issues at times and disconnects randomly while the ISP connection is still up.

    I have had multiple clients setup and running but my network stops passing traffic.

    With my network operational I have created a floating rule and assigned a single ip address to use the WAN and it still sends traffic out the VPN connection.  Under advanced/gateway my VPN is not an available selection.

  • There are a lot of questions like yours in the openvpn section. Some of them are by me. 🙂

    There are three sources I keep coming back to:

    2. pfSense Gold Hangout on OpenVPN covers this setup

    My two cents: take your time and make sure you understand what you are doing. I had the basic config running in 4 hours with the document above and then started reading the forum. There are a lot of tweaks that may or may not be interesting for an environment.

  • Thank you. Apparently I was on the right track somewhat. I now have traffic pointed to different exits based on the source IP address.

    I was creating the interfaces, but they were not being displayed as gateways when creating my rules. I did not realize I needed to enable the interface after I created it.

    Now I am working my way through setting up a VPN server. But that will be a project for another night.

  • What I learned from the forum after fighting with OpenVPN server and client:

    1. Make sure your server certificate is actually a server certificate and users in the user manager have client certificates. So pretty obvious, but I've lost an hour troubleshooting why there were no clients available to export in the OpenVPN Client Export package. See attachment.

    2. Define the OpenVPN Server as an interface and configure access rules there. If you leave the rule created by the OpenVPN Server Wizard under Firewall / Rules / OpenVPN untouched, you open up the internal LAN to all traffic originating from your VPN provider. Not a good idea.

    3. Once you have created the interface, go to System / Routing / Gateways and disable monitoring on this gateway.

    4. If you want to use the pfSense DNS Resolver (so you specify the firewall interface as DNS under the OpenVPN server), you have to add the IP-range of your OpenVPN-clients to Services / DNS Resolver/ Access Lists.

    Hope this helps to give you a bit more sleep.  :) :)

    Kind regards.
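    The exit-by-source-IP routing the thread arrives at (bypass hosts forced out the WAN, everyone else into the VPN-client tunnels) together with the tightened OpenVPN server rule from point 2 above, written out as the kind of pf ruleset pfSense builds from those GUI settings; this is an added illustration, not the thread's or pfSense's own generated rules. Interface names, addresses, the remote-access tunnel subnet and the NAS ports are assumptions, and outbound NAT is left out.

```pf
# Constructed example: interfaces, addresses and ports are assumptions.
lan_if  = "vmx1"            # internal LAN, 192.168.1.0/24
wan_if  = "vmx0"            # DSL modem side
wan_gw  = "192.168.178.1"   # assumed modem address
vpn1_if = "ovpnc1"          # first VPN-provider client tunnel
vpn2_if = "ovpnc2"          # second VPN-provider client tunnel
vpn1_gw = "10.8.0.1"        # assumed remote endpoint of ovpnc1
vpn2_gw = "10.9.0.1"        # assumed remote endpoint of ovpnc2
srv_if  = "ovpns1"          # the pfSense OpenVPN *server* interface
nas     = "192.168.1.10"    # assumed static reservation for the NAS

# Devices (by static DHCP reservation) that skip the VPN, e.g. the baby
# camera and the devices that watch its feed: lower latency, no tunnel.
table <vpn_bypass> { 192.168.1.50, 192.168.1.51 }

set skip on lo0
block log all                 # default deny, as pfSense's implicit block

# LAN-to-LAN traffic must never be policy-routed into a tunnel.
pass in quick on $lan_if from $lan_if:network to $lan_if:network

# Bypass hosts: forced out the WAN regardless of the default route.
pass in quick on $lan_if from <vpn_bypass> to any \
    route-to ($wan_if $wan_gw) keep state

# Everyone else: pushed into the VPN-client tunnels. pf alternates between
# the two members; failover when one tunnel drops is what pfSense's gateway
# monitoring adds on top by regenerating this rule without the dead member.
pass in quick on $lan_if from $lan_if:network to any \
    route-to { ($vpn1_if $vpn1_gw), ($vpn2_if $vpn2_gw) } round-robin keep state

# Weak default left by the OpenVPN wizard: anything that arrives on the
# server tunnel may reach the entire LAN.
#   pass in quick on openvpn from any to any
#
# Hardened replacement: remote-access clients (assumed 10.10.10.0/24) may
# reach only the NAS shares; everything else from the tunnel hits the block.
pass in quick on $srv_if proto tcp from 10.10.10.0/24 to $nas \
    port { 445, 5000 } keep state
```

    On a running pfSense box the generated equivalent can be read in /tmp/rules.debug, which is the quickest way to confirm that a GUI rule really carries the expected route-to target.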

  • Thank you for your reply.  I have the VPN server and I have multiple VPN client tunnels.  Now I just let them sit for a bit and see if I find issues with any traffic routing.  Thank you

  • I did the same. All kind of interesting questions come up and resolve themselves by the passing of time. 🙂
