Netgate Discussion Forum

    OpenVPN client with list of pulled routes and multi-WAN

    Category: Routing and Multi WAN
    3 Posts, 2 Posters, 738 Views
    coldnight wrote:

      Hi,

      I use pfSense 2.4.2 with 3 interfaces (WAN1, WAN2, and LAN).

      pfSense's OpenVPN client gets a private IP from the server - and also a list of two hundred public IP addresses ("servers"), which should be routed through this VPN (the VPN server does NAT).

      Single WAN: everything works as expected; LAN can successfully access "servers" through VPN.

      Multi-WAN: access from LAN to "servers" doesn't work, traffic goes through WAN group. I understand that in multi-WAN mode, openvpn routing rules are ignored, and I need to add a "policy negation rule" (with default gw) above my multiwan rule. But I can't manually list 200 addresses in 'dst'.

      I read a lot of posts, but still don't see a solution.

      One possible solution would be auto-adding pulled openvpn routes to some 'virtual IP' (in Linux I'd say it's "ipset"), which will make writing fw rule trivial. Is it possible?

      Or, at least, is there a way to manually (REST API, CLI) configure 'virtual IP' addresses? I have access to the "servers" list, it rarely changes, so I can write some simple script to "sync" the current list with the 'virtual IP'.

      OpenVPN server is not under my control; I can ask for small config changes, but overall architecture cannot be changed.

      Thanks a lot for all ideas.

    viragomann wrote:

        You can just import the list as an alias in pfSense (Firewall > Aliases > IP) and use this one in the rule.

        If you don't want to update the list yourself when it changes, you can also use pfBlocker, which is capable of providing an alias to you based on a list and updating it automatically.

    coldnight wrote:

          I don't understand how I missed this 'import' button. Now it works. Thanks!

          And also thanks for the idea of updating the list with pfBlocker - I'm new to pfSense and didn't know about this package (and now I have an idea of creating a package which will auto-create/update aliases based on OpenVPN routes).

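As an added example (not code from the thread or from pfSense), here is a small Python script in the spirit of coldnight's closing idea: it reads the OpenVPN client's PUSH_REPLY log line, extracts the pushed routes, and emits one entry per line in the form the alias Import box accepts, so the negation rule above the multi-WAN rule can reference an alias that tracks what the server actually pushed. The log lines and addresses are constructed samples.

```python
import ipaddress
import re

# Constructed sample of OpenVPN client log lines (not a real capture).
# The PUSH_REPLY line follows OpenVPN's real log format; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 pfsense openvpn[12345]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 10 12:00:01 pfsense openvpn[12345]: PUSH: Received control message: 'PUSH_REPLY,route 203.0.113.10,route 203.0.113.20 255.255.255.255,route 198.51.100.0 255.255.255.0,route 203.0.113.10 255.255.255.255,route-gateway 10.8.0.1,topology subnet,ping 10,ifconfig 10.8.0.6 255.255.255.0'
Jan 10 12:00:02 pfsense openvpn[12345]: Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")

# Symbolic route targets OpenVPN accepts instead of an address; they cannot go into an alias.
SYMBOLIC = {"vpn_gateway", "net_gateway", "remote_host"}


def pulled_routes(log_text):
    """Return the IPv4 networks pushed via 'route' options, deduplicated, in push order."""
    nets = []
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if not m:
            continue
        for option in m.group(1).split(","):
            parts = option.split()
            # Skip ifconfig, ping, topology, route-gateway and anything else that is not a route.
            if len(parts) < 2 or parts[0] != "route" or parts[1] in SYMBOLIC:
                continue
            # A 'route' with no netmask is a host route (255.255.255.255) in OpenVPN.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            try:
                net = ipaddress.IPv4Network((parts[1], mask), strict=False)
            except ValueError:
                continue  # malformed or non-IPv4 entry; leave it out rather than guess
            if net not in nets:
                nets.append(net)
    return nets


def alias_entries(log_text):
    """Lines to paste into the alias Import box: host routes as bare IPs, others as CIDR."""
    return [
        str(n.network_address) if n.prefixlen == 32 else n.with_prefixlen
        for n in pulled_routes(log_text)
    ]


if __name__ == "__main__":
    print("\n".join(alias_entries(SAMPLE_LOG)))
```

Once the alias exists, a pass rule on LAN with that alias as destination and the default gateway (no gateway group) placed above the multi-WAN policy rule sends only the pushed destinations through the OpenVPN route.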