Routing certain ips through openvpn



  • Hi

    When setting my pfsense box up originally I followed the pfsense guide so all traffic is going out through PIA

    I have three interfaces setup at the moment

    LAN
    WAN
    and PIAVPN

    I have tried removing the PIA outbound nats but then I cannot connect externally

    how do I set it up so I can get everything out, but pass only certain ips through openvpn(PIA)

    I have followed a few guides online but they dont seem to work for me

    any help would be much appreciated

    Thanks very much in advance!



  • I don't know, if I understand exactly what you want to achieve, but maybe have a look at

    VPN -> OpenVPN -> Servers -> Edit -> Tunnel Settings -> IPv4 Local network(s)

    IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.

    If you put a comma separated List of certain host adresses or subnets there, the VPN clients will get routes pushed to them.

    For example:
    192.168.1.0/24, 192.168.2.22/32

    This wil result in one route to the 192.168.1.0 255.255.255.0 Network and one route to the 192.168.2.22 host.

    Of course you have to adjust the firewall rules to allow the clients using these routes.

    [EDIT]
    Sorry. I guess you want it the other way around.

    So maybe have a look at:

    System -> Routing -> Static Routes

    There you can assign certain subnets and ips to be routet trough gateways other than the default gateway.



  • Thanks! Everything seems to be going out via openvpn until I turn off openvpn

    If I removed the openvpn Nat rules the connection stops altogether

    I want everything to go straight out to the Internet apart from the devices I want to go through openvpn

    Thanks again



  • That is to be done by policy routing.
    The PIA outbound NAT rule is needed, otherwise your devices want get any response from PIA.

    You have to avoid to get pushed the default route by PIA server: Go to the client settings and check "Don't pull routes".
    Add your devices which should be routed out to PIA to an alias.
    Add a firewall pass rule to the LAN interface with source = the alias you've added first, dest = any, go down and open the advanced options, at gateway select the PIA gateway.
    Put that rule to the top of the rule set.

    Consider that this firewall rule directs any traffic from concerned devices to PIA and permits access to the firewall itself. So if the devices should also have access to pfSense, e.g. for DNS, you have to add additional rules for that to the top of the rule set with leaving the gateway blank.



  • @viragomann:

    That is to be done by policy routing.
    The PIA outbound NAT rule is needed, otherwise your devices want get any response from PIA.

    You have to avoid to get pushed the default route by PIA server: Go to the client settings and check "Don't pull routes".
    Add your devices which should be routed out to PIA to an alias.
    Add a firewall pass rule to the LAN interface with source = the alias you've added first, dest = any, go down and open the advanced options, at gateway select the PIA gateway.
    Put that rule to the top of the rule set.

    Consider that this firewall rule directs any traffic from concerned devices to PIA and permits access to the firewall itself. So if the devices should also have access to pfSense, e.g. for DNS, you have to add additional rules for that to the top of the rule set with leaving the gateway blank.

    Thank you very much, that seems to work now, but the device is leaking my ISP, what do i need to do to stop this?

    I currently have the settings as shown in the pic, but not sure if it is correct

    Thanks again!




  • Yes, if the devices use the pfSense DNS and pfSense requests your ISPs DNS you will have a DNS leak.

    To avoid that, either configure the VPN devices to access a public DNS, which is routed over the VPN, or configure the pfSense DNS to route requests over the VPN.
    On pfSense if you use DNS Resolver you can select interfaces for outgoing requests at "Outgoing Network Interfaces". If you only select your PIA VPN interface here, requests are only sent out over the VPN.

    BTW: DNS prefers UDP over TCP, but may use bouth. So you should change the rule to TCP/UDP.



  • Thanks again!

    Yes i use dns resolver,

    how would I change it so only the VPNDevices would get a different dns result? to devices that go straight out?

    does my rule look okay apart from needing to be TCP/UDP?

    Thanks!!



  • If your pfSense provide DNS service it has to do request to public DNS servers on its part. You are able to select the interface for outgoing requests, but there is no possibility to use this interface only for certain internal devices.

    So an option is to configure the "VPN devices" to use a public DNS and go over the VPN. So you can delete the DNS rule.



  • thanks again, how would I change the "VPN Devices" to use a public dns?

    I'll delete that dns rule I created to



  • In the devices network settings.

    If the devices pull the settings from pfSense DHCP server you can set "DHCP Static Mappings" for each of them with specified DNS servers.



  • thanks!

    one of the devices I want to add has a static ip set to it, but it doesn't show in the dhcp table, the other device also has a static ip address and this shows in the dhcp table

    does it only work if dhcp is automatic and not manually set?

    any ideas?



  • think i have worked it out, I set them to assigned instead of static added the static leases in pfsense, and they seem to be applying okay,

    I have two dns servers set to the static leases, but when i run a leak test four are showing? why does this happen?

    Thanks again!


Log in to reply