    Restrict PIA openvpn access to only ONE IP on my network…
      DrHorrible

      …and have that IP address NOT have access to the internet in the event that the PIA link goes down.

      I have been searching a way to:

      • have pfsense connect to PIA, but only certain IP addresses on my LAN to route through PIA - the rest go through my regular connection.

      • when the connection to PIA goes down, the IP addresses that connect through PIA cannot access the internet.

      I searched high and low for a solution … finding and reading numerous tutorials along the way. Such as this one:
      https://forum.pfsense.org/index.php?topic=118196.0
      and this one: https://forum.pfsense.org/index.php?topic=72902.0
      both of which were valuable but neither of which was able to get my setup to work the way I want. Here is a summary of what finally worked for my setup:

      1. Follow this guide from the PIA website: https://www.privateinternetaccess.com/pages/client-support/pfsense
         This one may be helpful also: https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2
         Check to ensure that you have a connection to PIA.

      2. Under VPN -> OpenVPN -> Clients -> "edit the client for PIA"

      3. Under "Tunnel Settings", make a check in the box next to "Don't pull routes". At this point you should not be able to connect to anything.

      4. Go to Firewall -> Rules -> LAN and add a rule that has the following criteria:
            a. Action: Pass
            b. Interface: LAN
            c. Protocol: Any
            d. Source: single host or alias. Select the host or alias you want to route through PIA
            e. Destination: any
            f. Gateway: PIA_OPENVPN or whatever the name of your PIA gateway is
         Save.

      At this point, you should be able to connect to the internet from the machine(s) not listed under 4d (NOT through PIA) and the machines listed under 4d (through PIA).
      The next step will block the machines listed under 4d from connecting to the internet if the connection to PIA goes down:

      5. Create another rule that has the following criteria:
            a. Action: Block
            b. Interface: LAN
            c. Protocol: Any
            d. Source: single host or alias. Select the host or alias you want to route through PIA
            e. Destination: Any
         Save.

      IMPORTANT: place the rule created in step 5 BELOW the one from step 4.
      Verify that the setup works as expected by disconnecting from PIA and attempting to reach the internet from the IP address(es) listed under 4d.

      If this helps anyone out, great! If anyone sees any errors please suggest correction! Thanks to muppet in the IRC channel for helping with this.

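The post's two-rule setup relies on first-match evaluation of the LAN ruleset: the Pass rule with the PIA gateway must be matched first, and the Block rule beneath it only takes effect when the Pass rule is out of the picture. The model below is an added example, not code from the post or from pfSense; it simulates that evaluation for constructed addresses (`192.168.1.50` as the PIA-routed host, `PIA_OPENVPN` as the gateway name from step 4f) and checks what happens when the PIA gateway is down. One caveat worth seeing in the model: pfSense by default loads a rule whose gateway is down *without* the gateway (so traffic from the PIA host would still pass, now via the default WAN); the option System > Advanced > Miscellaneous > "Skip rules when gateway is down" makes pfSense omit the whole rule instead, which is what lets the step 5 Block rule fail closed. The `skip_when_gw_down` flag models that option.

```python
"""Simplified model of pfSense's first-match LAN rule evaluation for the
policy-routing setup in the post (Pass-with-gateway above Block).
Added example, not pfSense code; hosts and names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    source: str                    # host or network in CIDR form
    gateway: Optional[str] = None  # policy-routing gateway; None = default route


def evaluate(rules: List[Rule], src_ip: str, gateways_up: dict,
             skip_when_gw_down: bool) -> Tuple[str, Optional[str]]:
    """Return (action, gateway) for the first rule matching src_ip.

    gateways_up maps gateway name -> True/False.
    skip_when_gw_down models "Skip rules when gateway is down":
      False (pfSense default): a rule whose gateway is down is kept but
             loaded without its gateway, so it passes via the default route.
      True:  the rule is omitted entirely and the next rule decides.
    """
    ip = ip_address(src_ip)
    for rule in rules:
        if ip not in ip_network(rule.source, strict=False):
            continue
        gw = rule.gateway
        if gw is not None and not gateways_up.get(gw, False):
            if skip_when_gw_down:
                continue          # whole rule skipped -> fall through
            gw = None             # gateway dropped -> default route
        return (rule.action, gw)
    return ("block", None)        # implicit default deny on the interface


PIA_HOST = "192.168.1.50"  # constructed: the host from step 4d
LAN_NET = "192.168.1.0/24"  # constructed: the rest of the LAN

# Ruleset in the order the post prescribes (step 5 below step 4), followed
# by the usual "allow LAN to any" rule for everything else.
RULESET = [
    Rule("pass", PIA_HOST + "/32", gateway="PIA_OPENVPN"),   # step 4
    Rule("block", PIA_HOST + "/32"),                         # step 5
    Rule("pass", LAN_NET),                                   # default LAN allow
]

# Same rules with step 5 accidentally placed above step 4.
MISORDERED = [RULESET[1], RULESET[0], RULESET[2]]


def route_for(src_ip: str, pia_up: bool,
              skip_when_gw_down: bool = True,
              rules: List[Rule] = RULESET) -> Tuple[str, Optional[str]]:
    """Convenience wrapper: where does traffic from src_ip go?"""
    return evaluate(rules, src_ip, {"PIA_OPENVPN": pia_up}, skip_when_gw_down)


if __name__ == "__main__":
    for label, up, skip in [("PIA up", True, True),
                            ("PIA down, skip option on", False, True),
                            ("PIA down, skip option off", False, False)]:
        print(f"{label:28s} PIA host -> {route_for(PIA_HOST, up, skip)}"
              f"   other host -> {route_for('192.168.1.20', up, skip)}")
    print("misordered, PIA up         PIA host ->",
          route_for(PIA_HOST, True, rules=MISORDERED))
```

Running the block prints the verdict for the PIA host and for an ordinary LAN host under each condition. The case to watch is "PIA down, skip option off": the PIA host is still passed, just with no gateway, so the step 5 Block rule never gets a chance to fire and the host leaks out the regular WAN. The misordered case shows the other failure the post warns about: with the Block above the Pass, the PIA host is blocked even while the tunnel is up.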