Which method of routing traffic over OpenVPN is correct?



  • From what I've found, there are two different methods of routing all internet traffic via an OpenVPN connection. Which is the correct method? Where is the NAT being applied in option 2? Why choose option 1 over option 2 or vice versa?

    Option 1 as seen here:

    1. Create OpenVPN connection
    2. Modify outbound NAT rules to NAT traffic out the OpenVPN interface

    Option 2 as seen here: Where is NAT applied?

    1. Create OpenVPN connection
    2. Create a new interface assinged to the OpenVPN connection created in step 1
    3. Create a gateway using the interface created in step 2
    4. Create an advanced firewall rule that routes traffic to the gateway created in step 3.

    Thanks



  • I'm not entirely sure that option 2 will work without outbound NAT rules.  But the major distinction here is whether you want absolutely all of your traffic to go through your VPN client or only some of it.  I prefer the "only some of it" approach (policy routing) because it allows greater flexibility and it's pretty easy to use it to force all traffic through the VPN too if that's what you want.  But I don't see either of these guides address the "Don't pull routes" option in the VPN client configuration, which is rather important.  If you want all your traffic to go through your VPN whenever it's connected, you can leave "Don't pull routes" un-checked; but if you want to use policy routing (i.e. create firewall rules to pass certain traffic through your VPN) you want the "Don't pull routes" option checked.

    For outbound NAT, I think that regardless of which approach you take, you need outbound NAT rules for however many VPN client interfaces you have.  But you don't want to just edit (effectively removing) the existing outbound rules for your WAN interface unless you want to prohibit any traffic from egressing the WAN interface when your VPN client is not connected.  What I would advise is adding new outbound rules patterned on the existing WAN rules, but changing the interface to your VPN client interface and the NAT address to the VPN client interface address.  In other words, follow steps 15 and 16 from the Option 1 guide, but instead of clicking the "Edit mapping" option, click the "Add a new mapping based on this one" option.

    You still can easily prohibit traffic that is policy routed through your VPN from egressing the WAN interface when your VPN client is not connected using packet tagging:  https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN



  • @TheNarc:

    The major distinction here is whether you want absolutely all of your traffic to go through your VPN client or only some of it

    Thanks for that information. However, with minor modifications to either option I can selectively route traffic via OpenVPN. I still don't understand what the difference is between creating an interface and modifying the outbound NAT rules vs using policy based routing without creating a new interface.



  • I don't think that you can use policy routing without creating a new interface, because policy routing means using firewall rules to assign traffic to a given gateway, and I don't think that you can create a gateway for your VPN client before you create an interface for it.  The guide for Option 1 doesn't seem to cover creating an interface, but then it refers to a VPN interface when it covers outbound NAT.  Neither of those guides seems especially great to me in terms of being comprehensive.  I can say that in my setup, I have a VPN client connection, created an interface for it, created a gateway for it, and then use policy routing to selectively route traffic through that gateway using firewall rules.  I also added outbound NAT rules for the VPN client's interface.  I'm glad to provide more details of my configuration if they may be useful, but I didn't want to just dump screenshots of everything that may be relevant :)  I guess my main points are that whether you do policy routing or not, I think you always need to create an interface and add outbound NAT rules.  NordVPN's guide is decent I think, although it also appears to gloss over creating a gateway after creating the interface:  https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/



  • @TheNarc:

    I don't think that you can use policy routing without creating a new interface, because policy routing means using firewall rules to assign traffic to a given gateway, and I don't think that you can create a gateway for your VPN client before you create an interface for it.

    I don't think it's possible either. However, with option 1, I think it would be possible to route specific traffic via the outbound NAT rules. Creating an OpenVPN client and associating it with an interface makes sense to me. That way you can add firewall rules etc as if it were a "real interface".

    What's confusing me are these tutorials that show it can be done without associating it with an interface. There's several more out there that describe doing it this way. That makes no sense to me. Further adding to my confusion is the "Gateway creation" option in the OpenVPN client configuration page. The description for the option is "Gateway creation If you assign a virtual interface to this OpenVPN client, this setting controls which gateway types will be created. The default setting is 'both'." Note where it states "If you assign a virtual interface to this OpenVPN client" meaning, there are situations where one might not want to create a virtual interface for an OpenVPN client. In what scenario would anyone NOT want to create a virtual interface for an OpenVPN client?

    FWIW Here's another tutorial explaining setup using option 1 (not creating interface for openvpn): https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2



  • Yeah I can't think of a case in which you would not want to create an interface.  Even in the tutorials that don't specify creating an interface, they refer to the outbound NAT rules, which require you to select an interface.  Is there something specific holding up your configuration, or do you just want to understand this better?  I may be able to help with the former, but I don't have an answer for why you would not want to create an interface for your VPN client configuration.



  • @TheNarc:

    Is there something specific holding up your configuration, or do you just want to understand this better?

    I want to understand it better.



  • Understood, I wouldn't mind understanding it better myself :)  But unfortunately I don't know why (or even if it is possible) to configure and use a VPN client connection without subsequently assigning an interface to it.  Hopefully someone more knowledgeable will drop by . . .