    OpenVPN Split tunnelling **screenshots**

    • johnpoz (LAYER 8 Global Moderator)

      You DON'T need to do that!!! But if you run the VPN software on your machine directly it will automatically be another interface that you can bind your p2p client to.

      As to setting up a VLAN along with your normal connection: you would need a NIC that supports multiple VLANs on it.. Windows doesn't make that easy like Linux does.. Off the top of my head I don't think in, say, normal Windows 10 with direct support from the NIC driver you can actually just create a VLAN sub-interface...

      But again you do not need to, just add a secondary IP to your interface...

      Here..

      Ethernet adapter Local:
      
         Connection-specific DNS Suffix  . :
         Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
         Physical Address. . . . . . . . . : 00-13-3B-2F-67-62
         DHCP Enabled. . . . . . . . . . . : No
         Autoconfiguration Enabled . . . . : Yes
         IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 192.168.9.253
         DNS Servers . . . . . . . . . . . : 192.168.3.10
         NetBIOS over Tcpip. . . . . . . . : Enabled
      

      Now I added a secondary IP..

      [screenshot: secIP.jpg]

      Ethernet adapter Local:
      
         Connection-specific DNS Suffix  . :
         Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
         Physical Address. . . . . . . . . : 00-13-3B-2F-67-62
         DHCP Enabled. . . . . . . . . . . : No
         Autoconfiguration Enabled . . . . : Yes
         IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         IPv4 Address. . . . . . . . . . . : 192.168.9.33(Tentative)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 192.168.9.253
         DNS Servers . . . . . . . . . . . : 192.168.3.10
         NetBIOS over Tcpip. . . . . . . . : Enabled
      

      Here is pfsense pinging that IP..

      [screenshot: ping.jpg]

      Now just bind your p2p app to that 2nd IP, and policy route it - clickity clickity!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

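      As an added example (not from the thread or from Netgate), the PowerShell equivalent of the secondary-IP screenshot above, plus the check a practitioner wants afterwards: that ordinary traffic still leaves from the primary address and only the explicitly bound p2p client uses the new one. It assumes the adapter alias is "Local" and reuses the addresses from the ipconfig output; run it in an elevated session.

```powershell
# Added example: add a secondary IPv4 address to the adapter from the ipconfig
# output and keep it out of default source-address selection.
# Assumed values: alias "Local", secondary address 192.168.9.33/24 (from the
# post), and 1.1.1.1 as an arbitrary off-link probe used only to query routing.
$Alias       = 'Local'
$SecondaryIp = '192.168.9.33'
$Probe       = '1.1.1.1'

# SkipAsSource stops Windows from choosing the new address as the source for
# ordinary outbound connections; a program that binds to it explicitly can
# still send from it. Without this, unrelated traffic may match the pfSense
# policy route and leave via the VPN (or the VPN may be bypassed).
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $SecondaryIp `
    -PrefixLength 24 -SkipAsSource $true | Out-Null

# Check 1: both addresses present, secondary flagged SkipAsSource.
# AddressState reads Tentative until duplicate address detection finishes,
# which is the "(Tentative)" state shown in the ipconfig output above.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, SkipAsSource, AddressState |
    Format-Table -AutoSize

# Check 2: which source address Windows would pick for an off-link destination.
# Find-NetRoute returns the selected source address object and the route; the
# address should still be the primary one (192.168.9.100 in the post).
$selection = Find-NetRoute -RemoteIPAddress $Probe
($selection | Where-Object { $_.IPAddress }).IPAddress
```

      On the pfSense side this pairs with a LAN rule whose source is 192.168.9.33/32 and whose Advanced Options gateway is the OpenVPN client gateway; the block only covers the Windows host.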
      • lifespeed

        Thanks, that was helpful!

        • lifespeed

          Is there an IPv6 version of the above? I know where to find the network configuration in Windows, but wanting to do things correctly, there may be more to it than just typing in an IPv6 address and changing the last 4 digits. The IPv6 address the Windows box gets now comes from prefix delegation from Comcast. Can I set up pfSense to hand out a second address to this machine? I'm getting "temporary" IPv6 addresses, but I doubt I want to use those as I believe they can change over time.

          Thanks again for the help.

          • johnpoz

            Your vpn supports IPv6? Unlikely..


            • lifespeed @johnpoz

              @johnpoz said in OpenVPN Split tunnelling **screenshots**:

              Your vpn supports IPv6? Unlikely..

              Well, that wasn't an answer to the question at hand. I can choose a provider, some do support it, and as I've been working with pfsense I have found reasons to support IPv6.

              • johnpoz

                How exactly are you going to route traffic out your VPN that supports IPv6 from a client behind pfSense? On a different IPv6 address. You would have to NAT the IPv6 for that to work. The setup makes no sense..

                If you want to do it with IPv6, then you would run the VPN client on the client - you wouldn't be policy routing traffic out a VPN connected to pfSense.


                • lifespeed @johnpoz

                  @johnpoz said in OpenVPN Split tunnelling **screenshots**:

                  How exactly are you going to route traffic out your VPN that supports IPv6 from a client behind pfSense? On a different IPv6 address. You would have to NAT the IPv6 for that to work. The setup makes no sense..

                  By binding the application requiring VPN to the 2nd network connection associated with an additional IPv6 address on the PC. pfSense would route traffic from that address to the VPN. Couldn't this be a firewall rule, not NAT? Agreed NAT and IPv6 don't make sense.

                  If you want to do it with IPv6, then you would run the VPN client on the client - you wouldn't be policy routing traffic out a VPN connected to pfSense.

                  I don't want to run the VPN client on the server PC, I'm already doing that and it has several drawbacks, the main one being that the VPN becomes the network connection for everything and screws with WAN server access.

                  • johnpoz

                    For IPv6 vpn to work on pfsense, you would have to NAT to it... The vpn connection is not going to route your local IPv6 space..


                    • lifespeed @johnpoz

                      @johnpoz said in OpenVPN Split tunnelling **screenshots**:

                      For IPv6 vpn to work on pfsense, you would have to NAT to it... The vpn connection is not going to route your local IPv6 space..

                      If you're referring to a link-local address, of course not. You're saying it won't route a SLAAC IPv6 that is globally routable?

                      • johnpoz

                        @lifespeed said in OpenVPN Split tunnelling **screenshots**:

                        You're saying it won't route a SLAAC IPv6 that is globally routable?

                        NO it won't - why would you think that would work?? VPN services work by handing you an IP they route, and then NATting it to some public IP... You cannot just use, as source, IP space they don't route.. Now if they would hand your clients IPv6 space they are routing, then you could do it.

                        Kind of how HE IPv6 works, it's a tunnel - it's just not encrypted, it's just a GRE tunnel... If you find a VPN service that does that, then sure you could do it.


                        • lifespeed @johnpoz

                          @johnpoz said in OpenVPN Split tunnelling **screenshots**:

                          Kind of how HE IPv6 works, it's a tunnel - it's just not encrypted, it's just a GRE tunnel... If you find a VPN service that does that, then sure you could do it.

                          Thanks again for the description, I'll look into what is actually offered by these IPv6 VPN services. As you mention, a key question is do they hand you a single /128 address or a /64 or /60? For IPv6, a single /128 is not normal nor really keeping with the whole point of IPv6.

                          You're also making me wonder if HE tunnel could be a replacement for some aspects of a VPN - the anonymizing aspect, not encryption obviously.

                          • johnpoz

                            The prefix they hand the VPN client doesn't matter... and /128 is perfectly valid for a point-to-point connection like a VPN client to the VPN server... Works just fine when you run the VPN on the client.

                            When you're doing it on the edge router, you have a problem for the other clients - you have to NAT it to the IP given to the actual VPN client.. They are not routing a /64 prefix for you to use on all your clients - so if you want to use it you would have to NAT to the IP they give the VPN client... Like what happens with IPv4.

                            NATting to IPv6 does work btw... if you're interested in actually doing this.. But to be honest it's just easier to spend your time/effort and money on just a box somewhere.. It's a much better solution across the board.


                            • ekoo @johnpoz

                              @johnpoz
                              Hi John,

                              I have 1 GbE up/down fibre and it's the only source of "information" to the house and my rental tenants (eg: home phone, internet, even streaming the local radio).
                              The said "Linux ISOs" are my main entertainment through a said "P-server"... which is hosted on the NAS and serves about 25 accounts of "families and friends".
                              Luckily, most of my p2p'ing is from a private tracker site. It's the odd occasional public site I download from.
                              I'm in Canada, where P2P is decently friendly, depends on the tracker.
                              ExpressVPN's pricing isn't bad at all, considering I need something reliable to climb the GFW whenever I travel to China.

                              I was hoping in some way I could narrow down just Transmission through the VPN and not the said "P-server" on the same NAS.
                              From your explanation, it sounds like it can only be done with IP.

                              • DaMaGe21 @ekoo

                                @ekoo I am doing what you're asking in your OP. But my setup is different. I have multiple NICs in my server and I can bind P2P to use one of those NICs. My router is pfSense with 8 ports to do whatever I want with.

                                So I set up pfSense to use Opt3 (port3) to route all traffic through ExpressVPN, then on my server, I bind my P2P client to use NIC3 only.

                                I then set each NIC's index priority so that traffic is routed through NIC1 first and so on. Only my P2P is traveling through the VPN.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.