Netgate Discussion Forum
How to only send specific route through OpenVPN client connection

Category: Routing and Multi WAN
5 Posts, 2 Posters, 732 Views

soupdiver, Jan 10, 2021, 11:05 AM

I have a weird problem with my ISP which results in broken routing, and I only get around 100kb/s from GitHub. It's not clear when/if this will be resolved.
To work around this problem I tried to set things up so that only traffic to that specific route travels through my VPN.

VPN provider is NordVPN and I used their how-to to set up my client: https://support.nordvpn.com/Connectivity/Router/1089079142/pfSense-2-4-4-setup-with-NordVPN.htm

I did not apply all the settings because I don't want to send everything through the VPN, but made some "best guesses" about what I need and what not. The VPN connection seems to work (I get an IP and traffic flows) but my configuration does not seem 100% correct.

My naive approach was to create a static route for the desired network (140.82.112.0/20) and assign it to the NordVPN gateway.
This seemed to kind of work. My GitHub downloads were OK again, but Amazon Prime started saying we're using a VPN. So somehow more than just the wanted traffic went through the VPN, but for sure not everything. Also my IP address was detected not as my home IP but as the VPN IP, I guess.

So my question: how do I configure my routes/NAT/FW rules so that only traffic for specific networks is sent through the VPN connection, and not all the other traffic?

bingo600, Jan 10, 2021, 11:36 AM (edited Jan 10, 2021, 11:46 AM)

Policy routing

That way you can control (match) the source IP (local IP), and set it to forward "only the matches" via the OpenVPN gateway.

I gave some hints here:
https://forum.netgate.com/post/954969

Edit:
There might be something with an option "Don't pull routes" that can come in handy. Haven't tried it.

https://forum.netgate.com/topic/148615/openvpn-client-port-forward-guidance

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

soupdiver @bingo600, Jan 10, 2021, 4:06 PM

@bingo600 OK, I could get the FW rules working. I think my ordering was wrong.

However, this brought up another interesting issue.
I added a FW rule on the LAN interface with my computer's IP as the source, destination 52.0.0.0/8 and gateway my NordVPN gateway.
On my machine I could verify via traceroute that this seems to work. On another machine it's still the original state.

But: after adding this rule netflix.com won't load anymore on any computer in the network via IPv6. Seems Netflix prefers IPv6.
Using curl shows that the request hangs 7 out of 10 times. Forcing curl to use IPv4 makes it work. I would expect that the other clients would also fall back to v4, but they hang. After removing my previously added rule Netflix loads fine via v6 again.

I have no idea how this should be related. Maybe something on a different layer.

bingo600 @soupdiver, Jan 10, 2021, 4:25 PM

@soupdiver

Netflix is a totally different beast that does a lot to detect if you are "cheating".
There are other posts on this forum that explain that.


soupdiver @bingo600, Jan 10, 2021, 4:48 PM

@bingo600 said in How to only send specific route through OpenVPN client connection:

    @soupdiver

    Netflix is a totally different beast that does a lot to detect if you are "cheating".
    There are other posts on this forum that explain that.

Yeah, but what I don't understand is why it's affected at all. I add a filter rule for my machine on IPv4 and something on IPv6 breaks everywhere else.

What I can think of is that they probe not only my v6 but also my v4 addresses and maybe shut down everything if it looks suspicious. Who knows. Guess I have to find another exit 😁

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.