How to only send specific route through OpenVPN client connection

soupdiver

I have a weird problem with my ISP which results in a broken routing and I only get around 100kb/s from github. It's not clear when/if this will be resolved.
To work around this problem I tried to setup that only traffic to that specific route should travel through my VPN.

VPN provider is NordVPN and I used their howto to setup my client: https://support.nordvpn.com/Connectivity/Router/1089079142/pfSense-2-4-4-setup-with-NordVPN.htm

I did not apply all the settings because I don't want to send everything through the VPN but made some "best guesses" about what I need and what not. The VPN connection seems to work (I get an IP and traffic flows) but my configuration seems not 100% correct.

My naive approach was to create a static route for the desired network (140.82.112.0/20) and assign it to the NordVPN gateway.
This seemed to kind of work. My github downloads were ok again but Amazon Prime started to say we're using a VPN. So somehow more than just the wanted traffic went through the VPN but for sure not everything. Also my IP address was detected not as my home IP but as the VPN IP I guess.

So my question: How do I configure my routes/NAT/FW rules that only traffic for specific networks is sent through the VPN connection but not all the other traffic?

bingo600

Policy routing

That way you can control (match) the source ip (local ip) , and set it to forward "only the matches" via the OpenVPN Gateway.

I gave some hints here
https://forum.netgate.com/post/954969

Edit:
There might be something with an option "Don't pull routes" , that can come in handy. Haven't tried it

https://forum.netgate.com/topic/148615/openvpn-client-port-forward-guidance

soupdiver

@bingo600 ok, I could get the FW rules working. I think my ordering was wrong.

However this brought up another interesting issue.
I added a FW on the LAN interface with my computers ip as the source , destination 52.0.0.0/8 and gateway my nordvpn gateway.
On my machine I could verify via traceroute that this seems to work. On another machine it's still the original state.

But: After adding this rule netflix.com won't load anymore on any computer in the network via IPv6. Seems Netflix prefers IPv6.
Using curl shows that the request hangs in 7/10 times. Forcing curl to use IPv4 makes it work. I would expect that the other clients would also fallback to v4 but they hang. After removing my previously added rule Netflix loads fine via v6 again.

I have no idea how this should be related. Maybe something on a different layer

bingo600

@soupdiver

Netflix is a totally different beast , that does a lot to detect if you are "cheating"
There are other posts on this forum that explains about that.

soupdiver

@bingo600 said in How to only send specific route through OpenVPN client connection:

@soupdiver

Netflix is a totally different beast , that does a lot to detect if you are "cheating"
There are other posts on this forum that explains about that.

Yea but what I don't understand is why it's affected at all. I add a filter rule for my machine on ipv4 and something on ipv6 breaks everywhere else.

What I can think of is that they probe not only my v6 but also v4 addresses and maybe shutdown everything if it looks suspicious. Who knows. Guess I have to finder another exit