OpenVPN only for certain network?

sensewolf

Hi,
So I set up a client in pfSense to connect to a VPN via OpenVPN. And that, in itself, seems to work.
The guide I was following setting this up suggested to use outbound NAT to route my LAN through the VPN - not sure if that is the proper way to do it but that's what the guide suggested. And that, too, worked.
However, I don't want to route all traffic from my LAN through the VPN. So firstI removed the outbound NAT rules again but "suddenly" nothing seemed to work anymore.
Took me a while to figure out that the VPN was listed in the routing table as a route to 0.0.0.0 which, I am guessing, took precedence over my default gateway. Once I shutdown the OpenVPN service, everything was back to normal.
I want to route only traffic from a certain network, OPT, through the VPN. What is the best way to tell pfSense to only route the traffic from my OPT network through the VPN but let the rest go through the normal WAN interface?
Thanks

sensewolf

Okay, so something that does not work is: Creating a floating rule that will send everything that comes from any net other than OTP through the default gateway (leaving the OPT traffic to go through the 0.0.0.0 route).

viragomann

@sensewolf
If you want to pass traffic only from certain interfaces over the vpn, you should prohibit adding routes by OpenVPN. To do so, check "Don't pull routes" in the client settings.

Then add a policy routing rule to the desired interface.
But consider that a policy routing rule directs the whole matching traffic to the stated gateway. So with such rule you are not able to access neither other internal subnets nor pfSense itself (possibly for DNS resolution). That might be the reason for your trouble with the floating rule, you've added.

So if you need as well connections from this interface to other internal network segments or pfSense, you have to add an additional rule for that with default gateway option, matching only the needed internal network destinations and put this rule to the top of the rule set.

sensewolf

@viragomann
Thanks! That sounds good.

But: I just tried and checking "Don't pull routes" (in the OpenVPN settings) doesn't seem to make a difference: Once I start the VPN service, the 0.0.0.0 route shows up again in the routing table.

Do I need to do anything else to make this work?

viragomann

@sensewolf
No, when "don't pull is checked" in the OpenVPN client settings, OpenVPN should not add routes. If it does anyway, there might be something wrong.

sensewolf

@viragomann

Thanks for confirming.

But whether "Don't pull routes" is checked or not, once I start the service, a 0.0.0.0 route is added to my routing table.

So what could be wrong for this to happen?

I had hoped that maybe rebooting would help. But it doesn't.

I am on pfSense 2.5 - could this be the problem? I see other posts about issues with OpenVPN under 2.5 (not this particular issue, but issues with OpenVPN). Can anyone confirm whether "Don't pull routes" actually works on 2.5?

fearnight

Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.

I did follow these steps for the setup, so yours could be different.
https://everythingsmarthome.co.uk/howto/setup-a-pia-vpn-with-pfsense-2-4-5/

I'm on pfSense 2.5.0 as well.

My setup is to have a single OPT port / interface tunneled through the VPN, then I wanted all the other interfaces non-VPN. I had the same problem before where once OpenVPN started up, all the interfaces EXCEPT the VPN interface would have Internet access terminated. Stopping the VPN client would magically restore access instantly to all interfaces. Works now so thanks for the advice.

viragomann

@sensewolf
I'm not experienced in 2.5, but never read about such routing issues.
However, some people got it work on 2.5 they torn it down and rebuild again.

So what could be wrong for this to happen?

Can you provide more details? OpenVPN client config, OpenVPN log of connection establishing, routing table.

sensewolf

@sensewolf

@viragomann said in OpenVPN only for certain network?:

@sensewolf
If you want to pass traffic only from certain interfaces over the vpn, you should prohibit adding routes by OpenVPN. To do so, check "Don't pull routes" in the client settings.

Then add a policy routing rule to the desired interface.
But consider that a policy routing rule directs the whole matching traffic to the stated gateway. So with such rule you are not able to access neither other internal subnets nor pfSense itself (possibly for DNS resolution). That might be the reason for your trouble with the floating rule, you've added.

So if you need as well connections from this interface to other internal network segments or pfSense, you have to add an additional rule for that with default gateway option, matching only the needed internal network destinations and put this rule to the top of the rule set.

Getting closer:
I found the culprit. The VPN config of my VPN provider contained "redirect-gateway" which, I understand, does exactly what I described above.
Once I removed this line from the config, the 0.0.0.0 stopped appearing in my routing table. So that's that.

Now I am working on the rest of your advice: I have added a firewall rule for the interface the traffic from which I want to go through the VPN but for some reason, that doesn't work yet. Keeping trying...

sensewolf

@fearnight said in OpenVPN only for certain network?:

Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.

Sorry, did you mean to say you checked the box "Don't pull routes" or did you actually uncheck it (which I would find even more counter intuitive than everything else that is happening on my pfSense in this context)?

viragomann

@sensewolf
You didn't mention that you used a pre-built config from the provider before.
Yes, "redirect-gateway" does exactly the same, but it's the actively setting to add the default route on the client. So the "Don't pull" is toothless.

sensewolf

@viragomann said in OpenVPN only for certain network?:

@sensewolf
You didn't mention that you used a pre-built config from the provider before.

Yes, that's right. Because I have no clue how this stuff works or what I am doing

Yes, "redirect-gateway" does exactly the same, but it's the actively setting to add the default route on the client. So the "Don't pull" is toothless.

fearnight

@sensewolf said in OpenVPN only for certain network?:

@fearnight said in OpenVPN only for certain network?:

Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.

Sorry, did you mean to say you checked the box "Don't pull routes" or did you actually uncheck it (which I would find even more counter intuitive than everything else that is happening on my pfSense in this context)?

Right, I typed this wrong. Sorry. I went in and "checked" the box in the OpenVPN client config. It was unchecked by default.