    OpenVPN only for certain network?

    13 Posts 3 Posters 1.6k Views
      sensewolf

      Hi,
      So I set up a client in pfSense to connect to a VPN via OpenVPN. And that, in itself, seems to work.
      The guide I was following setting this up suggested to use outbound NAT to route my LAN through the VPN - not sure if that is the proper way to do it but that's what the guide suggested. And that, too, worked.
      However, I don't want to route all traffic from my LAN through the VPN. So first I removed the outbound NAT rules again but "suddenly" nothing seemed to work anymore.
      Took me a while to figure out that the VPN was listed in the routing table as a route to 0.0.0.0 which, I am guessing, took precedence over my default gateway. Once I shut down the OpenVPN service, everything was back to normal.
      I want to route only traffic from a certain network, OPT, through the VPN. What is the best way to tell pfSense to only route the traffic from my OPT network through the VPN but let the rest go through the normal WAN interface?
      Thanks

        sensewolf @sensewolf

        Okay, so something that does not work is: Creating a floating rule that will send everything that comes from any net other than OPT through the default gateway (leaving the OPT traffic to go through the 0.0.0.0 route).

          viragomann @sensewolf

          @sensewolf
          If you want to pass traffic only from certain interfaces over the vpn, you should prohibit adding routes by OpenVPN. To do so, check "Don't pull routes" in the client settings.

          Then add a policy routing rule to the desired interface.
          But consider that a policy routing rule directs the whole matching traffic to the stated gateway. So with such a rule you are able to access neither other internal subnets nor pfSense itself (possibly for DNS resolution). That might be the reason for your trouble with the floating rule you've added.

          So if you also need connections from this interface to other internal network segments or pfSense, you have to add an additional rule for that with the default gateway option, matching only the needed internal network destinations, and put this rule at the top of the rule set.

            sensewolf @viragomann

            @viragomann
            Thanks! That sounds good.

            But: I just tried and checking "Don't pull routes" (in the OpenVPN settings) doesn't seem to make a difference: Once I start the VPN service, the 0.0.0.0 route shows up again in the routing table.

            Do I need to do anything else to make this work?

              viragomann @sensewolf

              @sensewolf
              No, when "Don't pull routes" is checked in the OpenVPN client settings, OpenVPN should not add routes. If it does anyway, there might be something wrong.

                sensewolf @viragomann

                @viragomann

                Thanks for confirming.

                But whether "Don't pull routes" is checked or not, once I start the service, a 0.0.0.0 route is added to my routing table.

                So what could be wrong for this to happen?

                I had hoped that maybe rebooting would help. But it doesn't.

                I am on pfSense 2.5 - could this be the problem? I see other posts about issues with OpenVPN under 2.5 (not this particular issue, but issues with OpenVPN). Can anyone confirm whether "Don't pull routes" actually works on 2.5?

                  fearnight

                  Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.

                  I did follow these steps for the setup, so yours could be different.
                  https://everythingsmarthome.co.uk/howto/setup-a-pia-vpn-with-pfsense-2-4-5/

                  I'm on pfSense 2.5.0 as well.

                  My setup is to have a single OPT port / interface tunneled through the VPN, then I wanted all the other interfaces non-VPN. I had the same problem before where once OpenVPN started up, all the interfaces EXCEPT the VPN interface would have Internet access terminated. Stopping the VPN client would magically restore access instantly to all interfaces. Works now so thanks for the advice.

                    viragomann @sensewolf

                    @sensewolf
                    I'm not experienced with 2.5, but I have never read about such routing issues.
                    However, some people got it to work on 2.5 after they tore it down and rebuilt it again.

                    So what could be wrong for this to happen?

                    Can you provide more details? OpenVPN client config, OpenVPN log of connection establishing, routing table.

                      sensewolf @sensewolf

                      @sensewolf

                      @viragomann said in OpenVPN only for certain network?:

                      @sensewolf
                      If you want to pass traffic only from certain interfaces over the vpn, you should prohibit adding routes by OpenVPN. To do so, check "Don't pull routes" in the client settings.

                      Then add a policy routing rule to the desired interface.
                      But consider that a policy routing rule directs the whole matching traffic to the stated gateway. So with such a rule you are able to access neither other internal subnets nor pfSense itself (possibly for DNS resolution). That might be the reason for your trouble with the floating rule you've added.

                      So if you also need connections from this interface to other internal network segments or pfSense, you have to add an additional rule for that with the default gateway option, matching only the needed internal network destinations, and put this rule at the top of the rule set.

                      Getting closer:
                      I found the culprit. The VPN config of my VPN provider contained "redirect-gateway" which, I understand, does exactly what I described above.
                      Once I removed this line from the config, the 0.0.0.0 route stopped appearing in my routing table. So that's that.

                      Now I am working on the rest of your advice: I have added a firewall rule for the interface whose traffic I want to go through the VPN, but for some reason that doesn't work yet. Keep trying...

                        sensewolf @fearnight

                        @fearnight said in OpenVPN only for certain network?:

                        Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.

                        Sorry, did you mean to say you checked the box "Don't pull routes" or did you actually uncheck it (which I would find even more counter-intuitive than everything else that is happening on my pfSense in this context)?

                          viragomann @sensewolf

                          @sensewolf
                          You didn't mention that you used a pre-built config from the provider before.
                          Yes, "redirect-gateway" does exactly the same, but it's the active setting that adds the default route on the client. So "Don't pull" is toothless.

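An added check, written for this thread and not taken from pfSense, OpenVPN or any of the posters: it parses a provider-style client config, reports whether a local redirect-gateway line will make the tunnel the default route even when route-nopull is present, and strips that line the way sensewolf did. The sample config is constructed with a placeholder host, and the mapping of the "Don't pull routes" checkbox to the route-nopull directive is my assumption about what pfSense writes into the generated config.

```python
import re

# Constructed sample in the style of a provider-supplied client config (placeholder host,
# truncated certificate); it is not any provider's real file.
SAMPLE_OVPN = """\
client
remote vpn.example.invalid 1194  # placeholder remote
; provider default: send everything through the tunnel
redirect-gateway def1
route 10.8.0.0 255.255.255.0
route-nopull
<ca>
MIIB...
</ca>
"""

def parse_directives(text):
    """Return [(name, args)] per option line, skipping comments and <tag>...</tag> blobs."""
    out, in_block = [], None
    for raw in text.splitlines():
        line = re.split(r'(?:^|\s)[#;]', raw.strip(), maxsplit=1)[0].strip()
        if in_block:                         # skip inline certificate/key material
            in_block = None if line == "</%s>" % in_block else in_block
            continue
        m = re.fullmatch(r'<(\w[\w-]*)>', line)
        if m:
            in_block = m.group(1)
            continue
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out

def audit_routes(text):
    """Report which directives will touch the routing table once the tunnel is up."""
    d = parse_directives(text)
    names = {n for n, _ in d}
    # route-nopull is (by assumption) what pfSense's "Don't pull routes" adds; it only discards
    # routes PUSHED by the server. A redirect-gateway line in the local file still makes
    # the tunnel the default route, which is the 0.0.0.0 route seen in this thread.
    return {
        "pushed_routes_ignored": "route-nopull" in names,
        "local_default_route": "redirect-gateway" in names,
        "redirect_flags": next((a for n, a in d if n == "redirect-gateway"), None),
        "static_routes": [a for n, a in d if n == "route"],
    }

def drop_directive(text, name):
    """Return the config with every line whose first token is `name` removed (the OP's fix)."""
    return "\n".join(l for l in text.splitlines() if l.split()[:1] != [name]) + "\n"
```

Run audit_routes() on the provider file before importing it into pfSense; a True local_default_route means the checkbox alone will not keep the tunnel off the default route.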
                            sensewolf @viragomann

                            @viragomann said in OpenVPN only for certain network?:

                            @sensewolf
                            You didn't mention that you used a pre-built config from the provider before.

                            Yes, that's right. Because I have no clue how this stuff works or what I am doing.

                            Yes, "redirect-gateway" does exactly the same, but it's the active setting that adds the default route on the client. So "Don't pull" is toothless.

                              fearnight @sensewolf

                              @sensewolf said in OpenVPN only for certain network?:

                              @fearnight said in OpenVPN only for certain network?:

                              Just wanted to chime in and say I finally got my setup working after finding this thread. All I had to do was uncheck "Don't pull routes" and it started working. I was having the same symptoms as @sensewolf before.

                              Sorry, did you mean to say you checked the box "Don't pull routes" or did you actually uncheck it (which I would find even more counter intuitive than everything else that is happening on my pfSense in this context)?

                              Right, I typed this wrong. Sorry. I went in and "checked" the box in the OpenVPN client config. It was unchecked by default.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.