How can I prevent client Internet traffic from going through the VPN?
-
I have a Netgate 2100 sitting behind a cable modem. The modem is performing NAT, and is port-forwarding 1190 to the private IP reserved to the Netgate device. pfSense is set up with a standard OpenVPN configuration following their documentation (but with a custom port).
I specifically have the Redirect IPv4/6 Gateway boxes unchecked. The IPv4 Tunnel Network is set to 192.168.190.0/24, and the IPv4 Local Networks has a single entry of 192.168.1.1/24. Appropriate firewall rules were added to the OpenVPN tab.

I am able to successfully connect to the OpenVPN service and access local LAN resources on the 192.168.1.x subnet. However, all of my other Internet traffic is also being redirected, which I don't want. The Netgate box is going to eventually replace our small office's obsolete Sonicwall device, but we do not have the Internet bandwidth to route all client traffic through our office's ISP. We only want to use the VPN to allow remote employees to access internal LAN resources. Other Internet traffic should go through each client's ISP as normal.

I'm connecting to the OpenVPN server using the exported .openvpn connection profile from a Linux laptop. More specifically, I'm using Plasma's (on Debian) connection manager to import and create a new VPN connection.
This is the configuration information in the config.ovpn file:

    dev tun
    persist-tun
    persist-key
    data-ciphers ...
    data-ciphers-fallback ...
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote <manually_changed_to_public_static_ip_of_modem> 1190 udp4
    nobind
    verify-x509-name "www.ourcompany.com" name
    auth-user-pass
    remote-cert-tls server
    explicit-exit-notify
    <ca>
    ... bunch of certificates
A route command on the client shows the following lines:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         _gateway        0.0.0.0         UG    50     0        0 tun0
    default         _gateway        0.0.0.0         UG    600    0        0 wlp2s0
    <public_ip>-st  _gateway        255.255.255.255 UGH   600    0        0 wlp2s0

tun0 is the VPN interface, and wlp2s0 is the interface for the WiFi. If I'm reading this right, everything is being routed through tun0 since it has a lower metric than the public_ip route. Is that accurate?

What can I do to prevent non-LAN traffic from going through the VPN? I need a solution that doesn't require advanced setup on each client machine. I was under the impression that selecting the right options on the pfSense VPN configuration would influence the exported configuration file in such a way that this should work.
-
@grimzecho said in How can I prevent client Internet traffic from going through the VPN?:
I specifically have the Redirect IPv4/6 Gateway boxes unchecked.
and the IPv4 Local Networks has a single entry of 192.168.1.1/24.

You should use network addresses here, so 192.168.1.0/24.
However, this might not be the cause of your issue. With the local network stated, OpenVPN should push the proper route to the client, however...
I'm connecting to the OpenVPN server using the exported .openvpn connection profile from a Linux laptop. More specifically, I'm using Plasma's (on Debian) connection manager to import and create a new VPN connection.
I guess this is the NetworkManager. This tool has a known issue of routing the whole upstream traffic over the VPN without an additional setting.
To avoid this, edit your connection, go to IPv4 > routes. There you should see a check box to apply the routes for the respective connection or a similar term.
What can I do to prevent non-LAN traffic from going through the VPN?
As you can see, it's on the client to route traffic to the server site.
So on pfSense you can only limit the destination in the pass rule on the OpenVPN interface to your local networks to avoid this.
-
@viragomann said in How can I prevent client Internet traffic from going through the VPN?:
To avoid this, edit your connection, go to IPv4 > routes. There you should see a check box to apply the routes for the respective connection or a similar term.
Thanks. I found a setting for the VPN connection under IPv4 --> Routes called "Ignore automatically obtained routes". I enabled it, applied and saved changes, then disconnected and reconnected both WiFi and VPN, but Internet traffic is still being routed through the VPN.
-
@viragomann Disregard -- I was using the wrong option.
Enabling the "Use only for resources on this connection" checkbox corrected the behavior.
Thanks!
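As an added example (not code from this thread, pfSense or NetworkManager), the script below does two things a practitioner would want when chasing this problem on a Linux client: it parses a route table in the format the OP posted to report which interface actually owns the lowest-metric default route, and it checks whether the exported profile itself contains a redirect-gateway directive (the OP's does not, which is why the default route over tun0 has to be coming from the client side). It then prints the nmcli commands that correspond to the GUI checkbox the OP found; the mapping of "Use this connection only for resources on its network" to ipv4.never-default / ipv6.never-default is a NetworkManager property, while the connection name "office-vpn", the 203.0.113.10 address and the sample route table and profile are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example; not from the forum thread, pfSense or NetworkManager.
# Assumptions: the VPN connection is called "office-vpn" in NetworkManager,
# the public IP is replaced with the TEST-NET address 203.0.113.10, and the
# route table and profile excerpt below are constructed from the OP's post.

# Constructed from the OP's `route` output.
ROUTE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         _gateway        0.0.0.0         UG    600    0        0 wlp2s0
203.0.113.10    _gateway        255.255.255.255 UGH   600    0        0 wlp2s0'

# Constructed excerpt of the exported profile. There is no redirect-gateway
# line, so the tun0 default route is not something this file asks for.
OVPN_PROFILE='dev tun
client
remote 203.0.113.10 1190 udp4
nobind
remote-cert-tls server'

# Print the interface of the default route with the lowest metric.
# That is the path all non-LAN traffic takes.
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && (best == "" || $5 + 0 < best + 0) { best = $5; iface = $8 }
        END { print iface }'
}

# Print "yes" if the profile text itself requests full-tunnel routing.
profile_redirects_gateway() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*redirect-gateway'; then
        echo yes
    else
        echo no
    fi
}

# nmcli equivalent of the GUI checkbox "Use this connection only for
# resources on its network" (ipv4.never-default / ipv6.never-default).
# The commands are printed, not executed, so this runs safely anywhere;
# pipe the output to sh on the client to apply them.
nmcli_split_tunnel_cmds() {
    conn=$1
    printf 'nmcli connection modify "%s" ipv4.never-default yes ipv6.never-default yes\n' "$conn"
    printf 'nmcli connection down "%s"; nmcli connection up "%s"\n' "$conn" "$conn"
}

echo "Default route currently via: $(default_iface "$ROUTE_TABLE")"
echo "Profile contains redirect-gateway: $(profile_redirects_gateway "$OVPN_PROFILE")"
nmcli_split_tunnel_cmds office-vpn
```

After applying the printed commands and reconnecting, re-running the default-route check against fresh `route -n` output should name the WiFi interface, while the pushed 192.168.1.0/24 route via tun0 remains. The "Ignore automatically obtained routes" knob the OP tried first is ipv4.ignore-auto-routes; it discards routes pushed by the server, which is the opposite of what is wanted here, since the pushed LAN route is the only route the tunnel should carry.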