OpenVPN default gateway only for certain destination IP's
-
Hi
I have deoployed openvpn so all users connect to our openvpn server to have access to some resources that are online avaiblae like AWS . In vpn server settings i have enabled the pfsense vpn as default gateway (i.e. no split tunneling) so all traffic is routed via our pfsense. Now i want only the clients traffic to some destinations live ips say of AWS to be routed by client to vpn server gateway and remaining via their local IP.Please can someone guide me for below two use cases.
1: only route traffic from vpn clinets to few handful of known public ips via pfsense wan.
2: allow all vpn clients to route all traffic to aws/azure via our pfsense and all remaning via local isp assigned gateway.Regards.
-
@Snailkhan said in OpenVPN default gateway only for certain destination IP's:
S
Snailkhan
about 23 hours agoHi
I have deoployed openvpn so all users connect to our openvpn server to have access to some resources that are online avaiblae like AWS . In vpn server settings i have enabled the pfsense vpn as default gateway (i.e. no split tunneling) so all traffic is routed via our pfsense. Now i want only the clients traffic to some destinations live ips say of AWS to be routed by client to vpn server gateway and remaining via their local IP.Please can someone guide me for below two use cases.
1: only route traffic from vpn clinets to few handful of known public ips via pfsense wan.
2: allow all vpn clients to route all traffic to aws/azure via our pfsense and all remaning via local isp assigned gateway.Regards.
To achieve your goal, you need to configure policy-based routing and split tunneling in OpenVPN and PfSense. Here's how you can handle both use cases.
1. Route Only Specific Traffic to VPN (PfSense WAN)
You need to implement policy-based routing on the OpenVPN server side (PfSense) and configure OpenVPN client settings to only route traffic to specific AWS public IPs via the VPN tunnel, while other traffic goes directly to the client’s local ISP.
Steps:
-
On PfSense (VPN Server)
- Go to
Firewall>Rules>OpenVPN. - Add a new rule to allow traffic from the VPN clients to specific AWS IPs.
- In the Destination field, specify the public IP addresses of your AWS resources.
- Under Gateway, select the VPN Gateway (PfSense WAN).
- Save and apply the rules.
- Go to
-
On OpenVPN Client Configuration
-
Edit the client configuration
.ovpnfile or server-side configuration push:Add a route for each specific AWS IP you want to go through the VPN:
route <AWS-IP-1> 255.255.255.255 route <AWS-IP-2> 255.255.255.255 -
This ensures that only traffic destined for those IPs goes through the VPN tunnel, while all other traffic will use the client’s local ISP gateway.
-
2. Route All AWS/Azure Traffic via VPN and Rest via Local ISP
For this, you want to route all AWS or Azure traffic through the VPN and let the rest of the traffic use the client’s local ISP. This is a form of selective split tunneling.
Steps:
-
On PfSense (VPN Server)
- As with the first use case, go to
Firewall>Rules>OpenVPN. - Create firewall rules to route all AWS/Azure traffic through the VPN Gateway (PfSense WAN).
- Use the Destination field to match traffic by AWS or Azure subnets.
- Under Gateway, select VPN Gateway (PfSense WAN).
- Save and apply the changes.
- As with the first use case, go to
-
On OpenVPN Client Configuration
-
Push the appropriate routes for AWS or Azure in the client’s OpenVPN configuration:
For AWS:
route 13.0.0.0 255.0.0.0 # Adjust to the correct AWS IP ranges route 52.0.0.0 255.0.0.0For Azure:
route 20.0.0.0 255.0.0.0 # Adjust to the correct Azure IP ranges -
This will route all traffic destined for AWS/Azure through the VPN, while other traffic will continue via the local gateway.
-
Optional - Use
client-config-dirin OpenVPN ServerYou can also create per-client specific routes using OpenVPN’s
client-config-dirto control routing at the user level.- In the OpenVPN server configuration, specify:
client-config-dir /etc/openvpn/ccd - In the
/etc/openvpn/ccd/<client-name>file, define the routes for AWS/Azure.
-