    Is it possible to set up pfSense with a VPN provider in this "toggleable" way?

    • anallamaA
      anallama
      last edited by

      I've finally got a pfSense router (locally) working smoothly and consistently the way I'd like, with an OpenVPN server accepting connections from my mobile phone, and all traffic filtered through pfBlockerNG. I now wanted to add something at the next level, and have the traffic on the outside of the pfBlockerNG firewall be routed through a VPN provider.

      So the first thing I did was purchase a plan from Surfshark, downloaded their app onto my computer, and fired it up. Obviously I've misunderstood a fundamental part of how computer networking works in this context, because my computer, which I naively assumed would still be in some way behind the firewall, was just completely exposed, with nothing being blocked by pfBlockerNG. So I looked around and found there are indeed ways to set up the pfSense router as a VPN client.

      Overall, before I waste my time, I'd like to know if it is possible to have my devices (computer and mobile phone via OpenVPN remote access) all behind my pfBlockerNG firewall, and then have all this traffic routed, on a hopefully simple toggle, either through my local ISP or through the VPN (if I understand correctly, I'd have to set up a separate OpenVPN client profile for each server location I want to use). If so, where should I start looking for instructions on how to do this? Is wireguard an easier method than OpenVPN for this? And is it relatively simple given my already functioning local setup?

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @anallama
        last edited by johnpoz

        @anallama this would be simply policy route to be honest - you can route whatever clients you want through that vpn, or route based upon destination network or IP, or just port or combo of all of that.

        You toggle the policy route, and then everything would go out the normal connection... Keeping in mind that if something was using your normal connection, and then you enabled policy route that should send them out your vpn. You would need to kill all the previous states to stuff your clients were already talking through the normal connection, if you now wanted these connections through the vpn.

        https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

        I gave you a thumbs up on your first post - you prob want to post in one of the hey I need rep points, or been blocked threads to get you to your 5.. so that hopefully akismet will not bother you again per our PM conversation.

        You might be able to post in here to get some

        https://forum.netgate.com/topic/196191/upvotes That is the latest thread I see asking about upvotes.

        If not start your own thread..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Bob.DigB
          Bob.Dig LAYER 8 @anallama
          last edited by

          @anallama said in Is it possible to set up pfSense with a VPN provider in this "toggleable" way?:

          my pfBlockerNG firewall

          The firewall is still pfSense. pfBlocker is only a helper, for creating aliases (optionally with rules) and DNS-blacklists.

          • anallamaA
            anallama @Bob.Dig
            last edited by

            @Bob-Dig Ah, I see this is one of those many situations where I understand next to nothing. What else is new. Going to have to just set aside a day purely to fry my mind on the documentation.

            @johnpoz I notice in the pfSense setup instructions from SurfShark, both for Wireguard and OpenVPN, I am required to change my DNS servers as one of the final steps, which seems like it would stop me from simply toggling the VPN route on and off, as I'd have to go in and manually change those every time. Probably just another thing I'm completely unaware of?

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @anallama
              last edited by johnpoz

              @anallama guides from many vpn providers are shit - that is the technical term yes..

              Many of them will say you need to use their dns, and will say you have to route everything through them and change your outbound nat to manual.. All of that is nonsense.. You don't need to do any of that..

              Don't pull routes, don't use their dns, and just set hybrid outbound nat and set a nat to the vpn interface you're using to connect to them.

              They may block trying to use any other dns then theirs through the connection, believe nord was intercepting dns - they prob still are..

              But you sure and the hell do not need to route your dns through them or use theirs if you don't want to - have pfsense just use some dot server if you want your dns encrypted, etc.


              • anallamaA
                anallama @johnpoz
                last edited by

                @johnpoz said in Is it possible to set up pfSense with a VPN provider in this "toggleable" way?:

                and just set hybrid outbound nat and set a nat to the vpn interface you're using to connect to them.

                Can you direct me to the best place to read up on this part specifically?

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @anallama
                  last edited by johnpoz

                  @anallama already linked to policy routing section.

                  Here is example

                  nat.jpg

                  All of my normal networks are just auto - and nat to my normal wan address.. But I have a special nat, that if I route traffic out my vpn interface (ns1vpn) in my case it will nat to that address.

                  Clicky a policy route to send something out my vpn - it does so, toggle that rule off and now back to normal routing and just going out my normal wan.

                  So as example - my normal IP 209.122.x.x out on the internet, then route it out my vpn and I am seen as my vpn exit IP 209.141.x.x.

                  vpn.jpg


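The two points johnpoz makes in this thread, a policy-route rule on the ingress interface that is toggled on and off (with a hybrid outbound NAT rule on the VPN interface so the translated source follows the egress), and the caveat that states already open on the normal WAN keep using it until they are killed, as a small Python model. This is an added example, not pfSense code and not anything posted in the thread: the interface names (lan, wan, openvpn, and ns1vpn borrowed from the post above), the rule layout and every address are constructed, and the automatic-NAT fallback is a deliberately simplified stand-in for what pfSense actually generates.

```python
"""Toy model of pfSense policy routing, hybrid outbound NAT and the state table.

Added example, not pfSense code. Interface names, rule layout and all
addresses are constructed for illustration (documentation ranges only).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Address the firewall NATs to on each egress interface (constructed values).
INTERFACE_ADDR = {
    "wan": "203.0.113.10",   # normal ISP address (TEST-NET-3 documentation range)
    "ns1vpn": "10.8.0.2",    # address the VPN provider hands the client tunnel
}
DEFAULT_GATEWAY_IF = "wan"   # default gateway stays on the normal WAN


@dataclass
class PolicyRule:
    """A pass rule on an ingress interface whose Gateway field overrides routing."""
    ingress: str
    source: str        # CIDR the rule matches on
    gateway_if: str    # egress interface the matched traffic is forced out of
    enabled: bool = True


@dataclass
class NatRule:
    """A manual outbound NAT rule (hybrid mode: manual rules first, then automatic)."""
    egress: str
    source: str
    translate_to: str


@dataclass
class Firewall:
    policy_rules: list
    nat_rules: list
    # state table: (ingress, src, dst) -> (egress, translated source)
    states: dict = field(default_factory=dict)

    def _egress_for(self, ingress, src):
        for r in self.policy_rules:
            if r.enabled and r.ingress == ingress and ip_address(src) in ip_network(r.source):
                return r.gateway_if
        return DEFAULT_GATEWAY_IF          # no policy match: ordinary routing

    def _nat_source(self, egress, src):
        for n in self.nat_rules:           # manual (hybrid) rules are checked first
            if n.egress == egress and ip_address(src) in ip_network(n.source):
                return n.translate_to
        # Simplified automatic rule: traffic leaving WAN is NATed to the WAN
        # address; without a manual rule the VPN egress leaves the source alone.
        return INTERFACE_ADDR["wan"] if egress == "wan" else src

    def forward(self, ingress, src, dst):
        """Return (egress, translated_src); an existing state wins over the rules."""
        key = (ingress, src, dst)
        if key not in self.states:
            egress = self._egress_for(ingress, src)
            self.states[key] = (egress, self._nat_source(egress, src))
        return self.states[key]

    def set_policy(self, ingress, enabled):
        """Toggle the policy-route rule(s) on an ingress interface."""
        for r in self.policy_rules:
            if r.ingress == ingress:
                r.enabled = enabled

    def kill_states(self, source):
        """Drop states whose source lies in `source` (the effect of killing states)."""
        net = ip_network(source)
        doomed = [k for k in self.states if ip_address(k[1]) in net]
        for k in doomed:
            del self.states[k]
        return len(doomed)


def build_firewall(vpn_rule_enabled=True):
    """LAN policy-routed out ns1vpn plus the matching hybrid outbound NAT rule."""
    rules = [PolicyRule("lan", "192.168.1.0/24", "ns1vpn", enabled=vpn_rule_enabled)]
    nat = [NatRule("ns1vpn", "192.168.1.0/24", INTERFACE_ADDR["ns1vpn"])]
    return Firewall(rules, nat)


def toggle_demo():
    """Walk one LAN host through rule-off, rule-on, and rule-on after a state kill."""
    fw = build_firewall(vpn_rule_enabled=False)
    before = fw.forward("lan", "192.168.1.50", "198.51.100.1")  # WAN, NAT to WAN addr
    fw.set_policy("lan", True)
    stale = fw.forward("lan", "192.168.1.50", "198.51.100.1")   # old state: still WAN
    fw.kill_states("192.168.1.0/24")
    after = fw.forward("lan", "192.168.1.50", "198.51.100.1")   # new state: VPN, VPN addr
    return before, stale, after


if __name__ == "__main__":
    print(toggle_demo())
    fw = build_firewall()
    # A client on another ingress interface matches no LAN rule, so it falls
    # through to the default gateway.
    print(fw.forward("openvpn", "192.168.6.2", "198.51.100.1"))
```

The middle value returned by `toggle_demo()` is the point of the state-killing remark: the rule is already enabled, yet the flow that was opened while it was off keeps leaving via the WAN until its state is removed.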
                  • anallamaA
                    anallama @johnpoz
                    last edited by anallama

                    @johnpoz

                    In your last image, the 192.168.9.100 is the pfsense router address? Can I just select "WAN address" generally rather than specifying the exact IP?

                    • anallamaA
                      anallama @anallama
                      last edited by anallama

                      I've got a successful handshake on Wireguard at least (sorry, I'm aware that I've placed this post under OpenVPN, Wireguard setup seems a lot simpler)
                      Screenshot from 2025-06-11 13-59-55.png

                      I'm not sure what the auto-created rules present on mine but missing from yours do.

                      Screenshot from 2025-06-11 13-59-06.png

                      As soon as I enable this rule below, my internet connection stops working. Without it enabled, my IP remains listed as my ISP's.

                      Screenshot from 2025-06-11 14-26-07.png

                      I currently have DoT set up with CIRA servers; I tried setting up the static gateway routing to the VPN endpoint (listed as optional in the documentation), but it did not change that my connection was down. Should I be leaving the default IPv4 gateway as Automatic?

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @anallama
                        last edited by

                        @anallama no that is the IP address of the PC I wanted to policy route out that specific gateway - why would you think that is a pfsense IP.. How would pfsense IP be inbound source address into its own lan interface?


                        • anallamaA
                          anallama @johnpoz
                          last edited by

                          @johnpoz I'm pretty ignorant of just about everything in networking, that's all I can say

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @anallama
                            last edited by

                            @anallama hahah - ok that explains it then ;)

                            Your default gateway in pfsense should be set to your normal wan interface that you use for normal isp connectivity.

                            I use openvpn to connect as client to my vpn server, I haven't used wireguard.


                            • anallamaA
                              anallama @johnpoz
                              last edited by

                              @johnpoz alright I'll try and redo it in OpenVPN, and post my probable failures then 🤤

                              • anallamaA
                                anallama @johnpoz
                                last edited by anallama

                                @johnpoz
                                Hey so I actually got this working via OpenVPN for my LAN network on the first try...every device in 192.168.1.0/24 now has the VPN provider's public IP. However, the remote access device connected through my OpenVPN Server (tunnel network 192.168.6.0/24) still has my local IP, even when I add equivalent NAT and firewall rules. What do I need to adjust to also send the remote access device through the VPN client? Do I just assign it an IP on the LAN network range instead?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.