Multiple OpenVPN connections, routing based on country or rule set



  • Hello,

    New to PfSense.  Longtime user of Tomato/DD-WRT.  Had a question for you experts out there that I am at a loss on how to solve.  I am using Private Internet Access.  I followed this guide: http://goo.gl/S3BsZ  to setup my OpenVPN connection.

    I would like the ability to set up multiple OpenVPN connections to servers in different countries.  For example, A would be US, B would Canada, and C would be UK.  I would then like to set up rules based on GeoIP to determine which connection should be used when I am online.  If the website or service is in country A, it should use VPN connection A, if in B, then use B and so on.  Default would be A. I would also like the ability to exclude either specific traffic/IPs from the VPN (for example my Cisco SPA2102 or Slingbox)

    Could someone kindly point me in the right direction or perhaps suggest a solution to accomplish same? I found the following information but couldn't translate it to pfSense so well: http://goo.gl/eGvVu  and http://goo.gl/BBUun

    Much appreciated.


  • Rebel Alliance Developer Netgate

    You can use pfBlocker and its country lists to get aliases that correspond to IPs in various countries, and then use policy routing to direct traffic into the VPN you want based on those aliases.

    Both of those topics have been discussed many times on the forum – separately -- so you can likely find thorough instructions if you search for pfBlocker for the country part, and then a separate search for OpenVPN connecting to a service provider and using policy routing (look at the threads for things like StrongVPN).



  • Thank you Jim for the reply.  I have tried over the last while to figure it out and unfortunately cannot.

    While I realize Jim is probably busy editing the new edition of the book, if someone else out there can handhold me a little more, it would be appreciated.



  • I see you posted a freelancers job to configure this and some additional items. We'd be glad to help with that via our commercial support. We can't ever commit to an exact price for a given job because the exact same job can vary a lot from one customer to another because our level of involvement varies. All the jobs along the lines of what you listed have been doable within our base 5 hour support subscription, though at times scope changes along the way. It's something we could have done within a business day if you purchase here.
    https://portal.pfsense.org/index.php/subscribe-for-access

    You can probably find cheaper alternatives, unknown people with unknown skills located who knows where. But trust me…save yourself some headaches and come to the world's foremost experts. We fix a lot of what random freelancers "implement", and have plenty of customers who wish they had just come to us in the first place rather than wasting their money and time with some freelancer.



  • Chris,
    I want to thank you for all your hard work in furthering pfSense to what it is today.  What an extremely powerful and useful solution.
    For a home user like myself,  the support option is pricey to say the least.  My system to date has cost under $400 running an Atom based board and Ubiquiti Unifi AP Pro.  I'm positive someone with the requisite knowledge could solve my issues in a relatively short period of time.  Spending $600 though is out of my budget and the reason why I came to the forum.  I bought The Book of PF, pfSense 2 Cookbook, and your Definitive Guide and still was having difficulty solving my issues on my own.  
    My plan was to use either freelancer or elance to try and get someone to solve them then post up the solution here for whomever wanted the same setup.  
    I would wholeheartedly trust the world's foremost pfSense experts but unfortunately I just don't have the budget at present to support that option.


Log in to reply