Route specific websites through VPN connection



  • I have a single WAN and a single VPN (OpenVPN client) set up on my pfSense 2.1 VM.
    The VPN connection is solely for IPTV from a browser. So basically I want all my normal internet traffic to go through my WAN like it does now, and only certain websites to automatically route through my VPN connection. I know how to make a specific local host route all its traffic to the VPN, but I don't want to do that, as the VPN is only for a few sites.
    I looked for information and found this: http://forum.pfsense.org/index.php?topic=38931.0
    but it's talking about local VPN client configuration on the computer itself, which is not the case for me.



  • I assume that the client OpenVPN on pfSense goes out to some VPN provider server (in some other country…) which then gets you to the regular internet. And you want to make some LAN clients use that VPN tunnel when accessing certain sites.

    1. Static map the required LAN clients in DHCP Server so you will know what IP addresses they have
    2. Make an alias for the IPs you are giving to those LAN clients - let's call it IPTVallowed
    3. Make an alias with all the IPTV sites you want to access (you should be able to use FQDNs in the alias) - say IPTVsites
    4. Interface->Assign - assign an interface to the OpenVPN client.
    5. Enable the interface, but leave the interface type "none" - OpenVPN will do its stuff under the hood. A gateway should get created for the interface automagically.
    6. Add a rule on LAN, pass protocol all, source IPTVallowed, destination IPTVsites, Gateway - the OpenVPN gateway

    You should not need any rules on the OpenVPN interface itself - that would be for traffic initiated from the internet coming in to you, which you don't want to allow.
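    As an added illustration (not from the post above and not pfSense's generated ruleset), this is the pf ruleset that steps 2, 3 and 6 amount to; the interface names, the tunnel gateway address and the client and site values are assumed placeholders:

    ```pf
    # Added example, not pfSense-generated output. Names and addresses are assumed.
    lan_if  = "em1"
    ovpn_if = "ovpnc1"     # interface assigned to the OpenVPN client (step 4)
    ovpn_gw = "10.8.0.1"   # far end of the tunnel, the gateway created in step 5

    # Step 2: alias of the LAN clients allowed to use the tunnel
    # (static DHCP mappings, so these addresses do not drift)
    table <IPTVallowed> { 192.168.1.50, 192.168.1.51 }

    # Step 3: alias of IPTV sites. A hostname here is resolved to addresses
    # and re-resolved periodically; a site served from many changing
    # addresses (a CDN) may not be fully covered by the table.
    table <IPTVsites> { iptv.example.net }

    # Step 6: only traffic from the allowed clients to the listed sites is
    # policy-routed into the tunnel. "in on LAN" matters: the decision is
    # made where the traffic enters pfSense, not on the OpenVPN interface.
    pass in quick on $lan_if route-to ($ovpn_if $ovpn_gw) inet \
        from <IPTVallowed> to <IPTVsites> keep state

    # Everything else from LAN keeps following the default route (WAN).
    pass in quick on $lan_if inet from $lan_if:network to any keep state

    # No "pass in on $ovpn_if" rule: nothing initiated from the internet
    # through the tunnel is allowed in.

    # Console checks (equivalent of Diagnostics->Tables in the GUI):
    #   pfctl -sr | grep route-to        # confirm the rule and its gateway
    #   pfctl -t IPTVsites -T show       # what pf currently has in the alias
    #   pfctl -t IPTVallowed -T show
    ```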



  • Thank you so much for excellent guide. Worked from first try!



  • @phil.davis:

    I assume that the client OpenVPN on pfSense goes out to some VPN provider server (in some other country…) which then gets you to the regular internet. And you want to make some LAN clients use that VPN tunnel when accessing certain sites.

    1. Static map the required LAN clients in DHCP Server so you will know what IP addresses they have
    2. Make an alias for the IPs you are giving to those LAN clients - let's call it IPTVallowed
    3. Make an alias with all the IPTV sites you want to access (you should be able to use FQDNs in the alias) - say IPTVsites
    4. Interface->Assign - assign an interface to the OpenVPN client.
    5. Enable the interface, but leave the interface type "none" - OpenVPN will do its stuff under the hood. A gateway should get created for the interface automagically.
    6. Add a rule on LAN, pass protocol all, source IPTVallowed, destination IPTVsites, Gateway - the OpenVPN gateway

    You should not need any rules on the OpenVPN interface itself - that would be for traffic initiated from the internet coming in to you, which you don't want to allow.

    I've been trying to get this to work but in reverse and I can't for the life of me figure out why it won't work.  By reverse I mean have all traffic directed through the VPN with specific websites utilizing the WAN.  A good example is that Craigslist blocks VPN IP addresses so I want that website to use my WAN IP.  Another example would be for Netflix to use WAN to prevent drops, etc.

    I've had my VPN up and running for some time so no issues there.  I have an alias for my main PC and an alias with my list of websites.  I create a LAN rule where source is my PC alias and destination is my website alias.  Then I have my WAN_DHCP selected in gateway-advanced.  Should this not work or am I missing something?

    Edit:  I also have this VPN bypass rule first in the list


  • Netgate

    If the VPN is sending you a default route, that might override your gateway rules.  Try adding route-nopull; to your VPN client config.  Then you will ignore routes sent to you from the provider and you can determine what gets routed over the VPN tunnel and what doesn't.



  • That did it!  Thank you!



  • Well I jumped the gun on this being fixed.  My IP is still being blocked by Craigslist after the "route-nopull".  I must have landed an IP from my VPN that wasn't on the block list.  What other thoughts do you have as to why I can't bypass the VPN?  What information do I need to provide to help?


  • Netgate

    What are your rules?  The router won't send anything over the VPN that isn't specifically directed over the VPN.



  • Pic attached.  WAN, PIAVPN and OpenVPN have no rules and WLAN has a default allow WLAN net to any rule.  Treadstone has this PC's LAN IP and VPN_Bypass has netflix.com and craigslist.com.




  • Sorry - I have been concentrating on 2.2 forum for a while!
    Those rules should work, and because they cover all IPv4 protocols you should be able to "tracert" (or "traceroute") from "Treadstone" to some IP in VPN_bypass and see what path it takes going out.
    From there, check Diagnostics->Tables and see what IP addresses "pf" thinks are in "Treadstone" and "VPN_bypass"…



  • Has anyone got this setup working? I want to do the same thing and am kind of shocked this is not the default configuration more people are using at home.
    Slight difference on mine is that the traffic into my pfSense box is all coming from the same IP address (it's being used for VPN only and there is a DHCP server/gateway attached to the LAN side of it).



  • You can do this using Squid3 proxy and adding a tcp_outgoing_address configuration directive to the Custom ACL (Before Auth) settings under the proxy server configuration menu. All relevant devices need to be configured to use the proxy server though. Also, if you are assigned a dynamic IP by your VPN provider then you will need to update the squid configuration each time with the new interface IP address.



  • Hi guys, I'm a new pfSense user and I've tried to use the steps in post 2, however I couldn't get the VPN running for some websites that I want to go through the VPN.
    After I restart the VPN I lose the WAN and VPN connection; it shows VPN down in Status! Is there something else that needs to be done?