SOLVED: Routing SOME traffic / static IPs through OpenVPN (over PIA)
-
Running pfSense virtualized. Had to start from scratch due to what is probably a simple issue for some out there.
Trying to route some traffic through OpenVPN. Tried different guides before but always ran into the same issue being that ALL of my traffic was going over my VPN. I would like only SPECIFIC IPs to use the VPN while all other traffic goes over the regular WAN connection. Just found this guide: http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/ which seems informative however it seems to be written up to route all traffic through the VPN and as an afterthought has the "some traffic" aspect written towards the end.
He states that "device specific rules need to be before the rules (on top) we’ve just created. Pfsense interprets rules from top to bottom. If it matches a rule, it will automatically stop processing the ruleset and execute it."
I am hesitant to just try setting it up this way due to the hours lost in my previous attempts. If I were to setup using this guide, would only specific IPs be directed over the VPN or would I run into the same issue?
Thank you for your time.
-
I haven't looked at the guide. But once you have the OpenVPN established, assigned as an interface and enabled then pfSense makes you a gateway for the OpenVPN link. Then:
a) Make an Alias listing all the specific IPs you want to send to OpenVPN - e.g. call it "OVPN_hosts"
b) Put a pass rule at the top of your LAN rules with protocol any, source OVPN_hosts, destination any, gateway openvpn_GW
c) After that, put a general pass rule - protocol any source LANnet destination any no gateway - to let the rest of the traffic pass to the normal routing table and out the ordinary WAN. -
SOLUTION: Instructions on how to route specific LAN IP traffic through PIA via OpenVPN on pfSense
-
Download ca.crt key from https://www.privateinternetaccess.com/openvpn/openvpn.zip
-
Locate the file ca.crt, SSH to your pfSense server and cd to /etc. First copy the ca.crt to the /etc folder. Then create a file “openvpn-password.txt” with two lines, one for your PIA userid, the other for your password. Set 0600 permissions on both of these files e.g. “chmod 0600 /etc/ca.crt” and “chmod 0600 /etc/openvpn-password.txt”. You can exit SSH at this point.
-
In pfSense’s webConfigurator:
Click System - Cert Manager
-
On the CA tab, click +, type a description (e.g. Internal CA) using method “Create an internal Certificate Authority”, Reduce Lifetime to 1825 days (based on some posts that say leaving 10 year default causes issues) and fill in the Distinguished Name pieces as you see fit. Then click Save.
-
Now click on the Certificates tab, click +, select method “Create an internal certificate”, type a description (e.g. PIA OVPN), Reduce Lifetime to 1825 days, and select type “Certificate Authority.” Click Save.
Click VPN - OpenVPN
-
Select the Client tab and click the + icon and change the following settings, the rest remains at the default:
-
Server Host or Address: The Hostname of the PIA server used found: https://www.privateinternetaccess.com/pages/network/ e.g. us-east.privateinternetaccess.com
-
Check the Infinitely Resolve Server box.
-
Enter a Description (e.g. “Private Internet Access OpenVPN”)
-
Uncheck “Enable authentication of TLS packets”
-
Peer Certificate Authority: Internal CA
-
Client Certificate: PIA OVPN
-
Encryption Algorithm: BF-CBC (128-bit)
-
Check “Compress tunnel packets using the LZO algorithm”
-
Enter the following for Advanced at the bottom:
auth-user-pass /etc/openvpn-password.txt
ca /etc/ca.crt -
Click Save
-
Click Status - OpenVPN. The status should be "up" with your IP information listed. It may take 15-30 seconds to establish the connection. Click Status - System Logs - OpenVPN to troubleshoot if the connection does not come up.
-
Click Interfaces - Assign, click the + icon. A new interface should automatically populate with a network port of opvnc1, most likely with a name of OPT1.
-
Click Interfaces - OPT1
-
Enable the interface by placing a check in the box.
-
Enter a more apt description (e.g. change OPT1 to PIA)
-
Click Save
-
Click Firewall - NAT, then select the Outbound tab. Click the “Manual Outbound NAT rule generation” radio button and click Save.
-
Click Firewall – LAN, then edit the IPv4* and IPv6* Gateway to WAN_DHCP and WAN_DHCP6 respectively and click Save
-
Click Firewall – Aliases, then click the + icon (under the IP tab) to create a new alias. As mentioned above, Name it OVPN_hosts, Type Host(s) and add all IPs you want to pass over the PIA VPN, then click Save
-
Click Firewall - Rules and select the LAN tab
-
Click the click the + icon to create a new rule.
-
Protocol: Any
-
Source, Type: Single host or alias
-
Address: OVPN_hosts
-
Description: PIA VPN Rule
-
Gateway: Advanced, choose PIA
-
Click Save
-
Verify the rule you just created is listed ABOVE the Default Allow LAN to Any rules. Rules are processed from top to bottom. If necessary, move the rule to the top.
-
-
-
Click Firewall - NAT, then select the Outbound tab. Click the “Manual Outbound NAT rule generation” radio button and click Save.
-
Click Firewall – LAN, then edit the IPv4* and IPv6* Gateway to WAN_DHCP and WAN_DHCP6 respectively and click Save
These steps will not do any harm, but should not be needed.
a) Choosing Manual Outbound NAT and then not modifying/adding/removing any of the NAT rules means that it will in effect do exactly the same as Automatic would have done.
b) I presume this means "edit the default LAN to any rules and set the IPv4* and IPv6* Gateway to…" - those WAN GWs should already be the default route anyway. So the original rule should be already doing the required thing. -
-
I did something similar, but a little cleaner (see below), but I have an issue. I want to force the traffic from 192.168.0.111 to go through the VPN, and if the VPN is not connected, then that IP should not have internet access.
My settings:
-
In VPN/OpenVPN/Client/Advanced configuration, I've added route-nopull, which defaults all traffic to the WAN vs the VPN
-
In Firewall/NAT/Outbound, I've got a rule for source 192.168.0.111/32 for interface VPNI (attached to VPN client)
-
In Firewall/Rules/LAN, I've got a rule with source 192.168.0.111 using gateway VPNI which forces that IP through the firewall
-
Underneath that rule, I have the standard allow rule for all traffic through (default gateway)
My problem is, if the VPN goes down (simulated by changing the host to a bad host), 192.168.0.111 gets through the WAN interface. I want it to be blocked if the VPN is not running.
I've tried adding LAN rules to block, putting an if source not 192.168.0.111 on the last LAN rule, etc. Nothing seems to work. It either ends up blocking traffic for every IP, or allowing the host through without the VPN.
Any thoughts?
Thanks,
Ben -
-
I think you need to check System: Advanced: Miscellaneous, "Skip rules when gateway is down":
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down
pfSense is being nice to you, and making a rule to send your VPN traffic out the default gateway.
Then, IMHO, you will still need a block rule, after the rule feeding 192.168.0.111 to VPNI, and before the general allow all rule, that blocks traffic from source 192.168.0.111 -
I think you need to check System: Advanced: Miscellaneous, "Skip rules when gateway is down":
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down
pfSense is being nice to you, and making a rule to send your VPN traffic out the default gateway.
Then, IMHO, you will still need a block rule, after the rule feeding 192.168.0.111 to VPNI, and before the general allow all rule, that blocks traffic from source 192.168.0.111Had to upgrade to 2.1 from 2.0.3, but this worked like a charm. Thanks!
-
Thought I would share a bit of my experiences if it might help someone out. I created my own OpenVPN server on an Ubuntu 12.04LTS Server box. I put it in my parents house in the US as I currently reside in Canada but wanted US content. While I followed the examples above I still ran into a few issues which I had to overcome. The main one relevant to this post is that my Canadian DNSs didn't work over my US OpenVPN. So I just added both the Google DNSs. I also had to add the "route-nopull" to the advance portion of the OpenVPN Client interface. Additionally, and a little less relevant to this post, was I had the following errors come up in my OpenVPN when I was trying to connect:
Oct 12 19:57:45 openvpn[21699]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1544' Oct 12 19:57:45 openvpn[21699]: WARNING: 'cipher' is used inconsistently, local='cipher [null-cipher]', remote='cipher BF-CBC' Oct 12 19:57:45 openvpn[21699]: WARNING: 'keysize' is used inconsistently, local='keysize 0', remote='keysize 128'Thus I also had to add the following to the Advance portion of the client setup
keysize 128; link-mtu 1544;and change my cipher. So the moral of that is look at your log file. it'll help.
-
Hi All,
Having some issues with this setup. It looks like my VPN isn't connecting properly and i'm not sure why. In Status -> OpenVPN it shows that it's connected and when selecting the Gateway in my Firewall Rules its showing the OpenVPN IP next to it, but it doesn't seem to be routing the traffic properly, as i lose internet connectivity when routed through it.
I attempted to first route just that one IP and that didn't work, then i attempted ALL of my connections and that also didn't work. Can you give me some advice? I can provide logs or configs if you'd like to see.
-
I've tried adding LAN rules to block, putting an if source not 192.168.0.111 on the last LAN rule, etc. Nothing seems to work. It either ends up blocking traffic for every IP, or allowing the host through without the VPN.
I put this floating rule on WAN out on all my installations. There is simply never any legitimate reason to allow RFC1918 addresses to egress your WAN. Apply action immediately (quick) is checked.
You could use the same technique on the source IP/Network that you never want to allow out (if I'm understanding the problem correctly.) And floating rules allow you to select multiple interfaces so I have mine on LAN and DSL so it catches even if multiwan swings over for some reason.
 -
If someone could assist me with this I am happy to pay. I have to force specific traffic destined for internet to go to internet via the openvpn tunnel. Is there someone that can assist with this? Happy to pay if you know how to do this.
-
Hi All,
Having some issues with this setup. It looks like my VPN isn't connecting properly and i'm not sure why. In Status -> OpenVPN it shows that it's connected and when selecting the Gateway in my Firewall Rules its showing the OpenVPN IP next to it, but it doesn't seem to be routing the traffic properly, as i lose internet connectivity when routed through it.
I attempted to first route just that one IP and that didn't work, then i attempted ALL of my connections and that also didn't work. Can you give me some advice? I can provide logs or configs if you'd like to see.
Hi, I realise this is an old post, but wondering if you ever found out what was your problem? I am having exactly the same situation. I have set up the OpenVPN Client whose status says connected, the gateway, and NAT and Firewall rules. I set one machine via its IP address to route through the VPN tunnel, but nothing gets routed. Same if I try to route the whole subnet. The Gateway monitoring status shows as "Offline" but when selecting in the Firewall rules it does show the OpenVPN IP. In my case I'm using Witopia as VPN provider but I suspect that's not the issue.
-
Please start a new thread for your problem. Locking this one to prevent further necro.
