OpenVPN Route



  • Is it possible to set up the OpenVPN client to force a single IP on the network to flow through it?  If so, how is this done?  Everything I have found reroutes all traffic (which I still couldn't get to work right…).



  • Can you clarify a little more please. Did you mean that after you establish a VPN tunnel to pfSense you want all traffic generated after the tunnel has been established to then go through the tunnel? But leave all existing routes (traffic) to stay the way it was?



  • Not quite.  I want to have the router be the OpenVPN client, but only use that tunnel for one PC on the network, and bypass the tunnel for all other PCs.  Does that help?



  • Just trying to understand your setup -

    Is OpenVPN client or OpenVPN server (or both) running under pfsense?

    If the client is running pfsense, you should be able to use firewall rules to limit access to the remote subnet to a single IP address on the client's LAN.



  • pfSense is running OpenVPN client.  Here is my goal:

    Internet <-> OpenVPN Client <-> LAN <->PC #1
                  |
                <-> SAME LAN AS ABOVE <-> Other PCs

    Not sure if all those are in the correct order.  So I just want in/out traffic to the outside world passed through the OpenVPN tunnel for a single IP address.  What exactly has to happen for me to do that?  Do I have to put it on another subnet?



  • Your diagram looks a little odd to me as I don't see where the pfsense box resides.

    Did you mean: (?)

    Internet <-> WAN-[pfsense w/OpenVPN Client] <-> LAN <-> PC #1
                                                      |
                                                      <-> SAME LAN AS ABOVE <-> Other PCs

    I'm guessing your OpenVPN client connects to some other network LAN/subnet and you only want PC#1 to have access to that network.  All you need is a firewall rule under LAN checking for PC#1's IP address and allowing access to the OpenVPN network.  You can even use a blocking rule that says if the LAN IP is NOT PC#1's IP address, then block access to the OpenVPN network followed by a rule that allows all OpenVPN access.

    A lot of the rule setup depends on how and why you're trying to limit access.

    Some more information about what OpenVPN network you're actually connecting to or your need to limit access would be helpful.



  • okay, what you're trying to do can be done but, also are you trying to isolate this client away from your LAN?

    ex: you have pc 2,3,4 on your LAN and they can talk to each other but pc 1 (on vpn network) cannot talk to pc 2,3,4
    or
    ex: you have pc 1,2,3,4 on your LAN but pc 2,3,4 use your local gateway for internet access and pc 1 uses the tunnel?

    if you're trying to use example 2 then you'll have to do this in your rules on your LAN, make a rule at the top saying
    allow:any from source:pc1 on port:any to destination:any on port:any
    and in the advanced settings you'll have to set the gateway as the tunnels remote gateway to force it to the other network.

    if you want to isolate it like in example 1 then there's a whole other part to that setup.



  • Yes, that is correct.  I am going for example 2.  I have tried several tutorials and have been unable to get the VPN to work correctly (seems to be connected, but not yet working).  Still trying to figure out why.  I will post back after I have a question to ask.



  • The problem was on the server side and kept me busy for quite some time.  Everything is working the way it should.  The only other thing I would like to do is when the VPN goes down, I would like the PC that is using the VPN to not use the WAN connection.  It should only be able to go through the VPN tunnel.



  • How would I do that?



  • Add an additional rule to LAN interface underneath the one that directed PC #1 over VPN, that blocks any traffic from this PC to anywhere.
    If you have additional subnets on other interfaces that should be accessible you have to exclude this.

    This rule is applied only if VPN is down.
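To see why the rule order in the two answers above matters (the "pass PC #1 via VPN gateway" rule from the earlier reply, then the "block PC #1" rule from the last one), here is an added example that is not from this thread or from pfSense: a small first-match evaluator of a LAN rule list. It assumes constructed addresses for PC #1, a second PC and a second internal subnet, and it assumes, as the last reply describes, that a rule whose gateway is down is skipped so the next rule decides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Set

# Constructed sample addressing (not from the thread).
PC1, PC2 = "192.168.1.10", "192.168.1.20"
LAN_NET, OTHER_NET = "192.168.1.0/24", "192.168.2.0/24"
INTERNET_HOST, OTHER_HOST = "203.0.113.5", "192.168.2.7"


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # host or CIDR
    dst: str = "any"               # host, CIDR or "any"
    gateway: Optional[str] = None  # policy-route gateway; None = default route


def _in(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def route_for(rules: List[Rule], src: str, dst: str, gateways_up: Set[str]) -> str:
    """First-match evaluation, like pfSense's 'quick' rules.
    A rule tied to a gateway that is down is skipped (assumption from the thread).
    Returns the gateway name, 'default' (plain WAN routing) or 'blocked'."""
    for r in rules:
        if not (_in(r.src, src) and _in(r.dst, dst)):
            continue
        if r.gateway is not None and r.gateway not in gateways_up:
            continue  # VPN down: fall through to the next rule
        if r.action == "block":
            return "blocked"
        return r.gateway or "default"
    return "blocked"  # implicit default deny at the end of the list


# Rule list as described in the thread, top to bottom:
#  1. PC #1 to the other internal subnet stays off the tunnel (the exclusion
#     the last reply mentions) and must sit above the VPN and block rules.
#  2. PC #1 to anywhere else is policy-routed through the VPN gateway.
#  3. Kill switch: if rule 2 was skipped because the VPN is down, block PC #1.
#  4. Everyone else on the LAN uses the default (WAN) route.
LAN_RULES = [
    Rule("pass", PC1, dst=OTHER_NET),
    Rule("pass", PC1, gateway="VPN_GW"),
    Rule("block", PC1),
    Rule("pass", LAN_NET),
]

# Without rule 3, PC #1 would leak to the WAN whenever the tunnel is down.
LEAKY_RULES = [Rule("pass", PC1, gateway="VPN_GW"), Rule("pass", LAN_NET)]
```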