Netgate Discussion Forum
    OpenVPN Route

jmwachtel

Is it possible to set up the OpenVPN client to force a single IP on the network to flow through it? If so, how is this done? Everything I have found reroutes all traffic (which I still couldn't get to work right…).
HC

Can you clarify a little more please. Did you mean that after you establish a VPN tunnel to pfSense you want all traffic generated after the tunnel has been established to then go through the tunnel? But leave all existing routes (traffic) to stay the way it was?
jmwachtel

Not quite. I want to have the router be the OpenVPN client, but only use that tunnel for one PC on the network, and bypass the tunnel for all other PCs. Does that help?
divsys

Just trying to understand your setup -

Is OpenVPN client or OpenVPN server (or both) running under pfSense?

If the client is running under pfSense, you should be able to use firewall rules to limit access to the remote subnet to a single IP address on the client's LAN.

-jfp
jmwachtel

pfSense is running OpenVPN client. Here is my goal:

Internet <-> OpenVPN Client <-> LAN <-> PC #1
                                 |
                                 <-> SAME LAN AS ABOVE <-> Other PCs

Not sure if all those are in the correct order. So I just want in/out traffic to the outside world passed through the OpenVPN tunnel for a single IP address. What exactly has to happen for me to do that? Do I have to put it on another subnet?
divsys

Your diagram looks a little odd to me as I don't see where the pfSense box resides.

Did you mean: (?)

Internet <-> WAN-[pfSense w/OpenVPN Client] <-> LAN <-> PC #1
                                                 |
                                                 <-> SAME LAN AS ABOVE <-> Other PCs

I'm guessing your OpenVPN client connects to some other network LAN/subnet and you only want PC#1 to have access to that network. All you need is a firewall rule under LAN checking for PC#1's IP address and allowing access to the OpenVPN network. You can even use a blocking rule that says if the LAN IP is NOT PC#1's IP address, then block access to the OpenVPN network, followed by a rule that allows all OpenVPN access.

A lot of the rule setup depends on how and why you're trying to limit access.

Some more information about what OpenVPN network you're actually connecting to or your need to limit access would be helpful.

-jfp
HC

Okay, what you're trying to do can be done, but also, are you trying to isolate this client away from your LAN?

ex: you have pc 2,3,4 on your LAN and they can talk to each other but pc 1 (on vpn network) cannot talk to pc 2,3,4
or
ex: you have pc 1,2,3,4 on your LAN but pc 2,3,4 use your local gateway for internet access and pc 1 uses the tunnel?

if you're trying to use example 2 then you'll have to do this in your rules on your LAN, make a rule at the top saying
allow:any from source:pc1 on port:any to destination:any on port:any
and in the advanced settings you'll have to set the gateway as the tunnel's remote gateway to force it to the other network.

if you want to isolate it like in example 1 then there's a whole other part to that setup.
jmwachtel

Yes, that is correct. I am going for example 2. I have tried several tutorials and have been unable to get the VPN to work correctly (seems to be connected, but not yet working). Still trying to figure out why. I will post back after I have a question to ask.
jmwachtel

The problem was on the server side and kept me busy for quite some time. Everything is working the way it should. The only other thing I would like to do is when the VPN goes down, I would like the PC that is using the VPN to not use the WAN connection. It should only be able to go through the VPN tunnel.
jmwachtel

How would I do that?
viragomann

Add an additional rule to the LAN interface underneath the one that directed PC #1 over VPN, that blocks any traffic from this PC to anywhere.
If you have additional subnets on other interfaces that should be accessible you have to exclude this.

This rule is applied only if VPN is down.
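The LAN rule set described in HC's reply (policy-route PC #1 into the tunnel) and viragomann's reply (block PC #1 when the tunnel is down), written out as an added illustration in pf.conf syntax, the rule language pfSense generates from its GUI rules; it is not from the thread or from pfSense itself. Interface names, addresses and the second internal subnet are assumed values.

```pf
# Assumed values (not from the thread): LAN is em1, PC #1 is 192.168.1.50,
# the OpenVPN client interface is ovpnc1 with remote gateway 10.8.0.1, and
# 192.168.2.0/24 is a second internal subnet that PC #1 should still reach.
lan_if       = "em1"
lan_net      = "192.168.1.0/24"
pc1          = "192.168.1.50"
ovpn_if      = "ovpnc1"
ovpn_gw      = "10.8.0.1"
internal_net = "192.168.2.0/24"

# 1) Exclusion viragomann mentions: internal traffic from PC #1 is matched
#    first, so it is neither sent into the tunnel nor hit by the block below.
pass in quick on $lan_if inet from $pc1 to $internal_net keep state

# 2) HC's rule: everything else from PC #1 is policy-routed out the VPN.
#    The "Gateway" field in the GUI rule's advanced settings becomes route-to.
pass in quick on $lan_if route-to ( $ovpn_if $ovpn_gw ) inet from $pc1 to any keep state

# 3) viragomann's rule: when the tunnel is down and rule 2 is not loaded,
#    PC #1 must not fall through to the default (WAN) route, so block it.
block in quick on $lan_if inet from $pc1 to any

# 4) Every other LAN host keeps using the normal default route via WAN.
pass in quick on $lan_if inet from $lan_net to any keep state
```

In pfSense the fall-through to rule 3 only happens if "Skip rules when gateway is down" (System > Advanced > Miscellaneous) is enabled; with it disabled, a rule whose gateway is down is still loaded without its route-to, so PC #1 would leave via WAN instead of being blocked. Verify the behaviour by taking the tunnel down and confirming PC #1 has no connectivity while the other LAN hosts do.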