Internet Through OpenVPN GW ONLY (Fail to no Internet)



  • Hey guys, I have tried searching but could not find the exact answer to this. So I have a dedicated public IP for this scenario and a dedicated pfSense instance. Currently I have an OpenVPN setup and I have all traffic routing through this VPN, so any client pointed to the firewall is accessing the Internet through the VPN.

    What I really want is that if the VPN fails for some reason, the Internet connection goes down. As of right now, if I stop the OpenVPN service the Internet still works for clients but is using my real IP address.

    Every time I put a rule in place that blocks traffic from the LAN, it blocks it whether or not I am connected to the VPN.

    Is there a way to prevent the WAN interface from talking to anything but my OpenVPN IP address?

    Sjgieson



  • @sjgieson:

    Hey guys, I have tried searching but could not find the exact answer to this.

    You can find the answer in the OpenVPN area of this forum.

    In short, pfSense only permits traffic that is allowed by rules. So you can achieve this by modifying the "allow everything to anywhere" rule on the LAN tab: go down to Advanced settings > Gateway and select your VPN gateway. Then traffic is permitted over the VPN only.



  • Thanks for the reply, I am already configured this way. However, if I kill OpenVPN, even though this is my only LAN rule (VPN GW specified), it still flows out the default gateway.

    Best I can tell, this is a bug in the firewall portion, not the OpenVPN…



  • Well, looking over the documentation again, I thought I would try altering the outbound NAT rules. I wound up with the below, which only allows the source port of the OpenVPN connection to NAT through the WAN interface. This does the trick…

    Interface  Source      Source Port  Destination  Destination Port  NAT Address   NAT Port  Static Port  Description
    VPN1       x.x.x.0/24  *            *            *                 VPN1 address  *         NO           VPN Bound
    WAN        x.x.x.0/24  1194         *            *                 WAN address   *         NO           WAN BOUND
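
The table above closes the leak because, once the generic WAN entry is gone, no outbound NAT rule on WAN matches LAN-sourced traffic any more; the firewall's own OpenVPN session originates from the WAN address and does not pass through outbound NAT at all. Written out as a pf.conf fragment, the fail-closed design looks like the block below. This is an added illustration, not text from the thread and not the ruleset pfSense generates from its GUI; the interface names (em0, em1, ovpnc1), the LAN subnet, the tunnel gateway and the OpenVPN server address are assumed placeholders.

```pf
# Added example (not from the thread, not pfSense's generated rules):
# a fail-closed "LAN only ever leaves through the tunnel" ruleset in pf syntax.
# All names and addresses below are assumed placeholders.
wan_if     = "em0"
lan_if     = "em1"
vpn_if     = "ovpnc1"            # pfSense's OpenVPN client interface
lan_net    = "192.168.1.0/24"
vpn_gw     = "10.8.0.1"          # far end of the tunnel
vpn_server = "203.0.113.10"      # OpenVPN server, UDP 1194

# --- The leaky shape: LAN is translated on BOTH exits ---
# nat on $wan_if from $lan_net to any -> ($wan_if)
# nat on $vpn_if from $lan_net to any -> ($vpn_if)
# With the tunnel down, LAN packets that fall back to the default route are
# still rewritten to the WAN address and reach the Internet with the real IP.

# --- Fail-closed shape: LAN is translated on the tunnel interface only ---
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Policy-route everything from LAN into the tunnel.
pass in quick on $lan_if inet from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state

# The firewall's own OpenVPN control/data channel is the only traffic
# WAN has to carry; it comes from the WAN address, not from LAN.
pass out quick on $wan_if inet proto udp from ($wan_if) \
    to $vpn_server port 1194 keep state

# Belt and braces: any LAN-sourced packet that still reaches WAN
# (tunnel down, policy route fell back to the default route) is dropped
# with its private source address instead of being leaked.
block drop out quick on $wan_if inet from $lan_net to any
```

Two practical notes. First, the fallback the thread observed is pfSense gateway monitoring, not a firewall bug: by default, when a rule's gateway is marked down, pfSense loads that rule without the gateway, so matching traffic follows the default route. Enabling "Skip rules when gateway is down" (System > Advanced > Miscellaneous) omits the rule entirely instead, which, together with the default deny, is another way to get the fail-closed behaviour. Second, verify the result the way the original poster did: stop the OpenVPN client on the firewall and confirm that a LAN client can no longer reach the Internet at all, rather than reaching it from the WAN address.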