Route some internet traffic over VPN over VPN



  • Hey all,

    I'm a bit out of my league here and need assistance.

    Okay, so what I have so far is an OpenVPN server set up on our office pfSense box where the staff can log in remotely to access the office network resources; no internet traffic goes over this link.

    I also now have another OpenVPN client I have set up to a server in Germany; this is added as an interface in pfSense, and routing traffic over this VPN works perfectly.

    I now have to route certain websites over this German VPN. This works fine from the office, but I want it to work over the office VPN when the staff are connected remotely too.

    Where would I start with this? I would appreciate any help, or if somebody could point me to a thread that has info on this, that would also be much appreciated.

    TIA :)


  • Netgate

    Put the same rules on the openvpn server interface that you put on office LAN to redirect certain websites over the VPN client to the server in Germany.

    Make sure the generic OpenVPN tab isn't catching the same traffic (I have taken to just deleting all the rules on the OpenVPN tab since going to assigned openvpn interfaces so I don't have to worry about this.)

    You'll need to add NAT rules for traffic going out the vpn client interface sourced from your openvpn remote access server.

    ![Screen Shot 2014-11-18 at 12.38.31 AM.png](/public/imported_attachments/1/Screen Shot 2014-11-18 at 12.38.31 AM.png)
    ![Screen Shot 2014-11-18 at 12.36.45 AM.png](/public/imported_attachments/1/Screen Shot 2014-11-18 at 12.36.45 AM.png)



  • Thanks for the great reply but I'm still a bit lost.

    What does your interface config look like for the OVPN server? When I added an interface for my OVPN server, everything stopped working over that VPN: it connects, but no traffic goes through. I've added the outbound NAT rule and an allow-all rule on the firewall (I'll add the specific rules once traffic is flowing).

    My OVPN server network is 10.0.8.0/24.

    I'm a bit confused here, sorry for being such a noob but networks are hard.


  • Netgate

    @drzoidberg33:

    Thanks for the great reply but I'm still a bit lost.

    What does your interface config look like for the OVPN server? When I added an interface for my OVPN server, everything stopped working over that VPN: it connects, but no traffic goes through. I've added the outbound NAT rule and an allow-all rule on the firewall (I'll add the specific rules once traffic is flowing).

    That's normal and expected. Open the VPN client config and save it again (or otherwise restart it). This always happens when you add the VPN interface assignment.



  • Still having a battle here.

    I've now just tried to get it so that all internet traffic is routed through the VPN server, but now, instead of the traffic going over the default WAN gateway, it's going over the VPN client (the German one).

    I added this to my OVPN server:

    push "redirect-gateway def1";

    My default gateway is set to WAN0, but I'm getting this in my routes now, which I think is causing the issue:

    The 172.27.232.1 gateway is the German OVPN client. The 196.210.116.129 is our local gateway and the one I want the VPN server traffic to go through. I have no idea why it's routing traffic through the German VPN now instead of the default gateway.

    Can somebody shine some light on this for me?


  • Netgate

    Paid OpenVPN servers usually push you a default route. If you want to pick and choose what traffic you send over ovpnc3, add route-nopull; to its configuration, then use policy routing to send select traffic over it.

    Also, I'm not sure what we're looking at. It looks like we're looking at a pfSense with a client that is getting a default route from its VPN server, but it also has a server defined. Pushing a default route from that server shouldn't affect the default route on that pfSense, but on its clients connected to the defined server.

    You might need to draw a diagram.
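The combination the thread arrives at (route-nopull on the German client so its pushed default route never lands in the pfSense routing table, outbound NAT on the client interface for the remote-access tunnel network, and the same policy-routing rules on the assigned server interface as on LAN) can be written out as the pf rules that pfSense generates from those GUI rules. The block below is an added illustration, not Netgate's configuration or anything posted in the thread. It assumes the remote-access server is assigned as ovpns1 and the LAN is em0 with 192.168.1.0/24 (all constructed); ovpnc3, its gateway 172.27.232.1 and the tunnel network 10.0.8.0/24 are taken from the thread, and the destination table holds constructed documentation addresses.

```pf
# Added example of the pf rules behind the GUI rules discussed in the thread.
# Assumptions (not on the page): LAN is em0 / 192.168.1.0/24, the remote-access
# OpenVPN server is assigned as ovpns1. From the thread: German client ovpnc3,
# its gateway 172.27.232.1, remote-access tunnel network 10.0.8.0/24.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
ras_if  = "ovpns1"
ras_net = "10.0.8.0/24"
de_if   = "ovpnc3"
de_gw   = "172.27.232.1"

# Constructed placeholder destinations that must leave via Germany.
table <german_sites> { 203.0.113.0/24, 198.51.100.10 }

# Outbound NAT on the German client interface. Both the office LAN and the
# remote-access tunnel network must be translated to the interface address,
# otherwise the German side has no return path for 10.0.8.0/24 and replies
# are dropped (the "connects but no traffic" symptom).
nat on $de_if from { $lan_net, $ras_net } to any -> ($de_if)

# Policy routing on LAN: only the selected destinations are handed to the
# German gateway; everything else follows the routing table (default = WAN).
pass in quick on $lan_if route-to ($de_if $de_gw) \
    from $lan_net to <german_sites> keep state
pass in quick on $lan_if from $lan_net to any keep state

# Identical pair on the assigned remote-access server interface, so staff
# connected over the office VPN get the same treatment as the office LAN.
pass in quick on $ras_if route-to ($de_if $de_gw) \
    from $ras_net to <german_sites> keep state
pass in quick on $ras_if from $ras_net to any keep state

# Caveat from the thread: pfSense evaluates rules on the generic "OpenVPN"
# interface group before rules on assigned interfaces. A leftover
# "pass from any to any" there matches first and skips the route-to above,
# so that tab must not catch the same traffic.
```

With route-nopull set on the ovpnc3 client, the only way packets reach 172.27.232.1 is through the route-to rules, which is what keeps the default gateway on WAN0 while the selected sites still exit via Germany; a quick check after applying is a traceroute from a remote-access client to one address inside the table and one outside it, which should show different first hops.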