    Route some internet traffic over VPN over VPN

    • D
      drzoidberg33
      last edited by

      Hey all,

      I'm a bit out of my league here and need assistance.

      Okay, so what I have so far is an OpenVPN server set up on our office pfSense box where the staff can log in remotely to access the office network resources, no internet traffic goes over this link.

      I also now have another OpenVPN client I have setup to a server in Germany, this is added as an interface in pfSense and routing traffic over this VPN works perfectly.

      I now have to route certain websites over this German VPN, this works fine from the office but I want it to work over the office VPN when the staff are connected remotely too.

      Where would I start with this? I would appreciate any help or if somebody could point me to a thread that has info on this would also be much appreciated.

      TIA :)

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Put the same rules on the openvpn server interface that you put on office LAN to redirect certain websites over the VPN client to the server in Germany.

        Make sure the generic OpenVPN tab isn't catching the same traffic (I have taken to just deleting all the rules on the OpenVPN tab since going to assigned openvpn interfaces so I don't have to worry about this.)

        You'll need to add NAT rules for traffic going out the vpn client interface sourced from your openvpn remote access server.

        [Attachments: pfSense+VPN.png (network diagram), Screen Shot 2014-11-18 at 12.38.31 AM.png, Screen Shot 2014-11-18 at 12.36.45 AM.png]

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • D
          drzoidberg33
          last edited by

          Thanks for the great reply but I'm still a bit lost.

          What does your interface config look like for the OVPN Server? When I added an interface for my OVPN server everything stopped working over that VPN, it connects but no traffic goes through. I've added the outbound NAT rule and an allow all rule on the firewall (I'll add the specific rules once traffic is flowing).

          My OVPN server network is 10.0.8.0/24.

          I'm a bit confused here, sorry for being such a noob but networks are hard.

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            @drzoidberg33:

            Thanks for the great reply but I'm still a bit lost.

            What does your interface config look like for the OVPN Server? When I added an interface for my OVPN server everything stopped working over that VPN, it connects but no traffic goes through. I've added the outbound NAT rule and an allow all rule on the firewall (I'll add the specific rules once traffic is flowing).

            That's normal and expected.  Open the VPN client config and save it again (or otherwise restart it.)  This always happens when you add the VPN interface assignment.


            • D
              drzoidberg33
              last edited by

              Still having a battle here.

              I've now just tried to get it so that all internet traffic is routed through the VPN server, but now instead of the traffic going over the default WAN gateway it's going over the VPN client (the German one).

              I added this to my OVPN server:

              push "redirect-gateway def1";
              

              My default gateway is set to WAN0, but I'm getting this in my routes now which I think is causing the issue:

              The 172.27.232.1 gateway is the German OVPN client. The 196.210.116.129 is our local gateway and the one I want the VPN server traffic to go through. I have no idea why it's routing traffic through the German VPN now instead of the default gateway.

              Can somebody shine some light on this for me?

              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Paid OpenVPN servers usually push you a default route.  If you want to pick and choose what traffic you send over ovpnc3, add route-nopull; to its configuration then use policy routing to send select traffic over it.

                Also I'm not sure what we're looking at.  It looks like we're looking at a pfSense with a client that is getting a default route from its VPN server but it also has a server defined.  Pushing a default route from that server shouldn't affect the default route on that pfSense but on its clients connected to the defined server.

                You might need to draw a diagram.

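The two answers above describe one configuration: stop the German provider's pushed default route from taking over the box (`route-nopull`), put policy-routing rules on the assigned OpenVPN server interface so only the chosen destinations go out the client tunnel, and NAT that traffic out the client interface. The fragment below is an added example written for this thread, not configuration taken from the poster or from Netgate. Part (1) is the OpenVPN client "Custom options" text; part (2) shows the equivalent rules in pf.conf syntax, which is what pfSense generates from Firewall > Rules and Firewall > NAT > Outbound. The interface name `ovpns1` for the assigned office server, the `<german_sites>` table and its `203.0.113.0/24` member are assumptions made up for the example; `ovpnc3`, the `172.27.232.1` gateway and the `10.0.8.0/24` tunnel network come from the thread.

```conf
# --- (1) OpenVPN client to the German provider: "Custom options" field ---
# route-nopull: bring the tunnel up but ignore every route the provider
# pushes, including its default route, so WAN0 stays the default gateway.
# Traffic that should use the tunnel is selected by policy routing in (2).
route-nopull;

# --- (2) Rules on the assigned OpenVPN *server* interface, in pf.conf form ---
# Interface names are assumptions for this example:
#   ovpns1 = assigned office OpenVPN remote-access server interface
#   ovpnc3 = assigned OpenVPN client interface to the German server
table <german_sites> { 203.0.113.0/24 }   # constructed example destinations

# Remote-access users (tunnel network 10.0.8.0/24) going to <german_sites>
# are forced out the German tunnel via its gateway (route-to = pfSense
# "Gateway" option on the rule's Advanced section).
pass in quick on ovpns1 inet from 10.0.8.0/24 to <german_sites> \
    route-to (ovpnc3 172.27.232.1) keep state

# Everything else from the remote users follows the normal routing table
# (office LAN directly, Internet via WAN0).
pass in quick on ovpns1 inet from 10.0.8.0/24 to any keep state

# Outbound NAT: packets leaving ovpnc3 that originated on the remote-access
# tunnel must be translated to the ovpnc3 address, otherwise the German
# side has no route back to 10.0.8.0/24 and replies are dropped.
nat on ovpnc3 inet from 10.0.8.0/24 to any -> (ovpnc3)
```

Two checks worth making after applying this. First, as Derelict notes for the generic OpenVPN tab: pfSense evaluates interface-group rules before the assigned interface's own rules, so a pass-all rule left on the OpenVPN tab matches first, carries no gateway, and silently bypasses the `route-to` rule. Second, confirm with a route listing on pfSense that the default route still points at WAN0 after the client reconnects; if a `0.0.0.0/1` and `128.0.0.0/1` pair pointing at 172.27.232.1 reappears, the provider's pushed routes are still being accepted. Newer pfSense releases expose `route-nopull` as the "Don't pull routes" checkbox on the OpenVPN client page.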
