Netgate Discussion Forum

    Route all traffic for a VLAN through OpenVPN

    OpenVPN
    5 Posts 4 Posters 16.5k Views
    Zygote

      So I've set up my OpenVPN client in pfSense which successfully connects to my OpenVPN server (located off-site). However, I want all traffic to and from a specific VLAN to be routed through that OpenVPN connection and I'm not quite sure how to go about it. I've been reading a couple of guides here and there but they all take different approaches and none of them match my use case. Could anyone give me any pointers?

      Thanks!

      gnhb

        I want to do the same thing, but I'm unsuccessful.

        I tried this guide (link below), which said to use Policy based routing in firewall rules, but no packets get through the tunnel. I get "No route to host" when I try to ping the tunnel gateway IP on the openvpn server from VLAN clients, but I can ping it from pfSense.

        I'm not familiar enough with pf to understand policy based routing, or to even dump the rules to check that the GUI got the rule configured correctly.

        Make sure to check "Do Not Pull routes" in the VPN client config on pfSense GUI.

        Link: https://forum.pfsense.org/index.php?topic=91066.0

        heper

          1. create an openvpn tunnel (you probably have done that)
          2. assign an interface to your openvpn tunnel (interfaces -> assign)
          3. configure the interface, and set configuration-type to "none"
          4. restart openvpn
          5. create a gateway for your openvpn-interface; only if not done automatically (system -> routing -> gateways)
          6. create a firewall rule on "VLAN-XX" and create a PASS * * * gateway: openvpn-GW

          also there are numerous posts on this forum that explain it in detail: https://forum.pfsense.org/index.php?topic=29944.0

          Zygote

            @heper:

            1. create an openvpn tunnel (you probably have done that)
            2. assign an interface to your openvpn tunnel (interfaces -> assign)
            3. configure the interface, and set configuration-type to "none"
            4. restart openvpn
            5. create a gateway for your openvpn-interface; only if not done automatically (system -> routing -> gateways)
            6. create a firewall rule on "VLAN-XX" and create a PASS * * * gateway: openvpn-GW

            also there are numerous posts on this forum that explain it in detail: https://forum.pfsense.org/index.php?topic=29944.0

            Thanks! I got it working. However, I do have one question. I have noticed that the OpenVPN connection at one point disconnected from the VPN server. The VLAN routed through the OpenVPN could still access the internet but now it goes outside the VPN.

            How can I make it so that said VLAN won't get internet access at all if the VPN connection is down? I figured the OpenVPN GW would just drop all traffic not going through the VPN, but that's seemingly not the case, as it seems like the traffic is bypassing the openvpn gw when the openvpn connection is down.

            Thanks

            Derelict (LAYER 8, Netgate)

              I like this method:

              https://forum.pfsense.org/index.php?topic=84463.msg463226#msg463226

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

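As an added illustration (not written by any poster in this thread, and not pfSense's own generated output), the ruleset below shows what heper's step 6 and the kill switch Zygote asked about, in the NO_WAN_EGRESS form Derelict's link refers to, look like as pf rules of the kind pfSense writes to /tmp/rules.debug. All names and addresses are assumed: igb0 as WAN, igb1.20 as "VLAN-XX" with subnet 192.168.20.0/24, ovpnc1 as the interface assigned to the OpenVPN client in step 2, 10.8.0.1 as the remote tunnel address behind openvpn-GW, and 192.168.1.0/24 as a local LAN the VLAN should still reach directly. "Do Not Pull routes" (gnhb's note above) is assumed to be checked so the server cannot push a default route that overrides the policy routing.

```pf
# Constructed example names and addresses:
#   igb0           = WAN interface
#   igb1.20        = "VLAN-XX", subnet 192.168.20.0/24
#   ovpnc1         = interface pfSense assigns to the first OpenVPN client instance
#   10.8.0.1       = remote tunnel gateway address, i.e. openvpn-GW from step 5
#   192.168.1.0/24 = local LAN that must stay reachable without the tunnel

# Outbound NAT on the tunnel interface (Firewall -> NAT -> Outbound, hybrid or
# manual mode). Without it the far end sees 192.168.20.x sources and replies
# never come back through the tunnel.
nat on ovpnc1 inet from 192.168.20.0/24 to any -> (ovpnc1)

# Rules on the VLAN interface. pf evaluates top-down; the first "quick" match wins.

# 1. Local destinations bypass the tunnel. Without this rule the route-to in
#    rule 2 would push LAN-bound packets into the VPN as well.
pass in quick on igb1.20 inet from 192.168.20.0/24 to 192.168.1.0/24 keep state

# 2. heper's step 6: PASS * * * with gateway openvpn-GW. The GUI's gateway
#    field becomes route-to; the tag is the NO_WAN_EGRESS marker that rule 4
#    matches on.
pass in quick on igb1.20 route-to ( ovpnc1 10.8.0.1 ) inet \
    from 192.168.20.0/24 to any keep state tag NO_WAN_EGRESS

# 3. Kill switch, part A: whatever is left on the VLAN is dropped. This only
#    takes effect if rule 2 disappears while the gateway is down, which needs
#    System -> Advanced -> Miscellaneous -> "Skip rules when gateway is down"
#    checked. Left unchecked (the default), pfSense writes rule 2 without the
#    route-to when the gateway is down, so VLAN traffic follows the default
#    route out igb0, which is the bypass Zygote saw.
block in quick on igb1.20 inet from 192.168.20.0/24 to any

# 4. Kill switch, part B (a floating rule, direction out, interface WAN):
#    a tagged packet that reaches the WAN by any path is dropped there, so
#    the VLAN cannot leak even if the rule ordering above changes.
block out quick on igb0 tagged NO_WAN_EGRESS
```

To confirm the GUI produced what was intended, the loaded rules can be dumped on the pfSense shell with `pfctl -sr` and filtered for `route-to` or `NO_WAN_EGRESS`; the generated ruleset is also readable in /tmp/rules.debug, and `pfctl -ss` lists the states so a VLAN client's connections can be checked for the ovpnc1 route. Note that rule 4 catches new packets only; states opened through the tunnel while it was up keep their original route-to until they expire or are killed.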
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.