Only local Traffic through openvpn



  • Hi,

    I'm migrating from a qnap openvpn server to pfsense (road-warrior, not site2site) and I don't know how to configure the following:

    when using qnap's openvpn server I could add
    route-nopull
    route 192.168.178.0 255.255.255.0
    to my openvpn-config and only traffic for that local net went through the tunnel.

    now in pfsense that trick does not work anymore
    I did not check the "Redirect Gateway" checkbox. anywhere else to look at?

    Thanks & KR
    Thomas



  • Hi,

    enter your subnets you want to route over vpn in "Local Network(s)" field. pfSense pushes these route to the client when it is connecting to server.



  • thanks for the suggestion but I already have:
    192.168.178.0/24
    but I get my default-route mangled anyway… :-|
    anywhere else to look at?


  • Netgate

    pfSense works the same as qnap according to your first post.

    Something is setting the default gateway on the client?

    What are the specifics of the client?  Can you post the client config?



  • gnahh
    while compiling all the details to this post I just mentioned that it just works like you described!  :o ;D 8)
    don't know if it was because of a restart of pfsense or what… (I restarted the box several times on the weekend while I was trying)

    I now do get the behaviour that only the "local networks" get routed through the tunnel. I don't get a defaultroute pointing into the tunnel - so I don't have to use route-nopull any more.

    If I would like to let the clients decide (per different configs) if they want only the local subnet to be routed or the defaultroute going through the tunnel: do I have to setup two openvpn-instances in pfsense and check "Redirect Gateway" in one server-config?
    Or can I configure that into one server?

    thank you very much for your help!



  • @crumpr:

    If I would like to let the clients decide (per different configs) if they want only the local subnet to be routed or the defaultroute going through the tunnel: do I have to setup two openvpn-instances in pfsense and check "Redirect Gateway" in one server-config?
    Or can I configure that into one server?

    The "Locale Networks" and "Redirect Gateway" in server config just pushes either the default route or a route to particular subnet(s) to the client.
    You may give your client special configurations on a unique server. You can do this also at server side with "client specific overrides".

    In addition you have to care on server side to allow the traffic and that it is natted correctly when it's going out to the internet.



  • ok, thank you very much for your help viragomann and Derelict!!  :) :) :)



  • just recognized what my problem was:
    I opened the thread when I experienced the same like the guy here: http://askubuntu.com/questions/254031/change-openvpn-clients-default-route
    Ubuntu adds a default-route by itself if you don't check the "use this connection only for resources on this network"

    When I tried to compile the mail with all configs and details I used the commandline client. thats why it worked like expected.

    just for the records.