Netgate Discussion Forum

    Selective pfSense OpenVPN client usage i.e. for certain websites, how?

      tontoOz

      I want to set up pfSense to be used as a VPN client for a VPN provider such as NordVPN or similar. Presumably the steps in this forum provided for other VPN providers such as StrongVPN will help me to do that.

      However, I only want to route specific traffic via OpenVPN, e.g. all URLs associated with www.example1.com, www.example2.com etc to go through the OpenVPN client but for other traffic not to use the pfSense OpenVPN client. So this won't be specific to any LAN client but will apply to all LAN clients for all URLs of specific domains. Is there a way to do that? Please advise.

      Also, I know there is a web browser plugin from EFF but is there a way to make pfSense force websites to use https to the web browsers where https is supported by the website(s) in question?

      I would also like the pfSense box to provide NAT and SPI protection for the LAN clients.

        kesawi

        Add the following to the Custom ACLS (Before Auth) under Advanced Features in Proxy Server: General Settings, where <vpn_interface_ip> is the IP address of your OpenVPN client interface (e.g. 172.20.20.1):

        ##Send specific destinations via VPN
        acl dst_to_vpn dstdomain .example1.com .example2.com
        tcp_outgoing_address <vpn_interface_ip> dst_to_vpn
        

        You can also use regular expressions. E.g. if you wanted www.example.com, www.example.org, www.example.net, etc. to go via the VPN:

        ##Send specific regex destinations via VPN
        acl dst_to_vpn_regex dstdom_regex -i \.example\.
        tcp_outgoing_address <vpn_interface_ip> dst_to_vpn_regex
        

        Note that this only works with a static IP on your OpenVPN client interface.

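Added example (not part of kesawi's post and not pfSense or Squid code): a small Python model of how the two ACL types above pick hosts for the VPN outgoing address. It shows that the unanchored `\.example\.` pattern misses the bare domain and also matches unrelated hosts that merely contain `.example.`; the sample hostnames and the anchored pattern are constructed for illustration, and 172.20.20.1 is the example address from the post.

```python
import re

VPN_IP = "172.20.20.1"  # example interface address from the post

# ACL values from the post.
DSTDOMAIN = [".example1.com", ".example2.com"]
POST_REGEX = re.compile(r"\.example\.", re.IGNORECASE)  # dstdom_regex -i \.example\.
# Assumption: an anchored alternative constructed for this example, not from the post.
ANCHORED_REGEX = re.compile(r"(^|\.)example\.(com|org|net)$", re.IGNORECASE)


def dstdomain_match(host, patterns):
    """Simplified dstdomain model: a leading dot covers the domain and its subdomains."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith(".") and (host == pat[1:] or host.endswith(pat)):
            return True
        if host == pat:
            return True
    return False


def outgoing_address(host, regex=None):
    """VPN_IP if a tcp_outgoing_address ACL would match, else None (default route)."""
    if dstdomain_match(host, DSTDOMAIN):
        return VPN_IP
    if regex is not None and regex.search(host.rstrip(".")):
        return VPN_IP
    return None


def differences(hosts):
    """Hosts that the post's regex and the anchored regex route differently."""
    return [h for h in hosts
            if outgoing_address(h, POST_REGEX) != outgoing_address(h, ANCHORED_REGEX)]


# Constructed sample hostnames (not taken from any real log).
SAMPLE_HOSTS = [
    "www.example.com",             # intended target
    "example.com",                 # bare domain: no leading ".", missed by \.example\.
    "WWW.EXAMPLE.ORG",             # -i makes the match case-insensitive
    "www.example.com.other.test",  # unrelated host that merely contains ".example."
    "shop.example1.com",           # covered by the dstdomain ACL
    "www.unrelated.test",          # takes the normal WAN route
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:28} post={outgoing_address(h, POST_REGEX)} "
              f"anchored={outgoing_address(h, ANCHORED_REGEX)}")
    print("routed differently:", differences(SAMPLE_HOSTS))
```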
          tontoOz

          @kesawi:

          Note that this only works with a static IP on your OpenVPN client interface.

          Many VPN providers, e.g. NordVPN, specify the DNS name of the server, e.g. br1.nordvpn.com, rather than the actual IP address of the VPN server.
          For sure, I can get the IP address by doing an nslookup, which in the case of this NordVPN would give an IP address of 181.41.210.93 but there must be a reason that VPN providers specify the DNS name of the server?

          Could someone please clarify or advise how the name of the server can be used instead of the IP address in the above example?

          https://nordvpn.com/servers/

            Derelict LAYER 8 Netgate

            @tontoOz:

            Could someone please clarify or advise how the name of the server can be used instead of the IP address in the above example?

            Completely unrelated to this thread but Server host or address in the OpenVPN client config takes a hostname or IP address.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.