Selective pfSense OpenVPN client usage i.e. for certain websites, how?



  • I want to set up pfSense to be used as a VPN client for a VPN provider such as NordVPN or similar. Presumably the steps in this forum provided for other VPN providers such as StrongVPN will help me to do that.

    However, I only want to route specific traffic via OpenVPN, e.g. all URLs associated with www.example1.com, www.example2.com etc. to go through the OpenVPN client but for other traffic not to use the pfSense OpenVPN client. So this won't be specific to any LAN client but will apply to all LAN clients for all URLs of specific domains. Is there a way to do that? Please advise.

    Also, I know there is a web browser plugin from EFF but is there a way to make pfSense force websites to use https to the web browsers where https is supported by the website(s) in question?

    I would also like the pfSense box to provide NAT and SPI protection for the LAN clients.



  • Add the following to the Custom ACLs (Before Auth) under Advanced Features in Proxy Server: General Settings, where _<vpn_interface_ip>_ is the IP address of your OpenVPN client interface (e.g. 172.20.20.1):

    ##Send specific destinations via VPN
    acl dst_to_vpn dstdomain .example1.com .example2.com
    tcp_outgoing_address <vpn_interface_ip> dst_to_vpn
    

    You can also use regular expressions. E.g. if you wanted www.example.com, www.example.org, www.example.net, etc. to go via the VPN:

    ##Send specific regex destinations via VPN
    acl dst_to_vpn_regex dstdom_regex -i \.example\.
    tcp_outgoing_address <vpn_interface_ip> dst_to_vpn_regex
    

    Note that this only works with a static IP on your OpenVPN client interface.
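    A way to check what a fragment like this will actually do before deploying it, as an added example that is not from the thread, from Squid or from pfSense: a small Python model of Squid's dstdomain and dstdom_regex matching plus the first-match rule for tcp_outgoing_address. It shows that a leading dot covers a domain and its subdomains only, while the `\.example\.` regex also sends unrelated hosts such as www.example.attacker.net through the VPN, so anchor such a regex or prefer dstdomain lists. The 172.20.20.1 address is the placeholder value from the answer above, and the fragment is constructed here.

```python
import re

# Constructed squid.conf fragment following the answer above; 172.20.20.1 is
# the placeholder OpenVPN client interface address used in that answer.
SQUID_FRAGMENT = r"""
##Send specific destinations via VPN
acl dst_to_vpn dstdomain .example1.com .example2.com
tcp_outgoing_address 172.20.20.1 dst_to_vpn
##Send specific regex destinations via VPN
acl dst_to_vpn_regex dstdom_regex -i \.example\.
tcp_outgoing_address 172.20.20.1 dst_to_vpn_regex
"""

def parse_fragment(text):
    """Return (acls, rules): acl name -> (type, ignore_case, patterns);
    rules -> list of (outgoing address, acl names) in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            patterns = [v for v in values if not v.startswith("-")]
            acls.setdefault(name, (acl_type, "-i" in values, []))[2].extend(patterns)
        elif parts[0] == "tcp_outgoing_address" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, host):
    acl_type, ignore_case, patterns = acl
    host = host.lower().rstrip(".")
    if acl_type == "dstdomain":
        # Leading dot: the domain and every subdomain; no dot: that exact host only.
        return any(host == p.lower().lstrip(".") or (p.startswith(".") and host.endswith(p.lower()))
                   for p in patterns)
    if acl_type == "dstdom_regex":
        flags = re.IGNORECASE if ignore_case else 0
        return any(re.search(p, host, flags) for p in patterns)
    raise ValueError(f"unsupported acl type: {acl_type}")

def outgoing_address(host, acls, rules, default="default route"):
    """First tcp_outgoing_address line whose ACLs all match wins, as in Squid;
    a line with no ACLs matches everything. 'default route' means no VPN."""
    for address, names in rules:
        if all(acl_matches(acls[n], host) for n in names):
            return address
    return default
```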



  • @kesawi:

    Note that this only works with a static IP on your OpenVPN client interface.

    Many VPN providers, e.g. NordVPN, specify the DNS name of the server, e.g. br1.nordvpn.com, rather than the actual IP address of the VPN server.
    For sure, I can get the IP address by doing an nslookup, which in the case of this NordVPN would give an IP address of 181.41.210.93 but there must be a reason that VPN providers specify the DNS name of the server?

    Could someone please clarify or advise how the name of the server can be used instead of the IP address in the above example?

    https://nordvpn.com/servers/


  • LAYER 8 Netgate

    @tontoOz:

    Could someone please clarify or advise how the name of the server can be used instead of the IP address in the above example?

    Completely unrelated to this thread but Server host or address in the OpenVPN client config takes a hostname or IP address.

