OPNsense Forum » Archive » 17.7 Legacy Series » NAT or Firewall rules for 2xOpenVPN Client connections?
Author Topic: NAT or Firewall rules for 2xOpenVPN Client connections?  (Read 3219 times)

Gargamel

  • Newbie
  • *
  • Posts: 37
  • Karma: 1
    • View Profile
NAT or Firewall rules for 2xOpenVPN Client connections?
« on: November 02, 2017, 09:35:30 am »
Hi.
I have set up 2 OpenVPN clients in my OPNsense router.
What is the best way to redirect certain IPs on my LAN side to go through one OpenVPN connection, with everything else going through the other, and a certain IP or two directly to WAN (Xbox, Sonos web radio)?

I have tried to set up 2 NAT rules, but this seems to behave strangely on my side, such as:
* All goes through one OpenVPN.
* None gets through at all.
* Gets through, but the web GUI of OPNsense is blocked.

Usually, it just "stops working" if I make a firewall rule telling "this IP" to go through "this OpenVPN" (when everything else goes through the other) for that IP.

So how would I best go about setting this up, so I can easily specify "all go here, but not x/y/z, who go there, and H, G go to WAN"?

NilsS
Re: NAT or Firewall rules for 2xOpenVPN Client connections?
« Reply #1 on: November 02, 2017, 10:31:35 am »
Hi,

I think you refer to https://forum.opnsense.org/index.php?topic=4979.msg26514#new

If you connect to a VPN provider, they push a default route to you, so the last VPN you connect to is your default route, if you don't prevent that using

    # four /2 routes via the pre-VPN default gateway (net_gateway); these are more
    # specific than a pushed 0.0.0.0/1 + 128.0.0.0/1 (redirect-gateway def1) or 0.0.0.0/0
    route 0.0.0.0 192.0.0.0 net_gateway
    route 64.0.0.0 192.0.0.0 net_gateway
    route 128.0.0.0 192.0.0.0 net_gateway
    route 192.0.0.0 192.0.0.0 net_gateway

in the advanced section of your VPN client.

Just add this to the connection you don't want your regular traffic over, and use policy routing like you mentioned above.
Be sure to have the rule for the policy routing before your general allow rule.

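The two mechanisms in the reply above (the four /2 override routes, and the order of the LAN policy rules) can be checked offline with a small simulation. The following is an added example, not code from the original post or from OPNsense/OpenVPN: stage one is a first-match pass over the LAN rules (OPNsense rules are "quick" by default, so the first matching rule wins and its gateway, if set, is used), stage two is a longest-prefix-match lookup for anything no rule pins. The gateway names WAN_GW/OPENVPN_A/OPENVPN_B, the 192.168.1.0/24 hosts and the rule sets are constructed for the simulation, and the "later entry wins on equal prefix length" tie-break is an approximation of the reply's "the last VPN you connect to is your default route".

```python
"""Simulate how a packet from a LAN host leaves OPNsense with two OpenVPN clients up.

Two stages, matching the thread:
  1. LAN firewall rules, evaluated first-match ('quick'); a rule with a gateway
     set pins matching traffic to that gateway.
  2. Anything not pinned falls through to the routing table, where the longest
     prefix wins. The four /2 'route ... net_gateway' lines are more specific
     than a pushed 0.0.0.0/1 + 128.0.0.0/1 (redirect-gateway def1) or 0.0.0.0/0,
     so they keep the WAN as the default route.

Gateway names, LAN addresses and rule sets are constructed for the simulation;
they are not OPNsense's real identifiers.
"""
import ipaddress

WAN = "WAN_GW"        # ISP gateway; what OpenVPN calls net_gateway
VPN_A = "OPENVPN_A"   # client a few LAN hosts should use
VPN_B = "OPENVPN_B"   # client everything else should use

# The override from the post, installed when the client it is attached to connects.
NET_GATEWAY_OVERRIDE = [
    ("0.0.0.0/2", WAN),
    ("64.0.0.0/2", WAN),
    ("128.0.0.0/2", WAN),
    ("192.0.0.0/2", WAN),
]


def pushed_def1(gw):
    """Routes a provider's 'push redirect-gateway def1' installs for one client."""
    return [("0.0.0.0/1", gw), ("128.0.0.0/1", gw)]


def build_table(*route_sets):
    """Flatten (prefix, gateway) lists, in installation order, into a table."""
    return [(ipaddress.ip_network(p), gw) for rs in route_sets for p, gw in rs]


def route_lookup(table, dst):
    """Longest-prefix match. On equal prefix length the later entry wins,
    modelling 'the last VPN you connect to is your default route'."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def covers_all_ipv4(routes):
    """True if the prefixes are disjoint and together cover every IPv4 address,
    i.e. no destination can slip past the override to a pushed route."""
    nets = sorted(ipaddress.ip_network(p) for p, _ in routes)
    disjoint = all(not a.overlaps(b) for a, b in zip(nets, nets[1:]))
    return disjoint and sum(n.num_addresses for n in nets) == 2 ** 32


# LAN rules as (source prefix, gateway). None = plain allow, use the routing table.
LAN_RULES_GOOD = [
    ("192.168.1.50/32", WAN),    # console / web radio straight out the WAN
    ("192.168.1.51/32", WAN),
    ("192.168.1.10/32", VPN_A),  # workstation pinned to client A
    ("192.168.1.0/24", VPN_B),   # everything else over client B
]
# The ordering mistake the reply warns about: the catch-all sits first, so the
# more specific rules below it never get a chance to match.
LAN_RULES_BAD = [
    ("192.168.1.0/24", VPN_B),
    ("192.168.1.10/32", VPN_A),
    ("192.168.1.50/32", WAN),
]


def policy_gateway(rules, src):
    """First-match over quick rules; returns the gateway of the matching rule."""
    addr = ipaddress.ip_address(src)
    for prefix, gw in rules:
        if addr in ipaddress.ip_network(prefix):
            return gw
    return None


def egress(rules, table, src, dst):
    """Gateway a packet from src to dst leaves through."""
    gw = policy_gateway(rules, src)
    return gw if gw is not None else route_lookup(table, dst)


if __name__ == "__main__":
    base = [("0.0.0.0/0", WAN)]
    without = build_table(base, pushed_def1(VPN_A), pushed_def1(VPN_B))
    with_override = build_table(base, pushed_def1(VPN_A), NET_GATEWAY_OVERRIDE,
                                pushed_def1(VPN_B))
    print("override covers all IPv4:", covers_all_ipv4(NET_GATEWAY_OVERRIDE))
    print("unpinned default, no override:", route_lookup(without, "8.8.8.8"))
    print("unpinned default, with override:", route_lookup(with_override, "8.8.8.8"))
    for src in ("192.168.1.10", "192.168.1.50", "192.168.1.77"):
        print(src, "good order ->", egress(LAN_RULES_GOOD, with_override, src, "8.8.8.8"),
              "| bad order ->", egress(LAN_RULES_BAD, with_override, src, "8.8.8.8"))
```

Running it shows the two symptoms from the thread side by side: without the override the unpinned default ends up on whichever client connected last, and with the catch-all rule placed first the pinned hosts all land on OPENVPN_B regardless of their own rules.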

Gargamel
Re: NAT or Firewall rules for 2xOpenVPN Client connections?
« Reply #2 on: November 02, 2017, 10:38:15 am »
With the

    route 0.0.0.0 192.0.0.0 net_gateway
    route 64.0.0.0 192.0.0.0 net_gateway
    route 128.0.0.0 192.0.0.0 net_gateway
    route 192.0.0.0 192.0.0.0 net_gateway

does "64.0.0.0 192.0.0.0" mean to route that LAN over "net_gateway", and in each client do I have to change "net_gateway" to what the OpenVPN client is called?

NilsS
Re: NAT or Firewall rules for 2xOpenVPN Client connections?
« Reply #3 on: November 02, 2017, 11:29:47 am »
It's just the way to override the default gateway, from the OpenVPN page:
https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

Gargamel
Re: NAT or Firewall rules for 2xOpenVPN Client connections?
« Reply #4 on: November 02, 2017, 11:42:29 am »
Okay.
I'll check this when I get home for the weekend.
I know my VPN service uses 10.220.0.0.
So I assume I change one of those lines (or add?) route 10.220.0.0 10.0.0.0 net_gateway?

robvh
Re: NAT or Firewall rules for 2xOpenVPN Client connections?
« Reply #5 on: November 03, 2017, 08:31:34 pm »
Look at https://forum.opnsense.org/index.php?topic=5921.0
When you add dnat commands to the advanced client properties of your OpenVPN clients, you can assign alternative route addresses and two or more gateways that can work simultaneously. Next you use rules to direct traffic to one of those gateways.

Gargamel
Re: NAT or Firewall rules for 2xOpenVPN Client connections?
« Reply #6 on: November 04, 2017, 05:59:25 pm »
Thanks, I think I got it working.
However, when I run "dig +short myip.opendns.com @resolver1.opendns.com"
I get a timeout on my workstation that is set to use the other OpenVPN connection, without the public IP.
The server that runs over the public-IP OpenVPN connection can dig and get the correct IP.


