Hi,
I would like to route specific domains via a vpn site.
OPNsense runs my WireGuard server which has a WG client (site) connected to it.
I then create a Firewall - Alias:
- Name: Proxied
- Type: Host(s)
- Content: domain.com
I'm not sure what the next steps would be, but I tried:
adding a Firewall - NAT - Outbound rule
- Iface: WAN
- Destination: Proxied
- (I tried translation to WG site address / router)
adding a Firewall Rule - Rules - WAN:
- iface: WAN
- direction: out
- destination: proxied
- gateway: site router address
traceroute shows that the domain gets caught but it refuses to go over the VPN;
can anyone here tell me how to achieve this routing? Thank you!
Not sure if I understand correctly what you want to achieve, but I assume you want to route HTTP traffic for certain websites via a different site (to connect to the HTTP server using a different public IP).
I assume the VPN tunnel is not foreseen to have other IP addresses than internal ones (local net and remote net are typically private IPs), but the domain.com resolves to a public IP which is not part of the tunnel network.
If so, then extend your VPN tunnel ranges.
If I got the task, I'd do it a slightly different way:
- Override the DNS entry of domain.com on the local OPNsense instance to any internal IP address which can traverse the VPN
- On the remote side, make sure to have an outbound NAT rule which also matches the local LAN (not only the remote LAN)
Quote: but I assume you want to route HTTP traffic for certain websites via a different site
Totally correct.
I would like to keep my Adguard DNS out of play here, I think this should be doable with routes and aliases?
I just have no experience where to put the rule?
WAN?
Floating?
LAN?
In the meantime I added the remote site gateway in OPNsense; "Far Gateway" is set.
I can now use this gateway for my rules, just need to try till I get it working...
The connection to domain.com is already caught by OPNsense, but
traceroute domain.com
does not leave OPNsense to the remote site yet.
Can you share your VPN configuration? Especially the networks in the tunnel.
There's really not much to the VPN config:
local lan is 10.0.57.0/24
OPNSense is 10.0.57.1/32,
WG server resides on 10.0.59.1,
Site 1 is PTP connected as 10.0.59.2/32
Site 1 has routes for my Lan (10.0.57.0/24 via 10.0.59.2 on 10.0.55.4)
I sure will share my config if you need specifics, but the whole config has too much sensitive info in it :D
Make sure Client and OPNsense are using the same DNS Server
Create a Gateway with the Remote VPN Tunnel IP
Create an Alias with the FQDNs you want to route.
Create a Firewall Rule on the first Interface where the traffic matches (normally LAN) (rule must be before your normal Allow Rule) with
Source: Interface Network
Destination: the created Alias
Gateway: The created Gateway
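The two pitfalls in these steps (the policy rule must sit before the normal allow rule, and client and firewall must resolve the FQDN alias identically) can be checked with a small model of how the LAN ruleset is evaluated. This is an added example, not code from the thread or from OPNsense; it assumes first-match ("quick") rule semantics, and all addresses, alias contents and gateway names are constructed.

```python
# Added example: model of first-match evaluation of an OPNsense LAN ruleset
# whose destination is an FQDN alias. Addresses and gateway names are
# constructed; the alias contents stand in for what the firewall's own
# resolver wrote into the pf table for the "Proxied" alias.
import ipaddress

# Constructed: what the firewall resolved domain.com to (the alias table).
FIREWALL_ALIAS_TABLE = {"Proxied": {"203.0.113.10", "203.0.113.11"}}
LAN_NET = ipaddress.ip_network("10.0.57.0/24")

def policy_rule(gateway):
    """LAN net -> Proxied alias, forced out via the named gateway."""
    return {"src": LAN_NET, "dst_alias": "Proxied", "gateway": gateway}

# The usual "LAN net -> any" allow rule, which uses the default gateway.
ALLOW_ANY = {"src": LAN_NET, "dst_alias": None, "gateway": "default"}

def first_match_gateway(rules, src_ip, dst_ip, alias_table=FIREWALL_ALIAS_TABLE):
    """Return the gateway selected by the first matching rule.

    OPNsense rules are "quick" by default, so the first match wins. The
    destination is compared against the alias table as the *firewall*
    resolved it, not against whatever the client's resolver returned.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src not in rule["src"]:
            continue
        alias = rule["dst_alias"]
        if alias is None or dst_ip in alias_table[alias]:
            return rule["gateway"]
    return "drop"  # nothing matched: implicit default deny

def demo(client="10.0.57.50", site_gw="Site1_10.0.55.254"):
    """Three cases: correct order, policy rule after the allow rule, and a
    client whose resolver returned an IP the firewall never put in the table."""
    right_order = [policy_rule(site_gw), ALLOW_ANY]
    wrong_order = [ALLOW_ANY, policy_rule(site_gw)]
    return {
        "correct_order": first_match_gateway(right_order, client, "203.0.113.10"),
        "policy_after_allow": first_match_gateway(wrong_order, client, "203.0.113.10"),
        "dns_mismatch": first_match_gateway(right_order, client, "203.0.113.99"),
    }

if __name__ == "__main__":
    for case, gw in demo().items():
        print(f"{case}: traffic leaves via {gw}")
```

Only the first case reaches the site gateway; the other two silently fall through to the default gateway, which is what a traceroute that never enters the tunnel looks like.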
EDIT: attached my full config, maybe someone can spot the culprits.
Quote: Make sure Client and OPNsense are using the same DNS Server
I use different DNS Servers in each site (adguard home in local lan on 10.0.57.28, google 8.8.8.8 on site1), is there a reason why they should use the same? Edit: Oh, I guess you mean the lan client and opnsense - yes they all point to my local adguard home server (10.0.57.28)
Quote: Create a Gateway with the Remote VPN Tunnel IP
Did that - Gateway pointing to 10.0.55.254 (site 1 router), enabled "far gateway" because the subnet is not my local lan ofc. Should I make use of Virtual IPs?
Quote: Create an Alias with the FQDNs you want to route.
Did that. Alias with Host(s) "domain.com"
Quote: Create a Firewall Rule on the first Interface where the traffic matches (normally LAN) (rule must be before your normal Allow Rule) with
Did that, put a rule on LAN,
Source: LAN net
Direction: in
Gateway: Site1 - 10.0.55.254 (Site 1 Router)
I can see the rule in effect in the Logs but it only shows UDP data packets.
Traceroute shows that the requests do not leave OPNsense, however...
traceroute domain.com
traceroute to domain.com (xx.xx.xx.xx), 64 hops max
1 10.0.57.1 2,601ms 1,650ms 1,371ms
2 10.0.57.1 1,531ms 1,429ms 1,193ms
3 * * *
4 10.0.57.1 1,880ms !H 1,483ms !H 1,412ms !H
Will make a backup and share it here, seems there is something fishy in my config...
Thank you guys!!