OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: mbonny on March 16, 2025, 09:48:40 AM

Title: Policy Based Route (VPN Based Gateway)
Post by: mbonny on March 16, 2025, 09:48:40 AM
Dear All,

I am having some trouble configuring OPNsense. I have tried for a few hours (and learned a lot) but still cannot figure this out.

Goal: Establish multiple OpenVPN instances in different countries. Then using firewall rules, direct traffic out the correct gateway.

I have:
Signed up for a VPN Provider (PIA), and established 'client' tunnels
Assigned Interfaces to the ovpncX devices
Created alias for specific IP addresses
Created alias for specific websites
Created Outbound NAT rules to match the Alias (source)
Created Firewall rules to match the alias, change the gateway to the _VPNV4 gateway


What works?
So I can get a specific device on my LAN (matched to Alias) to send all traffic out the desired gateway (nice!)

What isn't working?
I can't get specific URLs to go via any gateway.
E.g.: try to send 'whatismyip.com' out of the PIACAMBODIA_VPNV4 gateway.

I have checked the logs and can see accepted rules. But the traffic doesn't seem to be returned.

Any ideas on what I should check next?


Title: Re: Policy Based Route (VPN Based Gateway)
Post by: dseven on March 16, 2025, 11:53:00 AM
Using hostnames in rules can be a bit tricky, as rules (under the covers) operate on IP addresses, not hostnames - the firewall doesn't even know what hostname the client used. When you use hostnames in aliases, they get resolved (to IP addresses) by the firewall periodically (every 300 seconds by default), but the client could resolve the hostname to a different address in the meantime.

If you're sure that that's not the issue, you'll have to share more detail about how you attempted to make it work....
Title: Re: Policy Based Route (VPN Based Gateway)
Post by: mbonny on March 16, 2025, 12:08:33 PM
Looking under Firewall, Diagnostics, Aliases. Then selecting the Aliases I can see that it contains 3 ipv4 addresses and 3 ipv6 addresses.

My client resolves to the same values:

Name:    www.whatismyip.com
Addresses:  2606:4700:3108::ac42:2857
          2606:4700:3108::ac42:2ba9
          172.66.43.169
          172.66.40.87

Name:    ifconfig.me
Addresses:  2600:1901:0:b2bd::
          34.160.111.145

Happy to share, just let me know what I can provide to help fill the gaps.
Title: Re: Policy Based Route (VPN Based Gateway)
Post by: dseven on March 16, 2025, 12:30:33 PM
Tried it myself, and (initially) failed ... good example of where this can go wrong - there are additional hostnames used under the covers, "api.whatismyip.com" and "apiv6...", and they resolve to different IP addresses.

Edit: adding those hostnames to the alias "works" for me
Title: Re: Policy Based Route (VPN Based Gateway)
Post by: mbonny on March 16, 2025, 10:15:27 PM
I figured it out. When I created the additional Firewall rule to route traffic to a specific Gateway, I forgot that I would also need a matching Outbound NAT rule to NAT the traffic from this gateway.
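The two failure modes in this thread (the firewall's hostname alias refreshing on its own schedule and so holding different addresses than the client resolves, and extra hostnames such as api.whatismyip.com that the page pulls in under the covers) can both be caught by comparing what a LAN client resolves right now against the firewall's alias table. The script below is an added example, not code from the thread or from OPNsense: the table snapshot mirrors what `pfctl -t <aliasname> -T show` prints on the firewall (the same contents the GUI shows under Firewall > Diagnostics > Aliases), and the client-side resolution mirrors nslookup output. The addresses for www.whatismyip.com and ifconfig.me are the ones posted above; the 198.51.100.0/24 entry and the api.whatismyip.com addresses are constructed placeholders to show a CIDR entry and an uncovered host.

```python
"""Compare a client's DNS view of hostnames with a firewall hostname-alias table.

Added example (not from the forum thread or OPNsense). Constructed inputs stand in
for `pfctl -t <aliasname> -T show` output and for nslookup results on a LAN host.
"""
import ipaddress

# Constructed snapshot of the firewall's alias table. Real addresses from the
# thread for www.whatismyip.com / ifconfig.me; 198.51.100.0/24 is a placeholder
# CIDR entry added to show that tables can hold networks, not just hosts.
ALIAS_TABLE_SNAPSHOT = """\
   172.66.43.169
   172.66.40.87
   34.160.111.145
   2606:4700:3108::ac42:2857
   2606:4700:3108::ac42:2ba9
   2600:1901:0:b2bd::
   198.51.100.0/24
"""

# Constructed client-side resolution. api.whatismyip.com is the extra hostname
# the thread mentions; its addresses here are documentation-range placeholders.
CLIENT_RESOLUTION = {
    "www.whatismyip.com": [
        "172.66.43.169", "172.66.40.87",
        "2606:4700:3108::ac42:2857", "2606:4700:3108::ac42:2ba9",
    ],
    "ifconfig.me": ["34.160.111.145", "2600:1901:0:b2bd::"],
    "api.whatismyip.com": ["192.0.2.10", "198.51.100.7"],
}


def parse_table(text):
    """Turn pfctl table lines into ip_network objects (bare hosts become /32 or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_covered(addr, nets):
    """True if the address would match the alias table (host or CIDR entry)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in nets)


def uncovered_addresses(resolution, nets):
    """Return {hostname: [addresses the client uses that the alias would not match]}."""
    gaps = {}
    for host, addrs in resolution.items():
        missing = [a for a in addrs if not is_covered(a, nets)]
        if missing:
            gaps[host] = missing
    return gaps


def hosts_to_add(resolution, nets):
    """Hostnames that should be added to the alias so policy routing catches them."""
    return sorted(uncovered_addresses(resolution, nets))


if __name__ == "__main__":
    table = parse_table(ALIAS_TABLE_SNAPSHOT)
    gaps = uncovered_addresses(CLIENT_RESOLUTION, table)
    for host, addrs in gaps.items():
        print(f"{host}: not matched by alias -> {', '.join(addrs)}")
    print("add to alias:", ", ".join(hosts_to_add(CLIENT_RESOLUTION, table)) or "nothing")
```

To use it against a live setup, replace the two constructed inputs with the real table (`pfctl -t <aliasname> -T show` on the firewall) and the client's actual lookups, taken at the same moment; a non-empty result means traffic to that host is leaving via the default gateway regardless of how the policy-routing rule and its outbound NAT rule are written.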