Hi guys,
Somehow I managed to get an OpenVPN client connected. I had removed pull routes as I want a split-tunnel effect and don't want all traffic going through the VPN.
Problem is, without the pull route I don't know how or where to configure this further.
I've tried firewall rules and static routes, but maybe I'm doing it wrong.
VPN connected and gives me a client address of, let's say, 10.8.0.30 and the server is 10.8.0.1; my home network is 192.168.1.1.
Any ideas next, I only want to access 10.8.0.1 web services and nothing else.
Thanks and happy Friday!
First of all, you have to assign an interface to the OpenVPN client instance.
Then you can create policy-routing rules using the gateway to force certain traffic over the VPN.
See Policy based routing (https://docs.opnsense.org/manual/firewall.html#policy-based-routing)
Thank you for the prompt reply, I believe the interface has already been assigned.
Please see attached. Like I say, the connection is up - but maybe a route or rule I'm missing?
Yes, the interface seems to be assigned properly.
Then you need to add the policy-routing rule.
You didn't mention what exactly you intend to route over the VPN, so I cannot give more detailed hints.
Ah another quick reply, thank you.
I just need clients on my local subnet to reach a web server over VPN.
What I don't know is how to allow my local subnet out to 10.8.0.0/24 via the VPN interface. I know what I need, just not the how....
So if a client goes to 10.8.0.1:8080, for example, that will be accessible over the VPN interface / gateway or whatever.
Is this a site-to-site VPN?
Mentioning a private subnet (10.8.0.0/24) to route over the VPN lets me assume this.
If so, does the remote site have a route to your LAN over the VPN?
Good question. I have basically ripped it from the OpenVPN client file that you import.
I would assume it does have routes, as the import to, let's say, Ubiquiti / DrayTek firewalls works.
But you can't import the file to OPNsense, which is mind boggling..
(Client to site)
As I mentioned, the intention to route traffic to a private IP over the VPN indicates that it's an s2s. But you should actually know what the purposes are.
Anyway, going back to your example:
Quote from: MaDeX on July 25, 2025, 01:33:17 PM
What I don't know is how to allow my local subnet out to 10.8.0.0/24 via the VPN interface
Assuming you want to route all traffic to a destination within 10.8.0.0/24, there is no policy-routing needed. You can just do this inside OpenVPN.
Just open the OpenVPN client settings and enter "10.8.0.0/24" into the "Remote Network" box and save it.
If the remote site has no route to your site, this will still not work. Then you also need an outbound NAT rule:
Firewall: NAT: Outbound
Enable "Hybrid outbound NAT rule generation" and save it.
Add a rule:
interface: opt1
source: LAN net
destination: 10.8.0.0/24
hit save.
I had already done that - if you can just verify this is correct
The remote network has to be a network address in CIDR notation.
Why /0??
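The "Remote Network" step above and the /0 slip that followed it, as an added example that is not from the thread or from OPNsense itself: a small Python check that rejects entries which are not a proper network address in CIDR notation (a /0 default route, host bits set, malformed prefix) and shows the OpenVPN route directive such an entry corresponds to. The mapping to OpenVPN's `route` / `route-ipv6` directives is an assumption about what the Remote Network field turns into; the function names and sample entries are constructed for this example.

```python
import ipaddress

# Constructed sample entries: the correct value from the thread, the /0 slip,
# a host address with host bits set, and an invalid prefix length.
SAMPLE_ENTRIES = ["10.8.0.0/24", "10.8.0.0/0", "10.8.0.30/24", "10.8.0.0/33"]


def check_remote_network(entry: str) -> dict:
    """Validate one OpenVPN client 'Remote Network' entry for a split tunnel.

    Returns {'ok': bool, 'reason': str, 'route': str | None}, where 'route' is
    the OpenVPN directive the entry is assumed to map to.
    """
    try:
        iface = ipaddress.ip_interface(entry)  # tolerant parse, keeps host bits
    except ValueError as exc:
        return {"ok": False, "reason": f"not valid CIDR: {exc}", "route": None}
    net = iface.network
    if net.prefixlen == 0:
        # /0 matches every destination, so the tunnel would pull all traffic
        # again, which is exactly what the split tunnel was meant to avoid.
        return {"ok": False, "reason": "/0 is a default route, not a remote network",
                "route": None}
    if iface.ip != net.network_address:
        return {"ok": False,
                "reason": f"host bits set; the network address is {net.with_prefixlen}",
                "route": None}
    if net.version == 4:
        route = f"route {net.network_address} {net.netmask}"
    else:
        route = f"route-ipv6 {net.with_prefixlen}"
    return {"ok": True, "reason": "network address in CIDR notation", "route": route}


def tunnel_covers(entry: str, destination: str) -> bool:
    """True if traffic to 'destination' would be sent over the VPN under 'entry'."""
    if not check_remote_network(entry)["ok"]:
        return False
    return ipaddress.ip_address(destination) in ipaddress.ip_network(entry)


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        r = check_remote_network(e)
        print(f"{e:14} ok={r['ok']!s:5} {r['reason']}  {r['route'] or ''}")
```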
Oh boy, I can't believe I did that.
I did so well on my first attempt to get this far...
Able to ping 10.8.0.1 now.....
In my defence, I was up late trying to troubleshoot it; I can't believe it was that.
It was a personal project of mine to understand more, thank you.
Seems my next problem is the web apps are only listening on localhost now :/
Congratulations. You're a big step closer to your aim.