I am trying to set up so that all traffic on a VLAN gets routed out via a VPN client. I have read lots of tutorials and many posts, tried many different settings, but with the instructions all being of different age they are intended for different versions of OPNsense and I am never sure which steps have changed or become redundant.
I have an OpenVPN client instance that is showing as connected, and I would like to link this to a VLAN I have already created. I get a bit lost in which steps are required manually and which are done by OPNsense automatically when it comes to
- interfaces
- devices
- gateways
- firewall aliases
- firewall NAT
- firewall rules
- DHCP
Is there a howto/tutorial based on the latest OPNsense describing how to do this? I run 25.7.2.
I don't know a useful tutorial for this, but there are just a few settings necessary.
I assume, you're talking about IPv4 routing here.
- Assign an interface to the OpenVPN client instance.
Interfaces: Assignments > Assign a new interface
at device select the client instance, state a description, open the new interface and enable it.
- Add an outbound NAT rule:
Firewall: NAT: Outbound
Enable the hybrid mode. And add a rule to the OVPN client Interface, which you created before.
- Create an RFC 1918 alias and add all private network ranges (https://en.wikipedia.org/wiki/Private_network) to it.
You don't want to route these over the VPN.
- Add a policy-routing rule to the respective VLAN interface.
At destination check "invert" and state the RFC 1918 alias.
At Gateway select the VPN Client gateway.
Move this rule up to the top of the rule set.
So this rule is only applied to non-private destinations and directs the traffic to the VPN server.
Many thanks!
I see in the interfaces overview that the new interface has IPv4 and routes set to 10.100.0.2/16. Is this the range of addresses that will be handed out to clients connecting to the VLAN? If I would like it to be something else (I was planning similar to my LAN but with the same octet as the VLAN number), how do I set this? Do I specify "DHCP" in "IPv4 configuration type" under the interface settings, and/or set up a range under Services > ISC DHCPv4?
Quote from: beneix on October 02, 2025, 06:13:29 PM
I see in the interfaces overview that the new interface has IPv4 and routes set to 10.100.0.2/16. Is this the range of addresses that will be handed out to clients connecting to the VLAN?
This is your VPN client IP.
It's not range, but just a single IP and you cannot hand it out to any other device.
If you route traffic to the VPN server, the suggested outbound NAT rule translates the source address into this one, so that responses are coming back to you.
There is nothing to configure in the VPN interface settings. Just enable it.
IP address assignment is done by the VPN server.
Quote from: viragomann on October 02, 2025, 06:21:03 PM
Quote from: beneix on October 02, 2025, 06:13:29 PM
I see in the interfaces overview that the new interface has IPv4 and routes set to 10.100.0.2/16. Is this the range of addresses that will be handed out to clients connecting to the VLAN?
This is your VPN client IP.
It's not range, but just a single IP and you cannot hand it out to any other device.
If you route traffic to the VPN server, the suggested outbound NAT rule translates the source address into this one, so that responses are coming back to you.
There is nothing to configure in the VPN interface settings. Just enable it.
IP address assignment is done by the VPN server.
Right, but what local IP address does a client connecting to the VLAN get? In order for the NAT rule to translate source addresses, there need to be source addresses to translate...I must be missing something?
You can keep any as source, but you can also limit it to a subnet or whatever you want.
The translation target is the interface address = VPN client address.
It's the same as with WAN. Source IP in all outgoing traffic is translated to the interface address.
OK, what I am missing is the part of how to set up the VLAN so that all traffic from it routes via the VPN. What I have tried is:
1. Create a VLAN
2. Create an interface that is assigned the VLAN device, a static IP of 192.168.6.1 and a configuration of 192.168.6.1/24
3. Set DHCP to hand out 192.168.6.20-200 to clients on the VLAN interface
Now I am not clear on whether I should
a. Create an outbound NAT rule that directs all traffic from the VLAN net to the VPN interface,
b. Create a normal rule that passes all traffic coming in on the VLAN interface to the VPN interface,
c. Create a bridge between the VLAN and VPN interfaces, or a mix of all three.
But do you have a managed switch to tag the traffic of this VLAN, and have set up your interface in OPN to act as the trunk from it?
If not, you don't have a VLAN but perhaps a separate network on a separate interface in OPN? I'm a bit unclear.
Quote from: cookiemonster on October 02, 2025, 11:10:23 PM
But do you have a managed switch to tag the traffic of this VLAN, and have set up your interface in OPN to act as the trunk from it?
If not, you don't have a VLAN but perhaps a separate network on a separate interface in OPN? I'm a bit unclear.
Yes, I have a managed switch for the Ethernet connection, but I also have my Unifi AP that will broadcast a separate SSID for the VLAN (I am doing this already for another VLAN). The WiFi connection will be the main way this VPN VLAN will be used, the Ethernet is just a back-up.
Quote from: beneix on October 02, 2025, 09:54:06 PM
OK, what I am missing is the part of how to set up the VLAN so that all traffic from it routes via the VPN.
All necessary steps are explained above.
If you have trouble anyway, show all details of your settings, please.
Quote from: beneix on October 02, 2025, 09:54:06 PM
Create a normal rule that passes all traffic coming in on the VLAN interface to the VPN interface,
This. Your "allow" rule on that VLAN interface simply sets the gateway to the VPN.
Quote from: viragomann on October 03, 2025, 01:09:34 PM
Quote from: beneix on October 02, 2025, 09:54:06 PM
OK, what I am missing is the part of how to set up the VLAN so that all traffic from it routes via the VPN.
All necessary steps are explained above.
If you have trouble anyway, show all details of your settings, please.
OK, here goes. It's the first time I respond to that type of request so if there is a different way I should share the settings, please let me know.
VPN:
(https://i.ibb.co/4g9ZBRSg/Screenshot-2025-10-03-172052.png) (https://ibb.co/prGvCjKr)
Gateways:
(https://i.ibb.co/bR8n8sX8/Screenshot-2025-10-03-150107.png) (https://ibb.co/XkvTv7tv)
The two relevant VPN interfaces:
(https://i.ibb.co/3mcXG7yQ/Screenshot-2025-10-03-150220.png) (https://ibb.co/XxtBNbZM)
Details:
(https://i.ibb.co/xSwF05bk/Screenshot-2025-10-03-171525.png) (https://ibb.co/8DGYp8wC)
(https://i.ibb.co/wNbzZtWf/Screenshot-2025-10-03-171556.png) (https://ibb.co/BV7CHkZ9)
Assignments:
(https://i.ibb.co/7xpVvYvH/Screenshot-2025-10-03-171629.png) (https://ibb.co/0p9ZqDqk)
Devices:
(https://i.ibb.co/35r02pFf/Screenshot-2025-10-03-171700.png) (https://ibb.co/qLyRKNg0)
Aliases:
(https://i.ibb.co/y9rzC7c/Screenshot-2025-10-03-171737.png) (https://ibb.co/p7SHT5B)
Firewall:
(https://i.ibb.co/ZR7yk4mF/Screenshot-2025-10-03-171920.png) (https://ibb.co/ym7LbvSZ)
(https://i.ibb.co/G4DvhjnM/Screenshot-2025-10-03-171940.png) (https://ibb.co/ksTgdF5D)
(https://i.ibb.co/VY5LVFCK/Screenshot-2025-10-03-172009.png) (https://ibb.co/8gtmMyxh)
(https://i.ibb.co/PZq6842K/Screenshot-2025-10-03-172026.png) (https://ibb.co/FbRDtJQ2)
DHCP:
(https://i.ibb.co/qYyctx36/Screenshot-2025-10-03-173515.png) (https://ibb.co/LdkcLvXK)
You messed up the rule settings.
On the VPN interface there is no rule needed at all. You should delete it.
On the VLAN interface, make some changes:
source: NordVPNUKVLAN net
destination: any
gateway: NORDVPNUK_VPNV4
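To make the two rule shapes discussed in this thread concrete (the policy-routing rule with an inverted RFC 1918 destination and a fallback allow, versus the single "destination: any" rule in the last post), here is an added simulation of how OPNsense evaluates a VLAN interface rule set top to bottom and then applies hybrid outbound NAT. This is example code written for this page, not OPNsense code and not anything posted in the thread. The VLAN subnet 192.168.6.0/24, the VPN client address 10.100.0.2 and the gateway name NORDVPNUK_VPNV4 come from the posts above; the WAN address 203.0.113.10 and the gateway name WAN_GW are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values from the thread
VLAN_NET = ipaddress.ip_network("192.168.6.0/24")
VPN_CLIENT_IP = ipaddress.ip_address("10.100.0.2")   # address the VPN server assigned
VPN_GW = "NORDVPNUK_VPNV4"
# Constructed placeholders (not from the thread)
WAN_IP = ipaddress.ip_address("203.0.113.10")        # TEST-NET-3, stands in for the WAN address
WAN_GW = "WAN_GW"                                     # hypothetical default gateway name
ROUTING_TABLE = "routing table"                       # rule without a gateway: normal routing

# The RFC 1918 alias the first answer tells you to create
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    interface: str
    source: ipaddress.IPv4Network
    destination: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    invert_destination: bool = False
    gateway: Optional[str] = None                        # None means "default" (routing table)


def matches_alias(addr: ipaddress.IPv4Address, alias: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in net for net in alias)


def policy_route(rules: List[Rule], interface: str, src, dst) -> Optional[str]:
    """Return the gateway a packet is handed to, or None if no rule passes it.
    Interface rules are evaluated top to bottom and the first match wins (OPNsense
    rules are 'quick' by default), which is why the policy rule must sit at the top."""
    for rule in rules:
        if rule.interface != interface or src not in rule.source:
            continue
        dst_hit = rule.destination is None or matches_alias(dst, rule.destination)
        if rule.invert_destination:
            dst_hit = not dst_hit
        if dst_hit:
            return rule.gateway or ROUTING_TABLE
    return None


def outbound_nat(src, dst, gateway: str) -> ipaddress.IPv4Address:
    """Hybrid outbound NAT: the manual rule on the OpenVPN interface translates the
    source to the VPN client address; the automatic rule covers traffic leaving WAN;
    traffic staying inside the private networks is not translated."""
    if gateway == VPN_GW:
        return VPN_CLIENT_IP
    if matches_alias(dst, RFC1918):
        return src
    return WAN_IP


def egress_for(rules: List[Rule], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """(gateway, translated source) for a packet from a VLAN client, or None if blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    gw = policy_route(rules, "VLAN", s, d)
    if gw is None:
        return None
    return gw, str(outbound_nat(s, d, gw))


# Rule set A: inverted RFC 1918 destination on top, plain allow below it
RULES_INVERT = [
    Rule("VLAN", VLAN_NET, RFC1918, invert_destination=True, gateway=VPN_GW),
    Rule("VLAN", VLAN_NET, None),
]

# Rule set B: the single "source: VLAN net, destination: any, gateway: VPN" rule
RULES_ANY = [Rule("VLAN", VLAN_NET, None, gateway=VPN_GW)]


if __name__ == "__main__":
    for name, rules in (("invert RFC1918", RULES_INVERT), ("destination any", RULES_ANY)):
        for dst in ("1.1.1.1", "192.168.1.50"):
            print(name, "->", dst, egress_for(rules, "192.168.6.20", dst))
```

Running it shows the difference between the two rule sets: with the inverted RFC 1918 rule, a VLAN client reaching another local subnet follows the routing table with its source untouched, while with "destination: any" that same packet is pushed into the VPN tunnel and source-translated to 10.100.0.2, so local services on other subnets become unreachable from the VLAN.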