OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: guest11051 on January 02, 2016, 11:16:26 pm

Title: Outbound NAT Subnetting for PIA OpenVPN
Post by: guest11051 on January 02, 2016, 11:16:26 pm
I've been reading through all of the documentation available on setting up an OpenVPN Client to send LAN traffic out through Private Internet Access (PIA).  These setup steps worked perfectly: Create CA Certificate, Create an OpenVPN Client, Create an OpenVPN Interface, Configure Outbound NAT rules.

I am now in phase two of my setup and am working on further subnetting my network for outbound NAT.  Here is what I want to happen:

I have tried to make this setup work through Manual NAT settings and Hybrid NAT settings, and whatever I'm doing wrong keeps knocking the 192.168.1.64/26 subnet offline.  The other two continue to send traffic out PIA as desired, but the .64 subnet only has LAN access.

Any suggestions on the best means of setting this up?
Title: Re: Outbound NAT Subnetting for PIA OpenVPN
Post by: danuary on January 04, 2016, 04:33:03 am
Following, as I have essentially the same question - I'd like to ensure traffic from several specific IPs on my LAN always traverses an OpenVPN tunnel and never traverses the WAN; everything else can go out the WAN. It's clearly possible via policy routing but I'm new to the platform.  I can probably piece it together given some time, but if there is a cheat sheet or someone can advise, it'd be helpful to have the jumpstart.  ;)

Thanks!
Title: [SOLVED] Re: Outbound NAT Subnetting for PIA OpenVPN
Post by: danuary on January 06, 2016, 05:41:08 am
Self-replying, yay  :)

I have a solution to this, but part of it feels a little hacky. There are three components to this:

First, how to establish an OpenVPN connection to PIA.
Second, what you do with that connection - what gets routed over the VPN and what does not.
Finally, how to ensure that you don't leak what should be VPN traffic out the WAN if the VPN goes down.

To address #1, see the excellent pfsense-based tutorial at http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/, or the pfsense tutorial provided by PIA themselves. These are both pfsense based so you'll have to tweak a bit; mostly correct but I found in the linked post he goes a bit overboard on applying rules to each interface. You only need to put your rules on the LAN interface. As such, that gets us to #2.

My LAN rules that make this work are in the first attached image; this example shows two IPs forced to use the VPN while everything else uses the local WAN connection. The only thing I can say here is go slow and bounce your VPN connection a lot when testing. I was tearing my hair out and discovered that the rules took effect only after restarting the VPN. You can tailor to your example, substituting network ranges in place of specific IPs and it should do the trick for you.

This leaves me with #3, which has been rather frustrating. I would like to configure such that if the VPN goes down, my VPN-routed IPs have no access to the outside world. I've tried various rules and various orders but I have not been able to get that to work - no matter what I did if the VPN goes down the noted IPs will simply use the WAN connection, which is not what I want. The only way I've found to do this is via an outbound NAT rule using the "Do Not NAT" checkbox for those IPs. I guess that works but I'd feel better doing it through an actual firewall rule.

Hope this helps!
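The three components described in the post above (per-subnet outbound NAT, LAN policy-routing rules, and a no-leak rule for when the tunnel drops), written out as a hand-built pf ruleset so the pieces can be seen together. This is an added example, not the poster's attached rules and not anything OPNsense generates from its GUI; it uses the original poster's 192.168.1.64/26 subnet and assumes interface names (em0 WAN, em1 LAN, ovpnc1 tunnel), a LAN of 192.168.1.0/24 and a tunnel gateway address, all of which are placeholders to be replaced with real values.

```pf
# Constructed pf fragment (FreeBSD pf syntax, as used under OPNsense).
# Interface names, LAN range and tunnel gateway are assumptions.
wan_if  = "em0"
lan_if  = "em1"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"            # placeholder: the far end of the PIA tunnel
lan_net = "192.168.1.0/24"

# Hosts that must only ever leave through the tunnel.
table <vpn_only> persist { 192.168.1.64/26 }

# --- Component 2: outbound NAT, one rule per egress ---------------------
# Equivalent of the "Do Not NAT" outbound rule: VPN-only hosts are never
# translated on WAN, so if they ever reach WAN they carry a private source
# and cannot be answered. NAT rules are matched first-match, so this must
# come before the general WAN rule.
no nat on $wan_if from <vpn_only> to any
nat on $wan_if from $lan_net to any -> ($wan_if)
nat on $vpn_if from <vpn_only> to any -> ($vpn_if)

# --- Component 3: firewall-level kill switch -----------------------------
# Because of the "no nat" above, an outbound packet on WAN from a VPN-only
# host still shows its LAN source address, so a plain filter rule can drop it.
# This is the "actual firewall rule" form of the leak protection.
block out quick on $wan_if from <vpn_only> to any

# --- Component 2: LAN policy routing ------------------------------------
# Order matters: "quick" rules stop evaluation at the first match.
# 1. VPN-only hosts may still talk to the rest of the LAN.
pass in quick on $lan_if from <vpn_only> to $lan_net
# 2. Everything else from those hosts is forced into the tunnel.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from <vpn_only> to any
# 3. Anything from the VPN-only range that did not match above is dropped,
#    so nothing falls back to the default (WAN) route.
block in quick on $lan_if from <vpn_only> to any
# 4. The remaining LAN hosts use the normal default route via WAN.
pass in on $lan_if from $lan_net to any
```

Two design notes. First, pf decides the route-to path when a state is created and keeps it for the life of that state, so connections opened before a rule change keep their old path until their state expires or is flushed; that matches the observation above that changes only seemed to take effect after bouncing the VPN. Second, the `no nat` rule and the `block out` on WAN are independent layers: the filter rule is the one that actively drops leaked packets, while the missing translation guarantees that even a packet which somehow passes the filter cannot complete a connection from the public Internet.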