OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: easyronny on April 06, 2022, 03:05:42 pm

Title: Opnsense KPN Fiber + PIA VPN routing. (Why no response?)
Post by: easyronny on April 06, 2022, 03:05:42 pm
All,

I would like to ask your help with the following.
I have a Dutch ISP KPN (XS4all) fiber connection running on my Opnsense server.
Now I would like to configure an OpenVPN (client) from PrivateInternetAccess on this Opnsense server as well.
I succeeded in doing this; however, now I am facing the difficulty that as soon as my VPN server is active all my traffic will also be routed over it, and I would like to limit this to a few IPs.

What is the best way to do this, because it is unclear to me how I can change the gateway of KPN to Primary and how I can redirect the traffic via a firewall rule over the OpenVPN. My preferred firewall rule would be to create a firewall rule and configure it based on an alias, and within that alias are in turn the IPs that need to go over the VPN.

I already tried to change the priority of the gateways, only that did not change anything.
KPN =>200
OpenVPN =>254


Thanks in advance for your help and time,


Regards
ERonny
Title: Re: Opnsense KPN Fiber + PIA VPN routing.
Post by: easyronny on April 10, 2022, 08:05:13 pm
Small update from my side

I removed the entire configuration for the OpenVPN Client of PIA,
The next step that I did was reconfigure the OpenVPN Client with PIA again, only now I enabled the option that the routes should be the same (not add something) and to make no changes to the firewall rules.

The status at the moment:
The VPN is running and the interface got an IP of PIA.
If I check externally what the IP is that I'm using then I'm getting the one of my ISP, so that's good.
When I check via Interfaces => Diagnostics => Ping I'm able to ping 8.8.8.8 via my ISP and also via the VPN.

The next step for me is to check out how policy routing is working, that's new to me.
If someone can give me advice it will be welcome.

Kind Regards,
ERonny
Title: Re: Opnsense KPN Fiber + PIA VPN routing.
Post by: easyronny on May 20, 2022, 07:54:25 pm
Is there someone that can help me with this question?

I'm still waiting and I did not find any article online that describes a solution based on Opnsense. On pfSense I found a lot of info, only on Opnsense it looks different.

Thanks in advance
ERonny
Title: Re: Opnsense KPN Fiber + PIA VPN routing. (Why no response?)
Post by: easyronny on June 07, 2022, 09:57:13 am
Could someone please help me with this question,

Or does my post not conform to the forum rules? Yes, it's true I'm not very experienced with Opnsense yet, but I find the complete absence of a response quite unusual for such a professional forum as Opnsense has.
Title: Re: Opnsense KPN Fiber + PIA VPN routing. (Why no response?)
Post by: Cerberus on June 07, 2022, 01:41:48 pm
I am trying to understand your configuration, so you have WAN from xs4all and a VPN provider and you want some sources or targets to go over the PIA tunnel and the rest goes over your xs4all?

You have to create a NAT rule and a firewall rule and place them above your rules that allow/NAT to WAN (because they address "all"). In these rules you decide if you want to go over PIA depending on source or target or maybe both. The firewall rule has PIA as gateway interface and the NAT rule has PIA as its translation interface.

You can't just route into PIA, as PIA cannot work with your LAN IPs; you have to go out with your assigned IP from PIA and this is where the NAT rule comes into play. Depending on whether you get a public or private IP from PIA, you may end up with double NAT, which does not work well with some protocols.

And please do not nag too much, it's a community forum.
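The rule set described in the reply above, written out in pf syntax as an added illustration (this is not text from the thread and not the exact rules OPNsense generates from its GUI; the interface names igb1 for LAN and ovpnc1 for the PIA OpenVPN client, the tunnel gateway 10.0.0.1 and the 192.168.1.x hosts are assumed placeholders):

```pf
# Added illustration of the policy-routing setup from the reply above.
# Assumed names: igb1 = LAN interface, ovpnc1 = PIA OpenVPN client interface,
# 10.0.0.1 = the tunnel's remote gateway address (placeholder).

# The alias: only these LAN hosts (constructed sample values) should leave via PIA.
table <vpn_hosts> { 192.168.1.10, 192.168.1.11 }

# Outbound NAT on the tunnel: PIA cannot route replies to private LAN
# addresses, so traffic leaving ovpnc1 is rewritten to the tunnel's own IP.
nat on ovpnc1 inet from <vpn_hosts> to any -> (ovpnc1)

# Policy route: packets from the alias hosts arriving on LAN are handed to
# the PIA gateway. 'quick' ends evaluation here, which is why this rule
# must sit ABOVE the generic LAN-to-any rule that uses the default gateway.
pass in quick on igb1 route-to (ovpnc1 10.0.0.1) inet from <vpn_hosts> to any keep state

# Generic LAN rule: everything else follows the system default route (KPN).
pass in quick on igb1 inet from 192.168.1.0/24 to any keep state

# Verify the loaded ordering on the firewall itself:
#   pfctl -sr | grep -n route-to   (the route-to rule must appear first)
#   pfctl -sn                      (the nat-on-ovpnc1 rule must be present)
```

If the route-to rule lands below the generic LAN rule, the generic rule's `quick` matches first and the alias hosts silently keep using the ISP gateway, which is exactly the symptom a per-host IP check from one of those hosts will reveal.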
Title: Re: Opnsense KPN Fiber + PIA VPN routing. (Why no response?)
Post by: defaultuserfoo on June 08, 2022, 01:45:53 am
What OPNsense calls "policy routing" seems to require a gateway (other than the default gateway).  In the firewall rules, you can specify a gateway (group) to use, default or otherwise, and traffic matching the rule will be sent over the specified gateway (group).

If or how you could turn your VPN connection into a gateway, I do not know.  Maybe you can set routes (instead)?

On a side note, strangely there seems no way to designate a gateway group as the default gateway, which basically defeats load balancing.  Maybe you could convert all firewall rules to use a gateway group, but that doesn't seem to make any sense and would probably be ill advised.  So how is load balancing actually supposed to work?  Since all traffic goes through the default gateway by default, it all circumvents the load balancing because you can't make a gateway group to be the default gateway.