OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: geofflowemn on December 07, 2016, 06:08:42 am

Title: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: geofflowemn on December 07, 2016, 06:08:42 am
Hello.

I am relatively new to OPNsense, and I love it so far.  So much so that I made my first donation ($) to the project after only a few weeks of using it.  Thank you to the OPNsense team and community contributors on a great product!  I'm excited for the OPNsense future.

On to the question...

I am running OPNsense 16.7.10 in a VMware ESXi VM.
I also have an OpenVPN server running in the cloud (Ubuntu 16.04.1 Digital Ocean droplet).

My goal is to be able to selectively route traffic from devices behind the OPNsense firewall through either my regular ISP *or* the OpenVPN server to the internet.  In other words, I want to be able to have my traffic come from either my real IP address (the one provided by my ISP) OR from the IP address of my VPN server (provided by my Digital Ocean droplet).  I will use Firewall rules to enforce that decision.  I hope that's clear.

My internet searches yielded several articles, blog posts, etc. about how to do this (kind of) with a pfSense firewall and one article about how to do this with an OPNsense firewall.

Stitching bits-and-pieces from these sources together, I did get something to work!

HOWEVER, I'm not sure I understand 1) *how* it works, 2) if this is the best way to achieve my goal using OPNsense and OpenVPN, and 3) if I've configured things in the best, most robust and secure way (e.g. how to configure DNS so as not to leak queries for VPN-destined traffic on my non-VPN link, etc.).

1) In the configuration I got working, there now appear two new tabs in Firewall > Rules:  one I've called "DIGITALOCEAN" that represents the interface to the OpenVPN server droplet (i.e. it appears in the "Interfaces" listing) and one that's automagically created by OPNsense called "OPENVPN".

I don't have *ANY* rules in either of these tabs, but I can get traffic to flow either to the non-VPN link or VPN link using *only* LAN rules with either "WAN" or "DIGITALOCEAN" interface selected in the "Gateway" setting of the rule.  Is that right?  Can someone explain to me why that works?  Does it have to do with the changes to the Firewall > NAT > Outbound settings as outlined in the "HOW TO SETUP OPENVPN CLIENT ON OPNSENSE" article referenced at the end of this post?

2) Am I overlooking an approach that is obviously better than this approach?  I started to get nervous about it when I had such a hard time finding a guide about how to configure this.  But, I'm not the only one who has wanted to do this.  I started to wonder why there isn't an official OPNsense how-to guide for this usage scenario.

I'm not looking for counterproposals like "use a commercial VPN vendor, duh" etc., but rather things like "you can do this better using a site-to-site OpenVPN tunnel, let me show you how" or "using IPSec is better, let me show you how."  But, so far, I'm kind of fond of this approach.

3) Lastly, I must admit that I have not hooked up a sniffer to verify that I *am* leaking DNS queries, but I've seen some references to changing the DNS servers listed in System > Settings > General - or at least changing the "Use gateway" setting next to them.  Or using or not using the OpenVPN features to push a new default gateway and DNS servers.  Or any combination of the above.  Maybe I can use dnsproxy instead and not worry about it?  I need someone who is more experienced to help me out here.

References:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
https://pixelsandwidgets.com/2014/10/setup-pfsense-openvpn-client-specific-devices/
http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/
https://wretmo.se/2016/01/24/how-to-setup-openvpn-client-on-opnsense/

I am happy to share my current configuration with the community if there is interest.

Thank you for the help!
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: bartjsmit on December 07, 2016, 01:05:31 pm
I am looking at a similar setup but with a MikroTik RouterOS VM to make the routing decisions, since it will do policy based routing on URL.

Bart...
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: cake on December 08, 2016, 12:35:38 pm
+1
That's 3 of us.
I have been trying to get selective routing to work too. I think it's easy to do, but there are no tutorials specific enough that I can find either. If nobody knows I can spend this weekend trying to find the way forward. I came close before but it seemed not 100% reliable on what interface a device on my LAN would use. I also use OpenVPN running on a VPS.
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: loden_richard on March 30, 2017, 03:38:44 pm
Is this topic still a thing? I finally got this working but I have no complete documentation. I would prefer to do a step by step approach with someone who needs this setup and use the descriptions to provide a how-to.
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: geofflowemn on April 01, 2017, 07:45:28 am
I actually got it working too (on 16.7.x; I haven't tried to migrate it to 17.1.x yet).  It would be interesting to compare notes.

I wrote down the steps and have a fairly complete write-up, but it is documented in Microsoft OneNote (with screen shots and such), so I'm not sure the best way to share it with others.

I think *someone* ought to document our collective knowledge and try to get into the official OPNsense wiki.  It seems like it might be useful for others.
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: tsol on April 02, 2017, 07:56:40 pm
I'm finally registering on the forum to voice my cry for help on this topic as well.


I just installed OpenVPN server on my host and thought it would be a simple thing to setup on my Opnsense router, but then I started gagging from drinking too much from the firehose.

When I read the documentation, it seemed like OPNsense implies it acts as the server, which threw me off a bit.

I am in need of a step by step to route all my OPNsense traffic to the OpenVPN server.
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: geofflowemn on April 03, 2017, 05:04:18 am
I am on travel this week, so I'm not in a position to post anything at the moment.

Perhaps "loden_richard" can help, if your need is immediate.

Otherwise, I will try to put something together when I get back.
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: M4DM4NZ on April 07, 2017, 03:42:19 am
Hi geofflowemn,

Let us know when you're back. I've been trying to get this VPN routing to work with no luck; I've tried many combinations of settings under Outbound NAT and Firewall rules.

Question: Under the OpenVPN connection log, does your system report any FURTHER entries after "Initialization Sequence Completed"? (Once it's reporting as connected)

Just trying to compare outputs.

Cheers
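Two of the questions in this thread (geofflowemn's point 3 about the server pushing a default gateway and DNS servers, and M4DM4NZ's question about entries after "Initialization Sequence Completed") can be answered from the OpenVPN client log. The script below is an added example, not code from any poster or from OPNsense; it assumes the standard OpenVPN 2.x client log format and uses a constructed sample log, not a capture from anyone's system.

```python
import re

# Constructed sample of an OpenVPN 2.x client log (not a real capture). The server
# pushes a default route and a DNS server, and two messages follow initialization.
SAMPLE_LOG = """\
Thu Apr  6 08:00:01 2017 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO]
Thu Apr  6 08:00:02 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Thu Apr  6 08:00:03 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Apr  6 08:00:03 2017 /sbin/ifconfig ovpnc1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Thu Apr  6 08:00:04 2017 Initialization Sequence Completed
Thu Apr  6 09:00:04 2017 TLS: soft reset sec=0 bytes=12345678/0 pkts=9999/0
Thu Apr  6 09:00:05 2017 VERIFY OK: depth=1, CN=example-vpn-ca
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")
INIT_DONE = "Initialization Sequence Completed"


def pushed_options(log_text):
    """Options from the most recent PUSH_REPLY the server sent, or [] if none seen."""
    opts = []
    for m in PUSH_RE.finditer(log_text):
        opts = m.group(1).split(",")[1:]  # drop the leading 'PUSH_REPLY' token
    return opts


def routing_risks(options):
    """Flag pushed options that would override the firewall's own routing/DNS choices."""
    risks = {}
    for opt in options:
        words = opt.split()
        if words and words[0] == "redirect-gateway":
            risks["default_route_pushed"] = opt          # VPN becomes the default route
        elif len(words) >= 3 and words[0] == "dhcp-option" and words[1] == "DNS":
            risks.setdefault("dns_pushed", []).append(words[2])  # server-chosen resolver
    return risks


def lines_after_init(log_text):
    """Lines logged after the client reported connected; None if it never did."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if INIT_DONE in line:
            return lines[i + 1:]
    return None


if __name__ == "__main__":
    print("risks:", routing_risks(pushed_options(SAMPLE_LOG)))
    print("after init:", lines_after_init(SAMPLE_LOG))
```

If the report shows a pushed default route or DNS server, the per-rule gateway selection described in this thread is competing with what the server pushed; OpenVPN's `route-nopull` client option makes the client ignore pushed routes so the firewall rules alone decide the egress path.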
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: M4DM4NZ on April 10, 2017, 02:00:21 pm
Hey geofflowemn,

I have created a "HOW TO" on setting up VPN routing with OPNsense; these should be the droids you're looking for ;)

https://forum.opnsense.org/index.php?topic=4979.msg19771#msg19771
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: Nnyan on April 11, 2017, 10:50:17 pm
Awesome I'm going to give this a whirl.
Title: Re: Configuring OPNsense as an OpenVPN client to a VPN server
Post by: geofflowemn on June 03, 2017, 07:07:16 am
Good write-up!  I'm sorry I never got back to this. My steps are mostly the same or equivalent.