OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: M4DM4NZ on April 10, 2017, 01:34:53 pm

Title: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on April 10, 2017, 01:34:53 pm
Hi Guys,

Below is a step by step guide to configuring Opnsense 17.1.4 to route LAN traffic out via your private VPN provider.
(In my case, AirVPN)

I have a setup where I want all computers on my LAN to have a direct connection to the Internet, but "Some" computers I want connected to the VPN *cough torrenting cough *

===================================================================
Step 1:

Get all your certificate information together: (cert files supplied from your private VPN provider)

  - VPN_Provider.ovpn
  - CA.crt (Certificate Authority)
  - TA.key (OpenVPN Static key V1)
  - User.crt (User Certificate)
  - User.key (RSA Private Key)

===================================================================
Step 2:

Navigate to System > Trust > Authorities, "add or import CA"

 - Descriptive name: VPNCA
 - Certificate data: (paste the contents of your CA.crt file here)
 - Certificate Private key:(paste the contents of your user.key file here, AKA RSA Private Key)
 - Serial for next Certificate : None

SAVE

===================================================================
Step 3:

Navigate to System > Trust > Certificates, "add or import certificate"

 - Method: Import an existing Certificate
 - Descriptive name: none
 - Certificate data: (paste the data in your user.crt file here)
 - Private key data: Leave blank, otherwise enter your user.key data here, mine was manually entered in on the next step.

SAVE

===================================================================
Step 4:

Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings:(some may differ depending on your VPN provider)

 - Server Mode: Peer to Peer (SSL/TLS)
 - Protocol: UDP (check your ovpn file)
 - Device Mode: tun (check your ovpn file)
 - Interface: (Your WAN interface)
 - Local port: 443 (check your ovpn file)
 - Server Host or Address: 123.45.67.890 (check your ovpn file)
 - Server Port: 443 (check your ovpn file)
 - Server host name resolution: Ticked
 - Description: "Name of your VPN Provider"

Cryptographic Settings:

 - TLS Authentication: Ticked (paste the data in your ta.key file here, AKA OpenVPN Static key V1)
 - Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
 - Client Certificate: Select "Userkey CA:VPNCA *In Use"
 - Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit block)
 - Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
 - Disable IPV6: Ticked
 - Advanced Configuration: Paste the below data into the field:

   persist-key
   persist-tun
   remote-cert-tls server
   auth-nocache

 - Verbosity level: 3

SAVE

NOTE: The first time you enter this page, the "TLS Authentication" section to paste your ta.key does not show up until you've clicked save. So go back to this menu after saving, and paste it in.

===================================================================
Step 5:

Check to see if your VPN connection is online,

 - Navigate to VPN > OpenVPN >  Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words " Initialization Sequence Completed "
If you've come this far you're on the right track :)

===================================================================
Step 6:

 - Navigate to Interfaces > Assignments
 - Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
 - Click the orange "+" button
 - Tick Enable Interface and Save
 - Description = VPN (note this is a "Virtual" interface, it's not referenced to a physical Ethernet port)
 - IPV4 Configuration type = DHCP
 - IPV6 = None
 - Note: Leave all other settings as default (empty/unticked)

===================================================================
Step 7:

 - Navigate to Firewall > Aliases > View
 - Add a new Alias
 - Name: VPNTraffic
 - Description : VPNTraffic
 - Type: Host
 - First entry: 192.168.X.X

NOTE: Enter the IP address of the computers/devices you want on the VPN here. I personally enter the IP address of the wireless router I have attached to my LAN; the wireless router has DHCP enabled, so all wireless devices connected to this access point have their traffic passed via the VPN.

If you don't have a spare Wifi router, you can manually add IPs of computers on your network here.

My Network Map:  WAN--->Opnsense--->LAN--->Switch--->Wifi router running its own DHCP - - - -> "Wireless devices"

!!!WARNING!!! Don't dodge this step, even if you think you know what I'm doing; the aliases are the whole point, and it won't work without them.

 - SAVE

===================================================================
Step 8:

OK, so here's the weird part. This had me going nuts for a while, but after a bottle of Jack Daniel's Tennessee Honey, it finally clicked!
You NEED to use aliases rather than specifying IP ranges directly; it makes all the difference for some reason, even though the concept is the same.

 - Navigate to Firewall > NAT > Outbound
 - Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
 - Add a new rule

Rule 1.
 - Interface: VPN (The one you created in Step 6)
 - Source: VPNTraffic ( The alias you created in Step 7)
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
 NOTE: Leave ALL other options as default/any

Rule 2. (Same as Rule 1, but....)
 - Destination port: 500 (Select "Other" from dropdown menu and enter 500 in the field)
 - Static Port: Ticked
 NOTE: Leave ALL other options as default/any

Rule 3.
 - Interface: VPN (The one you created in Step 6)
 - Source: Single host or network, 127.0.0.0 / 8
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any
NOTE: Make sure the above rules "are above" your auto generated WAN outbound rules when looking at the entire list from top to bottom.

 - Apply settings.

===================================================================
Step 9:

 - Navigate to Firewall > Rules > LAN

NOTE: The order of rules from top to bottom on this page matters.
Starting at the top, you should have the "Anti-Lockout Rule".
Next, start adding rules as follows:

Rule 1. (The rule to pass selected clients' traffic out via the VPN)
 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: VPNTraffic (Alias)
 - Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)

Rule 2. (Pass all other traffic out via the default gateway "WAN")

 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: Any
 - Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway; the name might be different depending on your WAN connection method)

 - Apply settings

NOTE: All other tabs in my rules section (e.g. OPENVPN/VPN/WAN) are empty; NO RULES exist.
Your settings may differ, but that's the basic setup. Also, check:
https://www.dnsleaktest.com/ and
https://www.ipchicken.com/
after you've completed these steps.

===================================================================
DONE :)

If I've missed anything, feel free to troll ;)

Cheers


Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: eptesicus on May 05, 2017, 12:32:10 am
This is fantastic! Thank you so much for the write-up. I just built a new router with the intention of doing this. I just set it up today when my gigabit internet connection was installed, and thanks to your write-up, I got VPN setup on my torrent server easily.

Do you have any issues with DNS leaks? Mine's failing DNS leak tests, and I'm curious how to combat that.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on May 11, 2017, 04:34:11 am
Thanks Eptesicus :)

Yeah, I tested the DNS leak on my setup using dnsleaktest.com and found no issues; my results pointed to the correct DNS server of my VPN provider, so I'm guessing your issue could be with your VPN provider.

Maybe try connecting another PC directly to the DMZ and installing the VPN client software supplied by your VPN provider, then try dnsleaktest.com again.

Cheers :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: eptesicus on May 12, 2017, 08:57:53 pm
> Thanks Eptesicus :)
>
> Yeah, I tested the DNS leak on my setup using dnsleaktest.com and found no issues; my results pointed to the correct DNS server of my VPN provider, so I'm guessing your issue could be with your VPN provider.
>
> Maybe try connecting another PC directly to the DMZ and installing the VPN client software supplied by your VPN provider, then try dnsleaktest.com again.
>
> Cheers :)


I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!

Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.

Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?

Thanks again!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on May 15, 2017, 04:51:15 am
Hey mate,

No, I haven't tried using other DNS providers besides my VPN provider, but I'll look into this.

I'm pretty sure when my VPN connection drops out (which doesn't happen that often) traffic to my torrent client just stops. I'll check my settings soon and post an update.

Cheers.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: pauld70 on May 25, 2017, 06:13:29 pm
Hi

I have been trying to get this working; all the IP addresses I set up to go through the VPN work correctly. However, any traffic not going via the VPN cannot reach the internet. The first time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried, everything seemed to connect correctly to the internet but I still could not reach anything, and setting a manual IP and DNS did not work this time.

Is there any way to test why this is not working correctly?

thanks
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tsol on June 06, 2017, 04:16:07 pm
I just want to clarify my understanding of step one. Are these the certs I created on the OpenVPN server on my remote host, or are these newly created ones made locally?

I just rolled my own OpenVPN install on my host using this guide:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

and I'm trying the Adguard DNS entries:

https://adguard.com/en/adguard-dns/overview.html

My ultimate dream is to somehow get the SSL bump configured either locally or at my remote host to block Outbrain/Taboola and all the other crap that loads on https sites I go to. I could use some help architecting the overall solution, but the first step is to route everything through the VPN.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on June 18, 2017, 02:16:35 am
Hi Tsol,

The certs in step one are created by your VPN provider, ie. the ones you download from the particular VPN provider you're registered with.

Not sure about the Adguard DNS stuff, haven't had time to play with it much :/

Cheers
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on June 18, 2017, 02:21:58 am
> Hi
>
> I have been trying to get this working; all the IP addresses I set up to go through the VPN work correctly. However, any traffic not going via the VPN cannot reach the internet. The first time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried, everything seemed to connect correctly to the internet but I still could not reach anything, and setting a manual IP and DNS did not work this time.
>
> Is there any way to test why this is not working correctly?
>
> thanks

Hi Pauld70,

Not sure what's going wrong there, but just to compare, I also have my DNS set to static, using Google's DNS 8.8.8.8 as secondary and OPNsense's default IP 192.168.1.1 as the primary.

Hope this helps.

Cheers
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tatail on July 29, 2017, 03:33:14 am
Hi there,

Thank you very much for such a detailed step by step really helped with a lot of the stuff (I am a total noob).

I am looking to use VPN for a single port and the rest of the traffic to be regular.
I read that it is possible on pfSense so I was thinking that at least 60% of your guide would be the same for forwarding only a single port through VPN on OpnSense.

Could you help me with that?

Thank you.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ThePOO on August 11, 2017, 05:25:03 am
M4DM4NZ .....

Step 9:

Rule 1:

Shouldn't

Source:  VPNRouter

actually be

Source:  VPNTraffic
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on August 25, 2017, 05:58:35 am
> M4DM4NZ .....
>
> Step 9:
>
> Rule 1:
>
> Shouldn't
>
> Source:  VPNRouter
>
> actually be
>
> Source:  VPNTraffic

Thanks for spotting that dude, I have updated the Guide...
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Noctur on September 15, 2017, 05:20:46 pm
M4DM4NZ - Thank You! Excellent write-up.

I have exactly the opposite need - want my general traffic through the VPN (because everything you do on the internet now is fair game - thanks loads, congress), but since services like Netflix and Hulu block VPN traffic, I want to route only the Netflix, etc over a clear connection. Even though Nord states you can stream through their service, eventually Netflix and Hulu identify the exit node and block it - even if it is within the US.

I'm planning to go through this over the weekend and set up just the Netflix traffic. Any pointers on how to achieve that? My VPN is already set up and working fine. TIA
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: skirge01 on September 15, 2017, 06:18:30 pm
I've been trying to get this working for months (seriously) and I keep running into DNS breaking.  One difference with my setup is that I'm not using a wireless router for DHCP, so I only added a single IP address into the VPNTraffic Aliases you had us create. That one computer is the only one I want to have its traffic forced over the VPN.  The other difference is that I use OPNsense as a private VPN server outside of the third party provider I set up using your instructions.

I've done a ton of testing and it is definitely only DNS which is broken. The internet connection itself is actually functioning; even Windows says as much.  For some reason, I can't get my networked computers to reach the DNS server (my OPNSense server, which is configured for OpenDNS). If I manually input a DNS server on the computers, everything works. I've tried disabling the OpenVPN firewall rule, as well as the private OpenVPN server without any change in DNS.

If I disable either the VPNTraffic to VPN_DHCP rule or the ANY to WAN_DHCP rule, DNS begins working again. Also, as expected, if I push the Default Allow Any rule above the rules I created using your guide, DNS works again.

Any insight would be greatly appreciated.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: NilsS on September 19, 2017, 07:48:20 pm
You need a rule on your LAN interface:
-> pass -> Interface: LAN -> IPv4 -> TCP/UDP -> Source: any -> Destination: This Firewall -> DNS:DNS

The tutorial also has some errors:
CA Cert -> ca.crt
CA Key -> empty *
CERT Cert -> cert.crt
CERT Key -> priv.key

Interface ovpnc does not need IPv4 DHCP (just None)

Also, there is no DNS leakage prevention. If the client uses another static DNS it will leak.
There needs to be either a BLOCK rule for all DNS traffic other than to the VPN DNS server (in case of AirVPN, 10.x.0.1),
or you can use a NAT -> Port Forward rule to redirect all DNS traffic to that DNS server.

Another way is to use the local unbound DNS server if you want all your local LAN traffic to use the VPN but also need local DNS names.
Just put the following in the unbound custom config (for AirVPN):

  forward-zone:
    name: "."
    forward-addr: 10.5.0.1
    forward-addr: 10.4.0.1

I can add some details for VPN-Failover later
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: NilsS on September 22, 2017, 10:14:36 am
As promised (most of it is the same as in the initial post from M4DM4NZ, but DNS leak and SMB/CIFS username leak prevention is extra):
Code:
####################################################################
Firewall -> Aliases -> view [ add a new alias ]
[ Type ]        Network
[ Name ]        N_LOCALNETS
[ Description ] All local Networks
[ Aliases ]
    192.168.x.x/XX (your local networks)
[SAVE]
                            [ add a new alias ]
[ Type ]        Network
[ Name ]        N_VPNUSER
[ Description ] All Hosts/Networks that should use VPN
[ Aliases ]
    192.168.x.x/32 (your hosts or networks that should use VPN)
[SAVE]
                            [ add a new alias ]
[ Type ]        Hosts
[ Name ]        H_ALLOWED_DNS
[ Description ] allowed DNS Server
[ Aliases ]
    10.4.0.1
    10.5.0.1
    10.30.0.1
    10.50.0.1
[SAVE]
                            [ add a new alias ]
[ Type ]        Ports
[ Name ]        P_MS_CIFS_SMB
[ Description ] block some MS ports
[ Aliases ]
    137
    138
    139
    445
[SAVE]

####################################################################
Firewall -> NAT -> Outbound
[X] Manual outbound NAT rule generation
## change the rest later
####################################################################
System -> Trust -> Authorities [ Add or import CA ]
[ Descriptive name ]            AIRVPN CA
[ Method ]                      import an existing
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<ca> section from .ovpn config
-----END CERTIFICATE-----
[SAVE]
####################################################################
System -> Trust -> Certificates [ add or import certificate ]
[ Method ]                      import an existing
[ Descriptive name ]            AIRVPN Client Auth
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<cert> section from .ovpn config
-----END CERTIFICATE-----

[ Private key data ]
-----BEGIN RSA PRIVATE KEY-----
<key> section from .ovpn config
-----END RSA PRIVATE KEY-----
[SAVE]
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ]                 Peer to Peer (SSL/TLS)
[ Protocol ]                    UDP (or TCP)
[ Device mode ]                 tun
[ Interface ]                   WAN
[ Server host ]                 nl.vpn.airdns.org (or whatever region you like)
[ Server port ]                 443 ( alternative 53/80/1194 )
[ Server host name resolution ] [X]
[ Description ]                 AIRVPN1

[ TLS Authentication ]  [X] enable authentication
                        [ ] automatically generate
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----

[ Peer Certificate Authority ]  AIRVPN CA
[ Client Certificate ]          AIRVPN Client Auth
[ Encryption algorithm ]        AES-256-CBC (256 bit key, 128 bit block)
[ Auth Digest algorithm ]       SHA1 (160bit)
[ Hardware Crypto ]             No Hardware (AESNI is automatic)
[ Compression ]                 Disabled
[ Disable IPv6 ]                [X]

[ Advanced ]
mssfix 1379; ## try to hide OpenVPN
fast-io; ## only for UDP
explicit-exit-notify 4; ## only UDP
server-poll-timeout 10;
key-direction 1;
key-method 2;
keysize 256;
prng SHA512 64;
remote-cert-tls server;
tls-version-min 1.2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
reneg-sec 3600;
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

[SAVE]
####################################################################
VPN -> OpenVPN -> Clients: [ AIRVPN1 -> clone ]
[ Server host ] use a different server
[ Server port ] use a different Port ( IMPORTANT for different IP Pool https://airvpn.org/specs/ )
[ Description ] AIRVPN2
[SAVE]

####################################################################
Interfaces -> Assignments
New interface: ovpnc1       [ + ] (could be different if you have an openvpn server / use the last two)
New interface: ovpnc2       [ + ]
[ OPTx ]
    [ Enable ]                  [x]
    [ Description ]             AIRVPN1
    [ Block bogon networks ]    [x]
    [SAVE]
[ OPTx ]
    [ Enable ]                  [x]
    [ Description ]             AIRVPN2
    [ Block bogon networks ]    [x]
    [SAVE]
####################################################################
System -> Gateways -> All
[ AIRVPN1_VPNV6 ]
    [ Disabled ]    [x]

[ AIRVPN2_VPNV6 ]
    [ Disabled ]    [x]

[ AIRVPN1_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

[ AIRVPN2_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

####################################################################
System -> Gateways -> Group [ Add group ]
[ Group Name ]          GRP_AIRVPN
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 1 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Loadbalance
[SAVE]
                            [ Add group ]
[ Group Name ]          GRP_AIRVPN_1_2
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 1 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 2 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Failover 1 -> 2
[SAVE]

                            [ Add group ]
[ Group Name ]          GRP_AIRVPN_2_1
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 2 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Failover 2 -> 1
[SAVE]

####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ]          [x] Skip rules when gateway is down (IMPORTANT)
[ Sticky connections]   [x] Use sticky connections (for loadbalance group)
####################################################################
Firewall -> NAT -> Outbound
[+]
    [ Interface ]           AIRVPN1
    [ TCP/IP Version ]      IPv4
    [ Protocol ]            any
    [ Source address ]      N_LOCALNETS
    [ Destination invert ]  [X]
    [ Destination address ] N_LOCALNETS
    [ Translation/target ]  Interface address
    [SAVE]
[ AIRVPN1 ] [CLONE]
    [ Interface ]           AIRVPN2
    [SAVE]
####################################################################
Firewall -> Rules -> LAN (or whatever interface you want to force traffic to VPN /
            repeat for other internal interfaces or group them and use the rules on the group interface )
[+]
    [ Action ]                  block
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  N_VPNUSER
    [ Destination invert ]      [X]
    [ Destination ]             N_LOCALNETS
    [ Destination portrange]    P_MS_CIFS_SMB
    [ Description ]             Block MS CIFS/SMB
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
[+]
    [ Action ]                  pass
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  N_VPNUSER
    [ Destination ]             H_ALLOWED_DNS
    [ Destination portrange]    DNS DNS
    [ Description ]             Allow traffic to allowed DNS Server
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
[+]
    [ Action ]                  pass
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                any
    [ Source ]                  N_VPNUSER
    [ Destination invert ]      [X]
    [ Destination ]             N_LOCALNETS
    [ Description ]             force traffic over VPN
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ]                   LAN (or LANGROUP)
[ TCP/IP Version ]              IPv4
[ Protocol ]                    TCP/UDP
[ Source ]                      N_VPNUSER
[ Destination invert ]          [X]
[ Destination ]                 H_ALLOWED_DNS
[ Destination portrange]        DNS DNS
[ Redirect Target ]             single Host or Network
                                10.5.0.1 (or any other from the allowed DNS)
[ Redirect Target Port ]        DNS
[ Description ]                 redirect all DNS to allowed DNS
[SAVE]

check results of
https://ipleak.net/
https://www.dnsleaktest.com/
http://witch.valdikss.org.ru/
https://browserleaks.com/ip


EDIT: changed the advanced section to remove the VPN default gateway
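Steps 1-4 of the guide and the walkthrough above both copy pieces of the provider's .ovpn profile into OPNsense form fields. As an added example (not code from either post), this Python script pulls the inline sections and the directives the Step 4 form asks about out of a profile, names the field each one belongs in, and flags anything the profile leaves out; the sample profile, its host and its PEM bodies are constructed placeholders.

```python
"""Extract from a provider .ovpn profile the pieces the OPNsense OpenVPN client
form asks for and label each with its Step 4 field.  Added example, not from the
thread; the profile below is constructed and its PEM bodies are placeholders."""
import re
from typing import Dict, List, Optional

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 123.45.67.89 443
persist-key
persist-tun
remote-cert-tls server
auth-nocache
cipher AES-256-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
KEY-PLACEHOLDER
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Options the guide copies into the client's Advanced configuration box.
ADVANCED_KEEP = ("persist-key", "persist-tun", "remote-cert-tls", "auth-nocache")


def parse_ovpn(text: str) -> Dict[str, object]:
    """Split a profile into plain directives and inline PEM blocks."""
    blocks: Dict[str, str] = {}
    # Inline sections that stand in for the CA.crt/User.crt/User.key/TA.key files of Step 1.
    for tag in ("ca", "cert", "key", "tls-auth"):
        m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", text, re.S)
        if m:
            blocks[tag] = m.group(1)
    # Strip inline blocks first so PEM lines are not read as options.
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives: Dict[str, List[List[str]]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return {"directives": directives, "blocks": blocks}


def opnsense_client_fields(profile: Dict[str, object]) -> Dict[str, Optional[str]]:
    """Map a parsed profile onto the Step 4 form fields and flag gaps."""
    d: Dict[str, List[List[str]]] = profile["directives"]  # type: ignore[assignment]
    blocks: Dict[str, str] = profile["blocks"]  # type: ignore[assignment]

    def first(name: str, default: Optional[str] = None) -> Optional[str]:
        vals = d.get(name)
        return vals[0][0] if vals and vals[0] else default

    remotes = d.get("remote", [])
    # The first "remote host [port]" wins; OpenVPN's default port is 1194.
    host = remotes[0][0] if remotes else None
    port = remotes[0][1] if remotes and len(remotes[0]) > 1 else first("port", "1194")
    # proto may be udp, udp4, tcp-client...; the form only offers UDP or TCP.
    proto = "TCP" if str(first("proto", "udp")).lower().startswith("tcp") else "UDP"
    advanced = [" ".join([k] + v[0]) for k, v in d.items() if k in ADVANCED_KEEP]

    warnings: List[str] = []
    for tag, hint in (("ca", "import CA.crt under Trust > Authorities"),
                      ("key", "paste User.key as the client certificate's key"),
                      ("tls-auth", "leave TLS Authentication unticked")):
        if tag not in blocks:
            warnings.append(f"no inline <{tag}>: {hint}")
    if "remote-cert-tls" not in d:
        warnings.append("remote-cert-tls missing: another client cert could pose as the server")
    return {
        "Server Host or Address": host,
        "Server Port": port,
        "Protocol": proto,
        "Device Mode": first("dev", "tun"),
        "Encryption": first("cipher", "BF-CBC"),  # OpenVPN's historical default
        "Auth Digest Algorithm": first("auth", "SHA1"),
        "Peer Certificate Authority": blocks.get("ca"),
        "Client Certificate": blocks.get("cert"),
        "Client Certificate private key": blocks.get("key"),
        "TLS Authentication": blocks.get("tls-auth"),
        "Advanced configuration": "\n".join(advanced),
        "Warnings": "; ".join(warnings),
    }
```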
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Gargamel on October 15, 2017, 05:59:57 pm
When I try these NAT / Firewall rules, my network gets totally BLOCKED, and I have pass in the rule..

Can't access the firewall, cannot ping the outside internet; the pass rule in the latest firmware "pass" seems to mean "block everything"..

Hmm, after I disabled the rule, it started to route through the VPN, weirdly.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Kevin99 on December 20, 2017, 11:16:38 pm
Nice instructions!
VPN is up but I have DNS problems. I can do DNS address pings and traceroute from the Opnsense box OK, but not from PCs.
Can anyone tell me what the settings in General should be, and what to use, unbound or dnsmasq, and how?
Also DHCP does not work properly, also seems to be DNS, what settings should be there?
Any other suggestions? I tried a lot of different settings but I am stuck!
NilsS's instructions seem to get me the furthest. I read a lot; perhaps I need some code in a file to get it working, push DNS?

Thanks a lot all!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Kevin99 on December 25, 2017, 10:34:23 am
I got it working.
Can anyone please tell me if the alias for VPN users should be like this? Network
192.168.3.1/24
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ExGarder on January 22, 2018, 10:28:36 pm
None of these howtos are working for me.
I'm on version 17.7.12

At the best I have no access to internet, but still have access to opnsense.
At worst opnsense is bricked, no access to it.

Does someone get this running?
Can You tell me what is missing in the howto's?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: richardmountain on January 25, 2018, 12:08:45 pm
First post :)

I too am having issues getting this set up. I've gone through all of the settings mentioned in this forum post, but I'm still struggling to route my traffic through the VPN; the VPN is up and running and connected, it just seems to be the firewall rules that I'm struggling with.

I will keep at it and post back when I finally get it working, hopefully between all of us that are struggling we can all get it sorted.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: kein on January 25, 2018, 05:33:44 pm



> I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!
>
> Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.
>
> Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?
>
> Thanks again!

Hi,

thanks OP for the post, it works just fine.
For the kill-switch part I had the work done with an extra NAT/outbound rule.
Rule to add after the ones concerning the VPN:
Clone the WAN default rule (LAN->WAN), check "do not NAT".
Put the rule AFTER the rules specified by M4D and BEFORE the default rules.

WAN    proxytraffic     *    *    *    NO NAT    *    NO    proxy killswitch

The rule blocks the traffic from the alias_proxytraffic from going through the normal WAN gateway,
as, if the VPN client goes down, the PC will use the default WAN gateway.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: richardmountain on January 25, 2018, 10:11:27 pm
Well, my update:

I'm halfway there, for example, I can ping the google.com IP address and get a response but pinging the domain name doesn't work.  I know it's a DNS issue but I can't for the life of me work out how to fix it.

I see Kevin99 had a similar issue but has neglected to inform the rest of us how he managed it :(

If anyone can help it would be much appreciated.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on February 03, 2018, 09:09:06 pm
Any plans to update your instructions/tutorial for OPNsense version 18.1.1? I'm having a heck of a time getting my OPNsense box up as a VPN client.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: franco on February 05, 2018, 08:56:07 am
There may be a bug in the way of outbound NAT generation on OpenVPN interfaces. We're hoping for 18.1.2 to address this.

Cheers,
Franco
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: paulswansea on February 09, 2018, 05:46:32 pm
Any update as to whether anyone can get this working?  I have 18.1.2_2 installed, just setting up the configuration. I have followed the instructions and the VPN clients connect successfully; however, when I try to connect a host to them, web pages don't load.

I also noticed, when switching the NAT outbound rules to manual, the automatic ones disappear. Is this supposed to happen? On the previous version it used to leave the standard WAN interface rules there which made things easier.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ragemachinest on February 10, 2018, 10:19:39 am
> Hi
>
> I have been trying to get this working; all the IP addresses I set up to go through the VPN work correctly. However, any traffic not going via the VPN cannot reach the internet. The first time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried, everything seemed to connect correctly to the internet but I still could not reach anything, and setting a manual IP and DNS did not work this time.
>
> Is there any way to test why this is not working correctly?
>
> thanks

Paul,

I'm having this exact same issue. I was previously on pfsense and recently switched over. I set up OPNsense to where all traffic routed through a VPN, but I set up specific LAN rules to allow certain boxes, like my Roku, to exit through the WAN gateway for Netflix/Amazon purposes. When I try to do that same rule in OPNsense, I get no internet connectivity at all. I tried to identify where the failure is but haven't been able to figure it out yet. If anyone has thoughts, please let me know. :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on February 12, 2018, 03:11:20 pm
I am having the exact same issue on OPNsense v18.1.1_2. I have been trying to migrate to OPNsense, but I cannot get OPENVPN to route traffic correctly which I need, and this forces me to restore my pfSense setup in the interim.
I have tried setting up OPENVPN like I have numerous times on pfSense using the same steps on a clean install of OPNsense to no avail. I can connect to my VPN provider (via client mode), but traffic does not route through the VPN even with the correct NAT and firewall rules in place.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dominian on February 12, 2018, 03:22:22 pm
Can you show us the rules in question within the OPNsense GUI that you're trying?


I use PIA and have my network default route set to my PIA interface.  I then have a list of 'hosts' that should bypass PIA setup in the firewall and it works great.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on February 14, 2018, 02:43:22 am
Hi,

Here is my situation with this issue.

I'm fully updated on 18.1.2_2.

I followed this how-to when I was still on 17.7.something (one of the latest ones, in case that matters).

The only thing I did different is "Step 8, the Manual outbound NAT generation" bit, as the only way to keep the automated and manual rules in place at the same time is by using the "hybrid" setting.
Of course I also tried to use manual but it does not make any difference.

In my setup I want to have all traffic coming from a VLAN (10.55.59.0/24) to be routed through the OpenVPN connection, while untagged traffic coming from 10.55.55.0/24 will reach the internet directly.

The correct gateway for the network is 10.55.50.1, while the gateway for the OpenVPN connection is something like 46.246.85.1.

Problem #1
When OpenVPN is connected to its server, 10.55.59.0/24 correctly goes on the internet through the encrypted tunnel, but unfortunately 10.55.55.0/24 has no Internet access whatsoever (tested with something like "ping 8.8.8.8" or curl).

If it helps understanding, checking the routes I can see this:

% netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.50.1         00:e0:4c:65:25:da  UHS        igb0
10.55.50.2         link#1             UHS         lo0
10.55.55.0/24      link#2             U          igb1
10.55.55.1         link#2             UHS         lo0
10.55.59.0/24      link#14            U      igb1_vla
10.55.59.1         link#14            UHS         lo0
10.55.60.0/24      link#3             U          igb2
10.55.60.1         link#3             UHS         lo0
10.55.61.0/24      link#10            U      igb2_vla
10.55.61.1         link#10            UHS         lo0
10.55.62.0/24      link#11            U      igb2_vla
10.55.62.1         link#11            UHS         lo0
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
46.246.85.1        link#9             UH       ovpnc1
46.246.85.21       link#9             UHS         lo0
84.200.69.80       00:e0:4c:65:25:dd  UHS        igb3
84.200.70.40       00:e0:4c:65:25:dd  UHS        igb3
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
192.168.5.0/24     link#4             U          igb3
192.168.5.1        00:e0:4c:65:25:dd  UHS        igb3
192.168.5.131      link#4             UHS         lo0
192.168.17.0/24    192.168.5.1        UGS        igb3
192.168.20.0/24    192.168.5.1        UGS        igb3
192.168.40.0/24    192.168.5.1        UGS        igb3

Problem #2
ovpnc1 has higher priority than igb0, so the router itself goes on the internet through OpenVPN, and I don't want that.


Any tips on debugging the current issues will be appreciated.


Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on February 16, 2018, 10:26:08 am
Hi Andrea,

Well, I'm a little stuck too... I wrote the original HOW-TO for getting this going under 17.x but this new version is not playing nice.

I've been trying a combination of settings but no luck so far, fingers crossed, this could just be a bug that gets corrected in the next update.

Will keep everyone posted on here if I find a work-around.

Cheers :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on February 18, 2018, 03:02:53 pm
Hi Andrea,

Well, I'm a little stuck too... I wrote the original HOW-TO for getting this going under 17.x but this new version is not playing nice.

I've been trying a combination of settings but no luck so far, fingers crossed, this could just be a bug that gets corrected in the next update.

Will keep everyone posted on here if I find a work-around.

Cheers :)
Hi @M4DM4NZ have you been able to make any progress on this issue?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on February 18, 2018, 11:49:06 pm
I did manage to get it going (kinda).

I inverted my original setup so by default all traffic passes by the VPN, then set a rule pointing a single PC on my network to have access to the WAN directly. (DMZ)

After messing around with these setting for HOURS! I did manage to get it working, but it wasn't stable.

I had to flip the gateway setting in the LAN rule for the single PC that required WAN access, then flip it back so the gateway was using the VPN, then flip it back again.

It worked fine (until that single PC released/renewed its IP address)

so, for now I've reverted back to 17.x until I can find more time to take another look at it.

Keep you posted.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on February 25, 2018, 09:19:39 pm
..i have the same problem..i just switched to opnsense :(, spent 2 days for basic config, today lost whole day and unable to make routing through VPN work.

Is there a bug open for this? because something is obviously wrong?

Anyone managed to make this work?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: relink2013 on February 28, 2018, 12:32:04 am
I'm following this closely as well, and this tutorial right here is the whole reason I went with OPNSense.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on February 28, 2018, 09:31:40 am
I did fresh install of opnsense and everything is working for me now :), don't ask me how. The only change I did in first try is to select LibreSSL under firmware settings..now I just use default OpenSSL.

Anyway..VPN works, policy routing works, I only need to do additional testing regarding DNS leaks..
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on February 28, 2018, 03:02:57 pm
I did fresh install of opnsense and everything is working for me now :), don't ask me how. The only change I did in first try is to select LibreSSL under firmware settings..now I just use default OpenSSL.

Anyway..VPN works, policy routing works, I only need to do additional testing regarding DNS leaks..
So what you are saying is that if one uses OpenSSL rather than LibreSSL, VPN NAT routing works on v 18.1.2_2?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on February 28, 2018, 03:14:28 pm
I can’t claim that in case LibreSSL selected routing doesn’t work, but this is the only thing i change on first installation. Maybe i also messed something else up can’t say. :)

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 06, 2018, 02:36:22 am
Hi,

Just to give everyone an update on this - I have patched OPNsense to the latest (18.1.3) but the issues reported in my previous comment (#29) still remain a problem.

Let me know if you experience anything different please.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on March 09, 2018, 09:49:07 pm
Has there been any progress on routing selective traffic over OpenVPN on v18.1.4? I haven't had a chance to update and test the routing on v18.1.3 nor v18.1.4. Still on 18.1.2_2.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 01:03:51 am
Hi,

I'm on 18.1.4 but I have not seen any progress regarding my situation.
My routing table still looks exactly the same as before, and I experience the same problems as before.

A couple of things I've noticed with the VPN on (and therefore with no connectivity):
1) checking the firewall log I can see that my ping to the google DNS servers (8.8.8.8) is allowed, but since I get no response, I assume the "reply" messages are blocked on the way back;
2) if I am pinging something (eg 8.8.8.8) while I enable the VPN, the ping keeps working - so something is blocking new connections, but not already established ones.

Regards,
Andrea

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 01:57:22 am
actually, possibly the biggest routing problem experienced (in my case) came from this rule:
0.0.0.0/1          46.246.85.1        UGS      ovpnc1

I thought this was added by OpnSense (for some reason) but it isn't; this rule is added by the VPN provider I use, therefore ticking either "Don't pull routes" or "Don't add/remove routes" (not too sure about the difference at this stage) stops OpnSense from pulling extra routes and messing up my routing table.

Now all VLANs can go on the Internet even when the VPN is enabled/working.
The only problem I'm left with now, is that the VLAN which should be tunneled through the VPN, isn't.

I'll have to investigate in that direction.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on March 13, 2018, 08:59:39 am
Are you using DNS resolver or DNS Forwarder?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 10:20:30 am
I'm using Unbound default settings (I think).
Anyway "Enable DNS Resolver" is ticked, while "Enable Forwarding Mode" is unticked.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on March 13, 2018, 11:59:11 am
I'm using unbound in Forwarder mode, since I don't need local lan name resolving.

I couldn't make it work with default settings (also my knowledge is limited)

For test try to use;

under Services - Unbound - tick these options:
Enable Forwarder Mode
Register DHCP leases in the DNS Resolver
Register DHCP leases in the DNS Resolver

Select outgoing network interfaces ... i have selected both WAN and VPN

Under System - Settings - General insert DNS addresses eg. 8.8.8.8 and tick

Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

Under VPN client settings tick; Don't pull routes

Maybe this will help you, if not, you could post your FW rules.

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 06:19:08 pm
I use local name resolving.

Anyway I don't think my problem is DNS related.
After having stopped pulling new routes from my VPN provider, every VLAN/subnet can go on the Internet freely.

The problem I have right now is that even the VLAN which should go on the Internet through the VPN only, does not go through the VPN tunnel.

So either I need to find a way to specify a different gateway for the "VPN VLAN", or I need to understand policy based routing.

So far I've been following these instructions by M4DM4NZ (BTW, thank you very much!!!), but if there is a better way (particularly now with 18.1.x) to achieve what I need, I'm all ears.

Regards,
Andrea

PS: is there a single place where to retrieve all FW rules? I have lots of subnets...
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: seamus on March 31, 2018, 07:11:26 pm
Hello All,

I've been watching this thread with interest as it's almost exactly what I want to do (uh, except I'm not using torrent, I'm just trying to get around some "geo-location" BS). I hoped that all questions and issues associated that have come up with the HOW-TO would be resolved in short order, but it's been over 2 weeks since the last post. Can someone provide an update on the status of this??

~S
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 31, 2018, 07:22:58 pm
Hi Seamus,

Unfortunately I made no progress since my last post.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mscucciari on April 10, 2018, 11:57:18 am

Hello,
has anyone managed to run openvpn client (airvpn - nordvpn - etc) under opnsense 18.x?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: karotte2000 on April 10, 2018, 07:44:02 pm
I was trying to get (Nord)VPN running and route all LAN traffic through it but I can’t get it working without pulling routes from the VPN Host, which in turn messes up my routing and all rules get “randomized”... is there any progress on this issue? Would it make sense to downgrade to 17.x?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on April 10, 2018, 08:04:29 pm
have you guys tried the latest 18.1.6 yet? I haven't.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: NilsS on April 12, 2018, 09:44:42 am
it's still running 18.1.6 (almost the same config as in Post https://forum.opnsense.org/index.php?topic=4979.msg25066#msg25066  )

just changed
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

to
route-nopull
route 10.4.0.0 255.255.0.0 10.4.0.1

but that's only working when you know the ipaddr/net and gateway of your VPN Provider

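The two posts above (andreab's routing table with the provider-pushed 0.0.0.0/1 and 128.0.0.0/1 entries, and NilsS's four "route X 192.0.0.0 net_gateway" lines) describe the same mechanism: longest-prefix match. The pushed /1 routes cover every destination and beat the /0 default without replacing it, so the router itself and every subnet end up in the tunnel; a /2 route via the WAN gateway is more specific still and wins back those destinations, and route-nopull keeps the /1 routes out of the table altogether. The following is an added example, not code from the thread or from OPNsense: it parses a FreeBSD `netstat -nr` table (the sample is constructed and trimmed from andreab's output), detects the def1 hijack, resolves a destination the way the kernel does, and simulates both fixes. The WAN gateway 10.55.50.1 and interface names come from the posted table.

```python
import ipaddress

# Constructed sample: trimmed from the `netstat -nr` output andreab posted.
# The provider pushed 0.0.0.0/1 and 128.0.0.0/1 via ovpnc1 (redirect-gateway
# def1 style); together they shadow the real default route on igb0.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.55.0/24      link#2             U          igb1
10.55.59.0/24      link#14            U      igb1_vla
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
"""


def parse_routes(text):
    """Parse the IPv4 rows of FreeBSD `netstat -nr` into
    (network, gateway, flags, iface) tuples; other rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest = parts[0]
        try:
            net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
                   else ipaddress.ip_network(dest, strict=False))
        except ValueError:
            continue
        if net.version != 4:
            continue
        routes.append((net, parts[1], parts[2], parts[3]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst, the same choice the kernel makes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def tunnel_hijacks_default(routes):
    """Return the interface holding both 0.0.0.0/1 and 128.0.0.0/1 when it is
    not the interface of the 'default' route, else None. Two /1 routes are
    what a pushed 'redirect-gateway def1' installs: they cover every
    destination and beat the /0 default without replacing it."""
    default_iface = next((r[3] for r in routes if r[0].prefixlen == 0), None)
    halves = {}
    for net, _gw, _flags, iface in routes:
        if net.prefixlen == 1:
            halves.setdefault(iface, set()).add(str(net))
    for iface, nets in halves.items():
        if nets == {"0.0.0.0/1", "128.0.0.0/1"} and iface != default_iface:
            return iface
    return None


def with_override_routes(routes, wan_gw, wan_iface):
    """Simulate NilsS's four 'route X 192.0.0.0 net_gateway' lines: /2 routes
    via the WAN gateway are more specific than the pushed /1 routes and win,
    while routes more specific than /2 (the tunnel's own /27) are untouched."""
    extra = [(ipaddress.ip_network(f"{first}.0.0.0/2"), wan_gw, "UGS", wan_iface)
             for first in (0, 64, 128, 192)]
    return routes + extra


def without_pushed_routes(routes, tunnel_iface):
    """Simulate route-nopull / 'Don't pull routes': the provider's /1 routes
    never land in the table; the tunnel's own subnet route stays."""
    return [r for r in routes
            if not (r[3] == tunnel_iface and r[0].prefixlen == 1)]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    print("tunnel owning both halves  :", tunnel_hijacks_default(table))
    print("8.8.8.8 as pushed          :", lookup(table, "8.8.8.8")[3])
    fixed = with_override_routes(table, "10.55.50.1", "igb0")
    print("8.8.8.8 with /2 overrides  :", lookup(fixed, "8.8.8.8")[3])
    print("8.8.8.8 with route-nopull  :",
          lookup(without_pushed_routes(table, "ovpnc1"), "8.8.8.8")[3])
```

Run it against the live table with `netstat -nr | python3 check_routes.py` style piping if you adapt the sample to `sys.stdin.read()`; a non-None result from `tunnel_hijacks_default` is exactly the "router itself goes through OpenVPN" condition andreab described, and the two simulations show why either fix restores the WAN default for the other subnets while the tunnel's own /27 keeps using ovpnc1.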
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: karotte2000 on April 12, 2018, 10:44:57 pm
@NilsS Thanks for your message. I tried out adding a route manually like you described (Advanced Options in VPN Client configuration) and now my system feels more deterministic again; I could check "Don't pull routes" and "Don't add routes" and it still works. Now I can tweak rules. Thank you!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: quirkyferret on April 24, 2018, 01:31:24 am
Following these instructions, I had this working in Jan.. but then I wanted to bring on another interface, set up a DMZ. I then had some issue with traffic not routing appropriately- it looks like I'm not the only one who ran into something like this, reading through the last few pages. I disabled the VPN client, and got the second interface working.

I've decided I want to tackle this again, ran through all the updates so I'm on 18.1.6. I can confirm the VPN client shows as up, I've followed the rules- but now I apparently can't get any traffic out through the VPN- no matter what host I add, (tried some VMs and some bare metal in case there was something weird I was missing), all traffic appears to hit my physical interfaces, rather than the virtual VPN interface.

edit: I missed a basic troubleshooting step. After a reboot, I could now send from my VPN alias out through the VPN.. along with all of my other traffic. Rereading the other issues people experienced, I experimented with the flags for 'don't pull routes' / 'don't add or remove routes'.

With 'don't pull routes' unchecked, and 'don't add or remove routes' checked.. everything appears to work.  Though I'm not sure exactly how confident I am in this.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jo3rg on May 21, 2018, 01:34:02 pm
I can confirm that:
With 'don't pull routes' unchecked, and 'don't add or remove routes' checked.. everything appears to work.
also did the trick for me.
Thanks a lot everybody and regards
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jafinn on May 28, 2018, 09:31:29 am
I got this working with 17 but after a crash and re-installation of 18 I can't get it to work anymore.

I tried multiple instructions for setting up a VPN Killswitch for both OPNsense and pfsense but I couldn't get any of them to work. I tried setting it up myself and it seems to be working.

Here's how it's set up on OPNsense 18.1.8:

 1. I created an alias for computers restricted to VPN

 2. Turned off gateway switching (not sure if this is needed)

 3. Created pass firewall rule on LAN interface
   - source "VPNalias"
   - gateway VPN
   - set local tag "VPN"
   - everything else as default

 4. Created floating rule
   - action "reject"
   - "quick" checked
   - interface WAN
   - direction out
   - match local tag "VPN"

 5. Create outbound NAT rule (hybrid mode)
   - interface VPN
   - source address "VPNalias"
   - translation/target "interface address"

As far as I can tell this setup blocks traffic when the VPN goes down but it seems so simplistic compared to any of the guides I followed. Am I missing something?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on May 29, 2018, 03:14:17 am
Hi,

Maybe it's just me, but I can't get this to work!

I can connect to the openVPN server, that has never been a problem.

I created a subnet 10.55.59.0/24, whose hosts are the only ones which should go through the VPN.

When I connect to the VPN, the router itself goes through the VPN (which it should not).
You can see from traceroute below:
root@routy:~ # traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 40 byte packets
 1  c-46-246-84-1.ip4.frootvpn.com (46.246.84.1)  34.104 ms  33.843 ms  33.998 ms
 2  178.73.195.97 (178.73.195.97)  35.006 ms  34.265 ms  34.585 ms
 3  be-1.cr1.sto2.se.portlane.net (80.67.4.208)  35.372 ms  35.370 ms  35.383 ms
 4  72.14.216.118 (72.14.216.118)  34.637 ms  34.987 ms  34.275 ms
 5  108.170.253.161 (108.170.253.161)  35.504 ms
    108.170.254.33 (108.170.254.33)  35.479 ms  35.283 ms
 6  216.239.58.43 (216.239.58.43)  34.759 ms
    72.14.236.85 (72.14.236.85)  34.908 ms
    74.125.37.157 (74.125.37.157)  34.624 ms
 7  google-public-dns-b.google.com (8.8.4.4)  34.819 ms  34.505 ms  35.023 ms


The default gateway is correct (10.55.50.1), but somehow it goes through the openVPN one.
root@routy:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.84.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
[..]



Hosts in other subnets (other than the VPN one), cannot get on the Internet:
root@willy:~# traceroute google.com
traceroute to google.com (172.217.22.174), 30 hops max, 60 byte packets
 1  routy.home (10.55.55.1)  0.200 ms  0.170 ms  0.179 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *

I've attached the NAT/outbound rules, as I'm pretty sure I'm doing something wrong there, as I don't really know what they should look like (10.55.59.0/24 is colour coded "black").
I found rules along those lines in some "random" tutorials, and a pfsense tutorial from 4 years ago! :-/

I tried both Hybrid and manual NAT rule generation (plus all sorts of combinations). No luck!

If anyone can give me some hints, it would be much appreciated.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: blackdwarf on June 01, 2018, 02:33:33 pm
Just in the process of migrating from pfsense and this capability is absolutely necessary for me, and I can't get it to work (set up in exactly the same way my pf box was). Currently running 18.1.9. Is there any progress on this (preferably making it easier to set up somehow)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: conanTheRouter on June 18, 2018, 06:49:26 pm
It seems that I have got things working, tunneling the specific IP.

But I cannot get the other clients to reach Internet. When selecting "Manual outbound NAT rule generation", the list was empty. Shouldn't I have more rules than just the three?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: omf on June 19, 2018, 05:31:48 am
I just got this working using a fresh OPNsense install (18.1.6).  In the VPN client configuration, you definitely want to leave "Don't pull routes" unchecked and check "Don't add/remove routes".

I do have the DNS problem that some people mentioned, though.  Basically, from the machine I'm forcing to go through the VPN tunnel, I am able to ping addresses on the Internet, but DNS look-ups fail. 

Using Wireshark, I see the DNS requests go out from the client to OPNsense, but I never see a reply.

In the OPNsense log, I see the DNS request come in from the client, and then a DNS reply seems to come from the OpenVPN client IP assigned to the interface.

If I manually configure my client machine to use another DNS server (e.g. 8.8.8.8), then everything works.

I'm using the default DNS server - "Unbound DNS" - so the next thing I'll be trying is to use Dnsmasq instead.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on July 05, 2018, 01:28:53 am
Updated to 18.1.11 and am still having issues getting OpenVPN (PIA) working like I had it on pfSense.
I hope this How-To gets updated to include detailed instructions on how to route specific traffic over VPN on OPNsense 18.1.X.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Nismanoke on July 09, 2018, 05:43:00 am
Hi all,

I had the same problems with dns. (error_resolv_name)

I followed the manual from NilsS on page 2 on top. At first it wasn't working, after I placed the firewall rule autocreated by the port forward rule on nat section of firewall and restarted my openvpn clients everything started working.

I have noticed that after each change in the firewall, gateway and interface section the openvpn clients have to be restarted in order to get it working.


Hope some more people get it up and running now.


Update:
Now after half an hour I get connection time out. When I restart the openvpn client (s), everything starts working again for a few minutes and then I get the connection time out again. Bummer

Think I'm reverting to pfsense, got it working there before. Wanted to try out opnsense but can't find something to get it working. A lot of people are complaining over this that from some version on a bug or something causes problems.

Maybe opnsense developers can look into this and post a guide on how to do policy based routing with openvpn client gateway (group) or a workaround.
Would like

greetings,
Nismanoke
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ThePOO on July 10, 2018, 05:31:18 am
Perhaps look at https://forum.opnsense.org/index.php?topic=8998.0 as a possibility .... I don't know if the method there gets the job done, but it's maybe worth a look.

And, I agree ... there should be a reliable, official method documented for opnsense.   I, too, had a bullet-proof, leak-proof vpn set up in pfsense and have not been able to do that in opnsense.    I really like opnsense and the developers are spot-on with where the product is going.    Perhaps, at some point, they'll look into this and come up with a similar bullet-proof method ... x'ing fingers.

I've been watching this topic and the topic, in the link above, hoping someone definitively solves this.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on July 11, 2018, 03:27:17 am
Hey Guys,

M4DM4NZ here, wow this HOW-TO I started over a year ago has had some major viewing, so I figured I better keep you all up to date with my current configuration.

Sorry I haven't been on here posting much, life stuff gets in the way of geek stuff now and then...

Anyway, I recently had issues with my VPN dropping out a few months ago and figured I better update opnsense to a more current version as I've been using 17.something for a while now.

I can't say exactly what I did, but from memory I've backed up my current config from 17.x and restored it overtop of a clean install of 18.x

I do recall some funky things happening as it wasn't a smooth transfer and involved a lot of trial and error tests.

So... I'm gonna go over my current working config soon and post some settings here once I get home from work.

Thank you all for your effort in keeping this thread active, and big thanks to conanTheRouter and NilsS for maintaining my How-To and adding some cool functions.

Keep you all posted soon with config updates :)



Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Patpop on July 16, 2018, 08:35:14 am
Any progress on this? Would really like to switch from pfsense to opnsense but this is holding me back from switching. Thx
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jds on August 17, 2018, 08:07:22 pm
I don't have much experience with opnsense, but after some communications with tech support at PIA,
it was eventually possible to get this working.  I did not read all of the problems you were having above (sorry),
but can tell you that only some small subset of settings will work, and not all are documented.  In fact,
they even recommend something that definitely does not work.   My settings are:

System -> Trust -> Authorities:
---------------------------------------
I added an authority called PIA-4096, and pasted this size key from PIA and saved.


VPN -> clients:
-------------------
Server mode: Peer-to-peer (SSL/TLS)
protocol: UDP4
device mode: tun
interface: WAN
Remote server: <my favorite PIA server> 1197
infinitely resolve remote server is enabled
<add your credentials to PIA>
Peer Certificate Authority: PIA-4096
Client Certificate: None
Encryption algorithm: AES-256 CBC (256 bit key,128 bit block) <this must match the same certificate, and must be CBC>
Auth Digest Algorithm: SHA-256 (256 bit)
No Hardware Crypto Acceleration
Compression: enabled with adaptive compression
Disable IPv6 is checked
Advanced:
    persist-key;
    persist-tun;
    remote-cert-tls server;
    reneg-sec 0;
    auth-retry interact

I may have forgotten some details, but if you ask will look them up in my working setup.

Hope this helps.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: bevigilant on August 24, 2018, 12:05:45 pm
Removed my post as I have all this working now. I disabled DNS resolver on the OPNSENSE box and spun up a pihole VM. Set that as DNS in the DHCP options and all works fine now.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tomrwaller on August 28, 2018, 03:27:15 am
Urgh - just migrated from pfSense and having the exact same issue.

Anyone have any update? I'm also running AirVPN in the UK. With my alias firewall rule in place, my system loses internet connectivity. When I disable the rule (and the device goes out the normal WAN rule) everything works as normal.

VPN is connected - verified in the GUI and also through the AirVPN site.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tomrwaller on August 28, 2018, 11:58:27 am
OK - it seems to be working for me now.

I had to uncheck the following settings in the OpenVPN client settings:


With those two settings unchecked, policy based routing works.

I'm seeing some weird issues with DNSSEC as well. For some reason, with DNSSEC enabled, some sites never resolve. As soon as I disable DNSSEC, they resolve just fine.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on August 28, 2018, 09:18:50 pm
If somebody can lend me an account I can try to make an official guide, but I'm not willing to pay something for what I'm not using.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tomrwaller on September 02, 2018, 02:34:31 pm
Hi all.

Just to follow up on my previous post.

DNSSEC actually wasn't at fault. It seems that even with the VPN up and the Unbound outgoing interface set to that of the VPN WAN, DNS still resolves as if it were configured for the WAN - meaning there were DNS leaks all over the show.

I had to use a custom server option in Unbound to get this to work - far from ideal but I will wait for the fix to come in for the GUI. Just to re-iterate, this has all worked flawlessly in pfSense for years. It's a shame it is not quite the same in OPNSense.

Unbound custom server settings are (where x.x.x.x is the IP for the VPN DNS server you wish to use):

forward-zone:
    ## Fix for VPN DNS.
    name: "."
    forward-addr: x.x.x.x@53
    forward-addr: x.x.x.x@53
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Wombat on September 05, 2018, 03:22:23 am
First, I cannot find a "HOWTO - Routing Traffic over Private VPN"  in the docs.opnsense.org site.  Thought it might help me with my VPN for which I will raise a new topic.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: John Beer on October 02, 2018, 09:59:34 pm
I have been banging my head against a wall trying to get an AirVPN OpnSense gateway setup to work, with the help of this thread, and I think I might have stumbled across a bug/unexpected behavior that might explain some of the problems that people in this thread are having. The problem became apparent when trying to use policy-based routing to selectively send only some LAN traffic through the VPN tunnel.

In a nutshell, OpnSense seems to set the default gateway of the VPN interface (the one displayed under System/Gateways/Single, NOT the default gateway of the linux interface ovpnc1) to the subnet mask, leading to broken policy-based routing through that interface. I have reproduced the issue on a fresh 18.7.4 install inside a virtual machine, the steps I took are as follows:


After setting up outbound NAT for the VPN interface created in step 6, LAN packets that are sent through it via policy-based routing are routed to the 255.255.255.0 address, leading the system to silently drop them. If the gateway IP for the interface is manually set to the one pushed by the AirVPN server (as taken from the OpenVPN log file), everything works as expected and LAN traffic is successfully routed through the VPN.

The OpenVPN server attempts to push the following interface settings:
openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'.
I assume the ifconfig command breaks OpnSense's parsing, leading to the subnet mask being mistaken for the gateway IP. The system interface ovpnc1 on the other hand has both its IP and gateway set correctly, as one would expect from seeing openvpn[51343]: /sbin/ifconfig ovpnc1 10.5.10.5 10.5.10.1 mtu 1500 netmask 255.255.255.0 up in the OpenVPN log.

Changing the IPv4 Configuration Type for the VPN interface from None to DHCP results in a VPN_DHCP interface being created instead of  VPN_VPNV4 , also with Gateway and Monitor IP set to 255.255.255.0.

I have not reported this as a bug as I'm not fully sure that the issue isn't with my configuration. Feel free to move the post to a better location, this thread just seemed the most relevant place to post it.
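The post above hinges on how the pushed options are read: in "topology subnet" the second argument of `ifconfig` is a netmask and the gateway arrives separately as `route-gateway`, so a gateway object showing 255.255.255.0 has picked the wrong field. The following is an added example, not code from the thread or from OPNsense, that parses the PUSH_REPLY log line quoted above (the sample string is constructed from it) into the settings a gateway entry should carry and flags the netmask-as-gateway symptom. It assumes net30 when no topology is pushed, which is labelled in the code; in net30/p2p the second `ifconfig` argument is the peer address and is itself the gateway.

```python
import re

# Constructed from the PUSH_REPLY line quoted in the post above: the server
# pushes the tunnel IP and *netmask* via ifconfig, and the gateway separately
# via route-gateway.
SAMPLE_LOG_LINE = (
    "openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,"
    "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,"
    "route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,"
    "ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'."
)


def parse_push_reply(line):
    """Split the quoted PUSH_REPLY into {option: [[arg, ...], ...]}.
    Options may repeat (several dhcp-option or route entries), so each
    option maps to a list of argument lists. Returns None if the line
    carries no PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        parts = item.split()
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def tunnel_settings(opts):
    """Derive the interface settings the gateway object should carry.
    With 'topology subnet' the second ifconfig argument is a netmask and the
    gateway comes from route-gateway; with net30/p2p (assumed here when no
    topology is pushed) the second ifconfig argument is the peer address,
    which is the gateway."""
    local_ip, second = opts["ifconfig"][0]
    topology = opts.get("topology", [["net30"]])[0][0]  # assumption: net30 default
    if topology == "subnet":
        netmask = second
        gateway = opts["route-gateway"][0][0] if "route-gateway" in opts else None
    else:
        netmask, gateway = None, second
    dns = [args[1] for args in opts.get("dhcp-option", [])
           if len(args) == 2 and args[0] == "DNS"]
    redirect = opts.get("redirect-gateway")
    return {
        "local_ip": local_ip,
        "netmask": netmask,
        "gateway": gateway,
        "dns": dns,
        "redirect_flags": redirect[0] if redirect else None,
    }


def gateway_is_mask(configured_gateway, settings):
    """The symptom described above: the gateway shown under
    System > Gateways equals the pushed netmask instead of route-gateway."""
    return settings["netmask"] is not None and configured_gateway == settings["netmask"]


if __name__ == "__main__":
    s = tunnel_settings(parse_push_reply(SAMPLE_LOG_LINE))
    print("expected gateway:", s["gateway"], " netmask:", s["netmask"], " DNS:", s["dns"])
    print("255.255.255.0 is the mask, not a gateway:", gateway_is_mask("255.255.255.0", s))
```

Feeding the OpenVPN log through `parse_push_reply` and comparing `tunnel_settings(...)["gateway"]` with the gateway address OPNsense shows for the interface is a quick way to confirm whether the symptom is present before hand-setting the gateway as the post describes; the `dns` list is also the address to check against when chasing the DNS leaks discussed earlier in the thread.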
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: apiods on October 22, 2018, 03:05:58 pm
Hi, thanks to this thread, and information from other sources, I was able to get a VPN running as I wanted:

- Fresh install of 18.7.5_1
- LibreSSL firmware
- VPN provider: AirVPN
- Wanted to route selected hosts (on different VLANs) out via the VPN, with general traffic using the default WAN.
- DNS leak test reported ok

So far, so good  :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on December 13, 2018, 07:39:55 pm
Have these VPN routing issues been resolved? This thread has not had a lot of traffic in a couple of months. I have attempted many times to set up selective routing through PIA VPN on OPNsense without any luck.
Hoping someone will post an update tutorial on how to accomplish this.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on December 13, 2018, 08:06:39 pm
Screenshots of Gateways, Gateway group, Firewall Rule and outbound Nat
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: PaoPao on December 17, 2018, 01:40:49 pm
Here are the pictures of my configuration.
However I am not sure that it works as 100%.

I just noticed that the floating rule doesn't work (:

Are there any other errors in the configuration?
(Except copy errors in the filter descriptions)

Gateway (Single)
(https://up.picr.de/34601123vj.png)

Gateway (Group)
(https://up.picr.de/34601117eq.png)

Outbound
(https://up.picr.de/34601118my.png)

Floating rules
(https://up.picr.de/34601119rs.png)

LAN rules
(https://up.picr.de/34601120li.png)

I also use Pi-Hole (Raspi) with Outbound DNS over TLS.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on December 17, 2018, 06:57:07 pm
Here are the pictures of my configuration.
However I am not sure that it works as 100%.
What is in your "N_LOCALNETS" Alias? Mind sharing a screenshot?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: PaoPao on December 18, 2018, 02:30:23 pm
Hi,

here the screenshot:
(https://up.picr.de/34608823fe.png)

If you want the floating rule to work check this option:
Uncheck [ ] Skip rules when gateway is down
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: rdofl on December 31, 2018, 11:59:50 am
Edited - I've posted my question in a new thread (https://forum.opnsense.org/index.php?topic=10849.0).
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: HA4g3n on January 09, 2019, 08:49:08 pm
Hello,

I've been reading several posts about OPNsense and OpenVPN.
I'm getting local DHCP clients routed through the VPN and it's working.

But I need to port forward traffic over the external VPN to a machine inside the LAN that uses a static mapping, and I really can't make it work..

I'll post my config:

VPN:
Infinitely resolve remote server - Ticked
Don't pull routes - Unticked
Don't add/remove routes - Ticked
UDP enabled

System\Gateways\Single:
WAN_GWv4 (default)   WAN

Port Forward:
OpenVPN:
TCP/UDP
NAT reflection - Enabled
Filter rule association - Rule Nat

Firewall\Settings\Advanced:
Reflection for port forwards - Ticked
Reflection for 1:1 - Unticked
Automatic outbound NAT for Reflection - Ticked

Running OPNsense 18.7.10-amd64

OVPN over openVPN.
WAN 172.22.1.4 - Edgemax 172.22.1.4 - ISP
LAN 192.168.1.2
VPN    10.128.64.xx Public 185.x.x.x

Any tip is welcome
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: TaceN on January 18, 2019, 11:57:05 pm
Hey,

thanks for a great guide. Works perfect connecting through VPN.

I just have a question that I can't really figure out.
Is it possible to setup this functionality like this.

I'm using a Unifi USG router with two WAN ports.
I'd like to connect the computer running OPNsense to my CPE (port 1, separate IP) and use a USB network adapter which is connected to my USG WAN2.
I'll also connect my USG to the CPE (port 2, separate IP) on WAN1.

My noob knowledge of this .. will it work routing through my usg. Tell devices to route through the OPNsense machine through my network of the USG. It can listen and see both WAN-ports.. so, my logic tells me it works. But what should I do in opnsense?

Would be wonderful to get a hint of how.

Thanks
 
 / T
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: netizen on February 06, 2019, 04:25:44 pm
Hello all!

I have a slightly different requirement in mind. I am not into torrents however routing via VPN is probably what is needed to do the following:

- Assume a server I have root access to, sitting in a DC
- Assume a small subnet assigned to that server from the DC
- Assume a high-speed DSL connection at home
- What I want to do is use those IPs (say in web or email server) with the latter sitting at my home network. Not in the server at the DC.

Can this be done?
Excuse my ignorance. I am fairly knowledgeable in configuring devices like pfSense, but only for LAN devices that are directly connected to the LAN of the firewall. What about this remote setup?

Any help is much appreciated!
 
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: TaceN on February 11, 2019, 08:35:10 pm
Hey all,

I'm about to lose it soon throwing my firewall out the building.
I've done everything the guide says. The vpn connection works fine but I can not get any internet out or through the vpn.

Can someone please have a look at the screenshots and tell me if something is wrong?

Version: 19.1

Thanks