Messages - anaxagoras

#1
I have an OpenVPN server set up, and I have it set up so that all client traffic is routed through the VPN.

Long story short, I want almost all client traffic routed over the VPN with a few specific exceptions, such as do not route xxx.yyy.com over the VPN, and if that's not possible, I can specify IP addresses instead of hostnames, but it's just one more thing to keep track of if I move one of my cloud services to another cloud provider.

What's the best way to achieve this?
#2
So I already have a reverse proxy on my Docker stack; I'm running Traefik.

However, I want to put nginx as a reverse proxy in front of it. I basically want to reverse proxy my mail server and have it split off on OPNsense rather than rely on my Docker stack being up.

So my goal is as follows:
1.) Any traffic that is going to *.domain1.com: have nginx relay that traffic to my Docker host and let Traefik figure it out.
2.) Any traffic that is going to mail.domain2.com: have nginx relay that to my mail host, which is a separate server.

I have never used nginx, and using the OPNsense plugin has me a little confused since none of the write-ups I've found translate over 100%.
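The two goals above are the standard nginx name-based split: one server block per hostname pattern, each handing the connection to its own upstream. The following is an added example, not configuration from this thread or output of the OPNsense nginx plugin; the IP addresses, certificate paths and the `traefik_docker` / `mail_host` upstream names are placeholders chosen for illustration.

```nginx
# Added example (not from the forum thread): an nginx http block that splits
# HTTPS traffic by server name between a Docker host running Traefik and a
# separate mail host. IPs, names and certificate paths are placeholders.
http {
    # Preserve the real client address for the upstreams' logs and rate limits.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    upstream traefik_docker { server 192.0.2.10:443; }   # placeholder: Docker host
    upstream mail_host      { server 192.0.2.20:443; }   # placeholder: mail server

    # 1.) *.domain1.com -> Docker host; Traefik does the per-service routing.
    server {
        listen 443 ssl;
        server_name *.domain1.com;
        ssl_certificate     /path/to/wildcard-domain1.pem;   # placeholder
        ssl_certificate_key /path/to/wildcard-domain1.key;   # placeholder
        location / {
            proxy_pass https://traefik_docker;
            proxy_ssl_server_name on;   # pass SNI so Traefik selects the right router/cert
        }
    }

    # 2.) mail.domain2.com -> the separate mail server (its HTTPS/webmail side).
    server {
        listen 443 ssl;
        server_name mail.domain2.com;
        ssl_certificate     /path/to/mail-domain2.pem;       # placeholder
        ssl_certificate_key /path/to/mail-domain2.key;       # placeholder
        location / {
            proxy_pass https://mail_host;
            proxy_ssl_server_name on;
        }
    }

    # Catch-all: reject names nginx was not told about instead of serving a
    # default site or forwarding arbitrary Host values to an upstream.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # requires nginx 1.19.4 or newer
        return 444;
    }
}
```

The OPNsense nginx plugin builds this same upstream / server / location structure from its GUI forms, so the blocks above are the thing to map each form onto. Two caveats for the mail host: only its HTTP side (webmail, autodiscover) belongs in an `http {}` block; SMTP, IMAP and POP3 are not HTTP and would need the `stream` module (with `ssl_preread` if you want to split TLS connections by SNI). And the explicit catch-all server matters on a firewall: without it, nginx answers unknown names with whichever server block comes first.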
#3
Quote from: pmhausen on November 09, 2022, 04:41:35 PM
Service > Unbound DNS > General > Advanced > Outgoing Network Interfaces

Thank you this worked.

You also put me on the path to find another workaround, per this pfSense article:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html

I create a LAN gateway and a static route to pass any traffic to the VPN remote side over the LAN gateway, which is also working.
#4
Ahhh, OK, so I was confused about what you said because I was like, I can't even run a ping from my OPNsense box, but I just did ping -S 192.168.102.1 192.168.3.35, and lo and behold it worked, and now I think I follow.

I guess what I don't understand is why this doesn't work. Is this an IPsec issue or an OPNsense issue? I thought it worked when I was running pfSense, but I could be wrong.

I just went through the config options in OPNsense and no, nothing useful there to bind the source address. Unsure if there are any options in Unbound itself that I could manually edit in a config.

I took a stab at a few variations of outbound NAT rules; so far no luck with anything.
#5
Any device on my network can pass traffic across my IPsec tunnels just fine, but for some reason my OPNsense box can't pass any traffic across the tunnel itself. I only discovered this trying to figure out why my OPNsense Unbound can't forward DNS queries across the VPN.

I'm on OPNsense 22.7.7_1-amd64, and it's a relatively fresh install; I just set up the box and built my old tunnels, and put in a few port forwarding rules so far.

EDIT: forgot to add, these are policy-based tunnels connecting to pfSense on the remote side. This worked fine when my local firewall was pfSense.