NAT or Firewall rules for 2x OpenVPN client connections?

Started by Gargamel, November 02, 2017, 09:35:30 AM

Hi.
I have set up 2 OpenVPN clients in my OPNsense router.
Which is the best way to redirect certain IPs on my LAN side to go to one OpenVPN connection, while everything else goes through the other, and a certain IP or two directly to WAN (Xbox, Sonos web radio)?

I have tried to set up 2 NAT rules, but this seems to behave strangely on my side, such as:
* All goes through one OpenVPN.
* None gets through at all.
* Gets through, but the web GUI of OPNsense is blocked.

Usually, it just "stops working" if I make a firewall rule telling "this IP" should go through "this OpenVPN" (when all goes through the other) for the IP.

So how would I best go about setting this up, so I can easily specify "all go here, but not x/y/z who go there, and H, G go to WAN"?

Hi,

I think you refer to https://forum.opnsense.org/index.php?topic=4979.msg26514#new

If you connect to a VPN Provider they push a default route to you, so the last VPN you connect to is your default route if you don't prevent that using

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

in the advanced section of your VPN client.

Just add this to the connection you don't want your regular traffic over, and use policy routing like you mentioned above.
Be sure to have the rule for the policy routing before your general allow rule.

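As an added illustration (not code from the thread or from OPNsense) of why the four `route ... 192.0.0.0 net_gateway` lines above work: 192.0.0.0 is the netmask, so each line is a /2, and a provider's pushed `redirect-gateway def1` installs two /1 routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel rather than replacing the WAN default route. Longest-prefix match then prefers the four /2 routes via `net_gateway`, so the WAN stays the default while routes the provider pushes for its own networks still win because they are more specific. The script below parses OpenVPN `route` directives and simulates the lookup. `net_gateway` and `vpn_gateway` are real OpenVPN keywords; the 10.220.0.0/16 provider network is constructed from the 10.220.0.0 mentioned later in the thread with an assumed /16 mask.

```python
import ipaddress

# Added example, not from the forum thread or OPNsense. Simulates what the
# four "route ... 192.0.0.0 net_gateway" lines do to the routing table.
# Real OpenVPN keywords: net_gateway is the default gateway that existed
# before the tunnel came up, vpn_gateway is the far end of the tunnel.
NET_GATEWAY = "net_gateway"
VPN_GATEWAY = "vpn_gateway"

# The four lines from the post. 192.0.0.0 is the netmask, so each is a /2.
NET_GATEWAY_OVERRIDE = [
    "route 0.0.0.0 192.0.0.0 net_gateway",
    "route 64.0.0.0 192.0.0.0 net_gateway",
    "route 128.0.0.0 192.0.0.0 net_gateway",
    "route 192.0.0.0 192.0.0.0 net_gateway",
]


def parse_route(line):
    """Turn 'route <network> <netmask> [gateway]' into (cidr, gateway).

    A missing gateway means the tunnel itself, which matches OpenVPN's default.
    """
    parts = line.split()
    if len(parts) < 3 or parts[0] != "route":
        raise ValueError(f"not a route directive: {line!r}")
    network, netmask = parts[1], parts[2]
    gateway = parts[3] if len(parts) > 3 else VPN_GATEWAY
    # ipaddress accepts dotted netmasks and normalises them to a prefix length
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return str(net), gateway


def best_route(table, dst):
    """Longest-prefix match over a list of (cidr, gateway), as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gateway in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else best[1]


def table_after_connect(use_override, provider_net=None):
    """Constructed routing table after a provider pushes 'redirect-gateway def1'."""
    # The WAN default route that existed before the tunnel came up.
    table = [("0.0.0.0/0", NET_GATEWAY)]
    # 'def1' does not replace 0/0; it adds two /1 routes that out-rank it.
    table += [("0.0.0.0/1", VPN_GATEWAY), ("128.0.0.0/1", VPN_GATEWAY)]
    if provider_net:
        # e.g. the provider's own network, pushed by the server (assumed /16)
        table.append((provider_net, VPN_GATEWAY))
    if use_override:
        # The /2 routes from the Advanced box beat the pushed /1 routes.
        table += [parse_route(line) for line in NET_GATEWAY_OVERRIDE]
    return table


if __name__ == "__main__":
    for override in (False, True):
        table = table_after_connect(override, provider_net="10.220.0.0/16")
        print(f"override={override}: 8.8.8.8 -> {best_route(table, '8.8.8.8')}, "
              f"10.220.4.7 -> {best_route(table, '10.220.4.7')}")
```

The same effect can be had with `pull-filter ignore "redirect-gateway"` (OpenVPN 2.4 and later) on the client that must not become the default, or with `route-nopull` if nothing pushed by that server is wanted at all. After connecting, check the result with `netstat -rn` on the firewall: the 0.0.0.0/1 and 128.0.0.0/1 entries via the tunnel should be present but out-ranked, and the default should still point at the WAN. Selecting the tunnel for particular hosts is then a LAN firewall rule with its Gateway set to that tunnel's gateway, placed above the general allow rule as the reply says.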

With the
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


does the "64.0.0.0 192.0.0.0" mean to route that LAN over "net_gateway", and in each client do I have to change "net_gateway" to what the OpenVPN client is called?


Okay.
I'll check this when I get home for the weekend.
I know my VPN service uses 10.220.0.0.
So I assume I change one of those lines (or add?) to "route 10.220.0.0 10.0.0.0 net_gateway"?

Look at https://forum.opnsense.org/index.php?topic=5921.0
When you add dnat commands to the advanced client properties of your OpenVPN clients, you can assign alternative route addresses, and two or more gateways that can work simultaneously. Next you use rules to direct traffic to one of those gateways.

Thanks, I think I got it working.
However, when I run "dig +short myip.opendns.com @resolver1.opendns.com"
I get a timeout on my workstation that is set to use the other OpenVPN connection without the public IP.
The server that runs over the public-IP OpenVPN connection can dig and get the correct IP.


Quote from: NilsS on November 02, 2017, 10:31:35 AM