NAT or Firewal rules for 2xOpenVPN Client connections?

[Gargamel]

Hi.
I have setup 2 openvpn clients in my opnsense router.
Which is the best way to redirect certain IP's in my LAN side, to go to one openvpn connection, and everything else goes thru the other. And a certain IP or two directly to WAN(xbox, sonos webradio)?

I have tried to setup 2 NAT rules, but this seems to behave strange on my side, such as:
* All goes thru one openvpn.
* None get thru at all.
* Gets thru but webgui of opnsense is blocked.

Usually, it just "stops working" if i make a firewal rule, telling "this ip" should go thru "this openvpn" (when all goes thru the other) for the ip.

So how would i best go around seting this up, so i can easilly specify "all go here, but not x/y/z who goes to there, and H,G goes to WAN"?

[NilsS]

Hi,

I think you refer to https://forum.opnsense.org/index.php?topic=4979.msg26514#new

If you connect to a VPN Provider they push a default route to you, so the last VPN you connect to is your default route if you don't prevent that using

Code: [Select]

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
in the advanced section of your VPN client.

Just add this to the connection you don't want your regular traffic over, and use policy routing like you mentioned above.
Be sure to have the rule for the policy routing before your general allow rule

[Gargamel]

With the

Code: [Select]

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
is the 64.0.0.0 192.0.0.0 meaning to route that lan over "net_gateway", and in each client i have to change "net_gateway" to what the openvpn client is called?

[NilsS]

Its just the way to override the defaultgateway from the openvpn page
https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

[Gargamel]

Okey.
I'll check this when i get home for the weekend.
I know my VPN service uses 10.220.0.0.
So i assume i change one of those lines (or add?) route 10.220.0.0 10.0.0.0 net_gateway?

[robvh]

Look at https://forum.opnsense.org/index.php?topic=5921.0
When you add dnat commands to the advanced client properties of your openvpn clients, you can assign alternative route addresses, and two or more gateways that can work simultaneously.  Next you use rules to direct traffic to one of those gateways.

[Gargamel]

thanks i think i got it working.
However when i run "dig +short myip.opendns.com @resolver1.opendns.com"
I get a timeout on my workstation that is set to use the other openvpn connection without the public ip.
The server that runs over the public ip openvpn connection can dig and get the correct ip.

Hi,

I think you refer to https://forum.opnsense.org/index.php?topic=4979.msg26514#new

If you connect to a VPN Provider they push a default route to you, so the last VPN you connect to is your default route if you don't prevent that using

Code: [Select]

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
in the advanced section of your VPN client.

Just add this to the connection you don't want your regular traffic over, and use policy routing like you mentioned above.
Be sure to have the rule for the policy routing before your general allow rule