OPNsense Forum » Archive » 19.7 Legacy Series » VPN without pull routes enabled
Topic: VPN without pull routes enabled (Read 2881 times)

agrumpyhermit (Newbie, Posts: 18, Karma: 2)
VPN without pull routes enabled
Posted on: January 08, 2020, 12:07:13 am
I am trying to use PIA VPN service with "Don't pull routes" checked. With that unchecked it works as expected. My goal is to be able to use firewall aliases/rules to direct what traffic uses the VPN and what doesn't, rather than having all traffic sucked into the VPN. I'm using 19.7.8. I didn't find my answer from reading the many threads on here and PF. I've read the HOW TO thread 4979 at least 4 times.
I created a new VPN client and it connects fine. I then set up an interface for it to name it and left the interface enabled. No other interface settings touched. I also created an alias for PCs to use the VPN and verified the alias in pfTables. I haven't touched the DNS settings, which are pointed to PIA's servers already.
NAT - I have 4 new rules with the new interface. 2 have Source = 127.0.0.0/8 and one of those has destination port = 500 with static port checked. The other 2 new NAT rules have Source = VPN alias list and one is port = 500/static. All 4 are at the top of the list.
On the 2nd two rules, I have experimented with changing the source to LAN net and my LAN interface group. I did that because the working VPN's NAT source = (LAN interface group name) net. Neither has worked.
System>Gateways>Single shows the interface as online. I have no Gateway groups yet, though if I can get this working I plan to with multiple VPN client gateways for load balancing & failover.
Firewall>Rules>LAN - At the top of the list I put a pass/in/IPv4 rule with the new VPN client gateway set. I've tried setting source as the VPN alias list, LAN net, Group-name net. I have tried this rule with source variations on the interface group rules too, where I would prefer it be.
I have 3 Floating rules. The top one is pass any direction, IPv4* to destination LAN-group net, with "*" for the source, ports, and gateway. The 2nd is pass any direction IPv4 TCP/UDP to all "*". The 3rd is the same as the 2nd, except ICMP instead of TCP/UDP. I don't recall if or why I set these rules, probably a few years ago. I disabled the top rule with no noticeable impact. If I disable the bottom, ICMP rule, my connection cuts in and out every other second. If I disable the middle, TCP/UDP rule, I lose my connection and the OPNsense GUI. I have to SSH in and reload all services to get the GUI back. Sometimes I briefly get the VPN connection after reload, but not consistently. I lose the GUI again within a minute or two.
I tried adding a floating rule for the VPN on top of the TCP/UDP rule and got almost the same as disabling the TCP/UDP rule. The difference was that I couldn't get the GUI back by reloading services. I SSHed in and restored a config from 20 minutes prior. That's when I came to ask for help.
Is there a better way to achieve my goal of controlling VPN traffic and disabling pull routes? I don't care if I can't make it work the way I've been trying so long as I can get it to work. Or can someone please identify where I went wrong and teach me how to fix it?
agrumpyhermit (Newbie, Posts: 18, Karma: 2)
Re: VPN without pull routes enabled
Reply #1 on: January 21, 2020, 02:07:34 am
I decided to start over with a fresh install. I still can't get it to work.
With my network and basic firewall rules set up (GeoIP and some blacklists on WAN), I created aliases for which networks need the VPN and which don't. I also created an alias for sites I'd prefer to not go through the VPN. I have no floating rules except the automatic ones.
I set up one standard OpenVPN client to PIA and left "Don't pull routes" unchecked. I put PIA's DNS servers in system>settings>general, and set up the NAT/outbound rule for it. It worked as soon as I turned it on. No other firewall rules at all. But, that pulls all traffic on my network through PIA.
I cloned the original OpenVPN client, changing only the name and pull routes box, and created/enabled a new interface named 2PIA assigned to the cloned client. I cloned the NAT/outbound rule, changing only the interface to the new interface. I can leave the client on and it stays connected with no traffic going through it, as it should be at this point. I can see that the new interface is getting an IP in system>gateways>single.
I used a group interface to include every other local interface that is supposed to go through PIA. On it, I created two firewall rules. On top: pass ipv4*, source=pia networks alias, destination=VPN bypass websites, gateway=WAN. 2nd rule is: pass, ipv4*, source=pia network alias, destination any, gateway=2PIA interface.
When I enable the firewall rules everything covered by the alias stops going anywhere. They won't even route to internal servers. Browsers say "looking up... xyz.com" until they time out. The VPN bypass sites don't work either. I tried using IP addresses instead of names thinking it might be DNS but still nothing. Other devices on the same interfaces, but not included in the alias, are unaffected. So my alias list seems to be working. I had double checked it in pfTables.
I did try changing the source on those two rules to their "interface net" also and still got the same result, except everything attached to the interface was impacted (as expected).
If any of you can help me leave my VPN on to selected traffic only I would greatly appreciate it.
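As an added illustration (not from the thread and not OPNsense's own generated ruleset), here is a minimal pf ruleset in the shape OPNsense produces for the setup described in both posts: outbound NAT on the tunnel interface, a bypass rule with the WAN gateway and a catch-all rule with the VPN gateway, preceded by a rule for local destinations that keeps the system routing table, because a "to any" gateway rule otherwise also captures traffic to internal servers and to the firewall's own DNS resolver. Interface names, gateway addresses and alias contents are assumptions.

```pf
# Constructed example: policy routing of alias hosts into an OpenVPN client
# interface. All names and addresses below are placeholders.
vpn_if = "ovpnc2"        # interface assigned as "2PIA" (client started with route-nopull)
vpn_gw = "10.8.0.1"      # tunnel-side gateway learned when the client connects
wan_if = "em0"
wan_gw = "203.0.113.1"
lan_if = "em1"

table <pia_networks> { 192.168.10.0/24 }             # alias: hosts that must use the VPN
table <vpn_bypass>   { 198.51.100.0/24 }             # alias: sites that must not use the VPN
table <local_nets>   { 192.168.0.0/16, 10.0.0.0/8 }  # every locally routed network, incl. the firewall

# Outbound NAT on the tunnel: the clone of the working PIA NAT rule.
nat on $vpn_if inet from <pia_networks> to any -> ($vpn_if)

# 1. Local destinations (internal servers, the firewall's DNS resolver) keep the
#    normal routing table. Without this rule the "to any" rule in step 3 also
#    sends LAN-to-LAN packets into the tunnel, where they are dropped.
pass in quick on $lan_if inet from <pia_networks> to <local_nets> keep state

# 2. Bypass sites leave through the WAN gateway.
pass in quick on $lan_if inet from <pia_networks> to <vpn_bypass> \
    route-to ($wan_if $wan_gw) keep state

# 3. Everything else from the alias goes through the tunnel.
pass in quick on $lan_if inet from <pia_networks> to any \
    route-to ($vpn_if $vpn_gw) keep state
```

In the OPNsense GUI the equivalent of rule 1 is a pass rule from the alias to the local networks with the gateway left at "default", placed above the two gateway rules on the same interface or group.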