Multiple VPN client tunnels & bypass rules

[PersonMan]

Hello all,

After having used an Asus router for the last few years, I've recently moved over to OPNsense.
At this point, I have a basic, working installation and i currently have 2 OpenVPN client tunnels (let's call them VPN1 and VPN2) configured and connected successfully.

I'm currently routing all WAN conectivity for my network traffic through VPN1 via an outbound NAT rule (i assume this is the best way to acheive this?).

The idea is to have a catchall rule that ensures no network device accesses the internet "naked" (unless i set exception rules). The catchall rule (which is currently working) directs all Internet traffic through VPN1.

What i would like to do is to have some exception rules, to direct specific devices on my network to access the internet directly through the WAN or through VPN2 (depending on what rules are in place), rather than VPN1.

When i enable a second outbound NAT rule (which i've placed above the VPN1 rule) one of 2 things seems to happen;
   1) The test device i've specified in the bypass rule continues to go through VPN1, ignoring the rule entirely.
   2) I lose internet connectivity to the whole network, even though all interfaces (WAN and VPN) appear to still be running and connected.

I've also tried testing with floating rules; If i create one and set the gateway as WAN, then i can get that specified device to bypass the VPN and connect to the internet directly via the WAN interface. If i then change gateway on the same rule to the VPN, then that device loses Internet connectivity entirely.
 
This was fairly straight forward when i was using the Asus router. I'm sure it should be straight forward here as well but being a newbie to OPNsense i still have a bit to learn but at this point, i feel like i'm just kind of fumbling around blindly.

Most info online seems to be around setting up VPN server tunnels but I haven't really been able to find any info online discussing running multiple VPN client tunnels and directing different network devices to go through specific tunnels. I'm hoping that someone can offer some guidance or can point me to an article which explains how to configure this scenario.

Any help would be appreciated!

[Gizmo]

I'm having the same issue, both in terms of setup and lack of information on the topic of multi open VPN client tunnels.

The only glimmer of hope I found was potentially setting up another WAN then link second openVPN gateway and interface to that second WAN.

Yet to work it out.

I ended up with one tunnel working on LAN and OPT1, but the second tunnel wouldn't work on OPT2 and had a socket bind error, which prevented the tunnel connection.

[Patrick M. Hausen]

To route traffic a particular way depending on source instead of destination - so called policy routing - you would normally place an allow rule on LAN (or other internal interface) and explicitly set the gateway.

[Gizmo]

To route traffic a particular way depending on source instead of destination - so called policy routing - you would normally place an allow rule on LAN (or other internal interface) and explicitly set the gateway.

So I the issue I encountered using NordVPN, is openVPN gets confused as the certificate is the same for different servers.

So should there be one WAN or LAN per tunnel? or one gateway and one interface per tunnel?

Do you have any examples?

[Patrick M. Hausen]

I do not use VPN services, so no examples, sorry. For me VPN is a technology to access MY office or home networks while on the road or to connect offices.

You will probably need a separate VPN interface and gateway for each VPN. Then on a single LAN network you can use e.g.

Action: allow
Source: whatever matches the clients in question
Destination: any or whatever fits
Gateway: OpenVPN gateway #1

Action: allow
Source: whatever matches the clients in question but different from above
Destination: any or whatever fits
Gateway: OpenVPN gateway #2

etc.

Also outbound NAT for each VPN interface, so probably manual or hybrid NAT configuration.

[PersonMan]

Hey guys. I did end up finally getting this working. I think it was a combination of a couple of things.

Firstly, I had Firewall > NAT > Outbound set to "Hybrid outbound NAT rule generation". Which worked fine with one tunnel running but I think that the rules it was auto creating were conflicting when it came to splitting different parts of my network over different client tunnels.
So i changed this setting to "Manual outbound NAT rule generation"

When i had set the mode to "Manual outbound NAT rule generation", i would lose connectivity entirely. The reason this was happening is because when you change it to  manual mode, you need to create two sets of rules (an Outbound NAT rule as well as a matching Firewall LAN rule):

1. Outbound NAT catchall rule; This rule is set to cover my entire network and should be at the bottom of the rule list.
For example;

Interface: Choose the VPN interface you're using for your catchall
Source network: 172.21.0.0/16
Destination: ANY
Translation Target: The VPN interface you want to you as your catchall (this tunnel should already be configured and running).

Since i'm using Manual rule generation for my outbound NAT, i  will need a matching manually created LAN rule. And since this is my matching catchall rule, it should also be at the bottom of the rule list. 

So:  Firewall > Rules > LAN > + new rule
Interface: LAN
Source: LAN net
Gateway:  Choose the VPN interface you're using for your catchall.

At this point all your traffic should be going through your chosen catchall tunnel.

______________________________________
To add exceptions make sure you have a second VPN client tunnel already configured and running then:

Firewall > NAT > Outbound > + New rule

Interface: Choose the second / third / whatever VPN interface
Source network: The alias or IP of the device you want to re-direct. eg: 172.21.1.1/32 (ensure it's /32 if it's a single device you're splitting off)
Destination: ANY
Translation Target: Same as Interface

Then create a matching firewall rule.
Firewall > NAT > Outbound > + New rule

Interface: LAN
Source: Same as source in the outbound NAT rule (alias or specific IP of device you're diverting)
Gateway:  Choose the second / third / whatever VPN interface. Should be the same tunnel as what you selected in the interface field on your matching Outbound NAT rule.
 
That's it!



Make sure that any exception rules (in Outbound NAT as well as the matching LAN firewall rules) are placed above the catchall rules.
To avoid confusion about which Outbound NAT rule matches which LAN rule, having a good description that makes sense to you is important.

As an example, i do something like this:

Outbound NAT: "10-LAN VPN Catchall (Has matching manually created firewall/LAN rule)"
LAN: "10-LAN VPN Catchall - (Has matching Outbound NAT rule)"

The next rule above, would start with 20- then 30- etc

This way, as the number of rules increases, i can see pretty quickly get a sense of my rule ordering and the numbering will match both rule pairs.



Hopefully that all makes sense and i didn't make things even more confusing and that it guides someone else trying to do the same thing.