[Solved] Opnsense 20.7.3 and PIA VPN

[s4rs]

I am trying to get Opnsense to route certain IPs on my network to PIA VPN. I have the OpenVPN client setup and connected and assigned as a gateway. I can't get traffic from my LAN to PIA Gateway. I looked a many guides and nothing. To verify I check one of the Whats my IP websites on the client I am trying to route and it shows my ISPs assigned address instead of the PIA address. Any suggestions to what to look for and what I might be missing.

Pictures below:

Gateway info and state



Alias for the a system I want to route. Once this starts working I will add more IPs



Firewall -> NAT -> Outbound



Firewall -> Rules -> Lan



VPN -> OpenVPN -> Clients -> Don't pull routes




Followup 01-01-21

I see a few come across this post and have questions. First if things don't work post your config so people can help.

Since I posted this I noticed things I missed mentioning in the original post which I think will help.

First: Gateway Priority. Check it, and make sure your ISPs priority is higher than your VPNs priority. Higher means lower value. I now set my ISP Gateway priority to 250, and add 2 to any VPN added. Adjust as necessary.



Just an observation. when you setup PIA Wireguard (use Johnny's excellent script https://github.com/FingerlessGlov3s/OPNsensePIAWireguard) a Nat Outbound Automatic rule is created. No need to do anything. However if you do use OpenVPN then create a Hybrid as described in all the HowTo's. I have both setup to test, and don't see any difference between the two. I do have to say Wireguard VPN performance on a standalone Linux system is better than Opnsense Wireguard. Probably the difference between Userspace and Kernel implementations.



Speaking of Wireguard, make sure when the interface is added you set the MSS (Maximum Segment Size) to 1380.Not sure why this isn't negotiated at connect time, but its not and your performance will suffer. Johnny does mention this, but I wanted to reinforce the point.



Finally I want to mention the Kill Switch. Somehow I kept missing adding to the tag to the Lan rule and matching the tag to the Wan Floating rule. You will probably have to hit the Advanced Show/Hide to see the field. Again I just wanted to reinforce this.

Create Local Tag in Lan rule for your Aliases



Finally the Wan Floating Match Local Tag set to block VPN destined traffic if the VPN goes down.

Match Local Tag. Remember to click on Advanced Show/Hide



The Block Rule

[l0stnyc]

Under Manual Outbound Nat Rules, the source should be the subnet, in this case 10.10.3.0/24.

Interface PIA_OVPN
Source 10.10.3.0/24

Then in your firewall rules, use PIA as the gateway under the LAN rule allowing traffic out.  In other words PIA_VPN_Traffic as the source, destination any, and set the gateway to use PIA.  This rule should be above the default allow all.

[s4rs]

10.10.3.0/24 is my incoming OpenVPN (Opnsense OpenVPN server network) not the PIA Outgoing (Client) network. I have OpenVPN server setup so I can come into my network.

[l0stnyc]

Okay, it should be your LAN subnet, whatever it is.

[s4rs]

The source is the alias I created for the single address 192.168.1.235

[l0stnyc]

I'm not sure then.  I run the same set up except a few differences not worth mentioning.

[s4rs]

Looks like when I set up any Outbound NAT rule to PIA_VPN it fails. Any help with this setup?

[s4rs]

bump

[paul_a2]

So if I understood correctly PIA_VPN_Traffic is the IP_addresses that should go to VPN, the rest should go over WAN. On high level it should be like this:

WAN outbound:
Interface: PIA_OPVN_VPNV4, Source PIA_VPN_Traffic - allow everything from IPs to go over VPN
Interface: WAN, Source: Any (or LAN) - Allow everything else to go to WAN

LAN rules:
Protocol IPv4 (both tcp/udp), Source: PIA_VPN_Traffic, Gateway: PIA_OPNVPN_VPNV4
Protocol IPv4 (both tcp/udp), Source: LAN, Gateway: WAN_DHCP

First rule routes PIA_VPN_Traffic ips traffic over PIA VPN GW. Second rule routes the rest from LAN to WAN_DCHP GW. Note that here the rule order matter; it takes first rule first and matches, then next etc.

[s4rs]

Paul,
        Thanks for the update. But isn't what you described how I have things setup? Can you see the screen shots I posted?

[paul_a2]

Not sure what the the one rule to port 500 does, but yes looks correct (I have set it other way around; specific IPs go to WAN, others to VPN). I would maybe specific LAN to go to WAN_DHCP, not to * - but I just like to keep things tidy.

Try checking "Skip rules when gateway is down" under Firewall->Settings->Advanced and "Gateway monitoring". If you read it it behaves like anti-kill switch and I noticed many times devices estabilished routes over WAN gw before VPN GW came up -> stayed on that until I did a manual firewall reset.

After that try putting your laptop into PIA_VPN_Traffic list; do you get IP from DHCP, and if you do can you do a dns lookup? If you can then doesn't ipleak.net show correct aka PIA IP?

[littlepepper]

Port 500 is usually for IPSEC.. if you are using OpenVPN you shouldn't need it.

Not sure what the the one rule to port 500 does, but yes looks correct (I have set it other way around; specific IPs go to WAN, others to VPN). I would maybe specific LAN to go to WAN_DHCP, not to * - but I just like to keep things tidy.

[l0stnyc]

In addition to what has already been stated, is the Deny PIA_Traffic to WAN really necessary?  Don't see that you have any logging enabled and that would be the same as default deny all traffic, no?  If you change the source to LAN Net instead of your alias does it work?

[s4rs]

In addition to what has already been stated, is the Deny PIA_Traffic to WAN really necessary?  Don't see that you have any logging enabled and that would be the same as default deny all traffic, no?  If you change the source to LAN Net instead of your alias does it work?

Thanks for the comments. The Deny PIA_Traffic to WAN is supposed to block PIA_Traffic from going out the WAN if the PIA VPN goes down.

I have logging turned on for the PIA rules but never see anything. I tried any for PIA and it doesn't work. Still going over the WAN. Its as if the PIA Manual rules are not being implemented. Any other suggestions?

[Gauss23]

This is a manual which I used to do what you want to achieve:
https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/

It's for pfSense but it's really easy to adopt it.