Topic: OpenVPN Client PBR (Read 3123 times)
rfeng33
Newbie
Posts: 12
Karma: 0
OpenVPN Client PBR
«
on:
December 19, 2020, 09:05:47 pm »
I'm trying to set up my OPNsense box as a VPN client to a commercial VPN provider. I have installed the config file from the provider and have the VPN connection up. I have added manual outbound NAT rules specifying the specific ports I want to go through the VPN tunnel. When I initiate a connection utilizing those destination ports I've specified to go through the tunnel (using an alias), the connection works but it doesn't go through the VPN tunnel.
Any suggestions? I'm sure it's something silly I'm missing.
marcquark
Full Member
Posts: 103
Karma: 5
Re: OpenVPN Client PBR
«
Reply #1 on:
December 19, 2020, 09:58:27 pm »
Besides the outbound NAT rules, have you put firewall rules in place that match that specific traffic and use the VPN as gateway rather than the default gateway? It's under advanced options in the firewall rule.
rfeng33
Newbie
Posts: 12
Karma: 0
Re: OpenVPN Client PBR
«
Reply #2 on:
December 19, 2020, 11:00:30 pm »
Yes, I did.
Here are my firewall rules: https://imgur.com/a/f6FMl7g . I want to have my IOT VLAN be the only one using it, for devices off that LAN VLAN on those ports.
Here are my NAT rules: https://imgur.com/a/HVKfsQs
rfeng33
Newbie
Posts: 12
Karma: 0
Re: OpenVPN Client PBR
«
Reply #3 on:
December 20, 2020, 03:02:44 pm »
I played around with this a bit this morning. I had the VPN client set not to pull routes. Once I do that, I can get traffic through the VPN tunnel, but it appears that it sends ALL traffic through, even though I have just the outbound NAT set the way I explained and I only have my IOT VLAN set to send traffic out the gateway.
marcquark
Full Member
Posts: 103
Karma: 5
Re: OpenVPN Client PBR
«
Reply #4 on:
December 20, 2020, 05:00:19 pm »
Hmm, that looks alright.
Just for clarity, do you have an assigned interface for your OpenVPN client, or is your NAT rule scoped to the OpenVPN group? I actually don't know whether NAT rules work for interface groups, so you might want to try assigning the interface, adjust your NAT rule, then try again.
Can you add logging to the firewall and NAT rules to see whether they match?
rfeng33
Newbie
Posts: 12
Karma: 0
Re: OpenVPN Client PBR
«
Reply #5 on:
December 20, 2020, 07:22:14 pm »
I do have the OpenVPN instance assigned to an interface. I'm not sure what you are saying about the NAT and interface groups?
rfeng33
Newbie
Posts: 12
Karma: 0
Re: OpenVPN Client PBR
«
Reply #6 on:
December 20, 2020, 10:22:36 pm »
I did a search and filtered on the destination ports I'm trying to move through the VPN. I get connectivity, but I never see the rules show up in the firewall log when I filter based on them. I've confirmed the port is correct from my server and a connection is established (this is from a netstat on the server):
tcp 0 0 192.168.32.2:59276 x.x.x.x:25461 ESTABLISHED.
The application works, but I never see the traffic flow through the VPN tunnel. Here are my rules currently in pfTop that relate to this; I don't know if that helps:
pfTop: Up Rule 1-122/122, View: rules
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
109 Pass In Log Q ix1_vl tcp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 826 flags S/SA
110 Pass In Log Q ix1_vl udp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 826
111 Pass In Log Q ix1_vl tcp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 25461 flags S/SA
112 Pass In Log Q ix1_vl udp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 25461
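As an added illustration (not code from the thread or from OPNsense), a small Python parser for the pfTop "rules" view quoted above: it pulls the per-rule packet counters out of those lines and flags route-to rules that have never matched, which is the check the earlier logging suggestion is aiming at. The sample lines are the four quoted in Reply #6; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the pfTop "rules" view lines quoted in Reply #6 (columns as printed there).
PFTOP_SAMPLE = """\
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
109 Pass In Log Q ix1_vl tcp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 826 flags S/SA
110 Pass In Log Q ix1_vl udp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 826
111 Pass In Log Q ix1_vl tcp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 25461 flags S/SA
112 Pass In Log Q ix1_vl udp K 0 0 * route-to ... inet from (ix1_vlan32) to any port = 25461
"""

PROTOS = {"tcp", "udp", "icmp", "ipv6-icmp"}


def parse_pftop_rules(text: str) -> List[Dict]:
    """Parse pfTop 'rules' view lines into dicts; the header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header line or noise
        # INFO starts at "route-to" (a policy-routed rule) or at the address family.
        info_at = next(i for i, t in enumerate(tok) if t in ("route-to", "inet", "inet6"))
        head, info = tok[3:info_at], " ".join(tok[info_at:])
        counters = [int(t) for t in head if t.isdigit()]  # PKTS, BYTES (STATES when shown)
        proto = next((t for t in head if t in PROTOS), None)
        m = re.search(r"port = (\d+)", info)
        rules.append({
            "rule": int(tok[0]), "action": tok[1], "dir": tok[2],
            "proto": proto, "pkts": counters[0], "bytes": counters[1],
            "routed": info.startswith("route-to"),
            "dport": int(m.group(1)) if m else None,
        })
    return rules


def idle_policy_rules(text: str) -> List[int]:
    """Rule numbers of route-to rules that have never matched a packet. Traffic that
    'works' while these stay at zero is matching some other rule and is therefore
    not being policy-routed into the tunnel."""
    return [r["rule"] for r in parse_pftop_rules(text) if r["routed"] and r["pkts"] == 0]


def ports_not_entering_tunnel(text: str, ports: List[int]) -> List[int]:
    """Destination ports in `ports` for which no route-to rule has seen any traffic."""
    hit = {r["dport"] for r in parse_pftop_rules(text) if r["routed"] and r["pkts"] > 0}
    return [p for p in ports if p not in hit]


if __name__ == "__main__":
    print("route-to rules with zero hits:", idle_policy_rules(PFTOP_SAMPLE))
    print("ports never policy-routed:", ports_not_entering_tunnel(PFTOP_SAMPLE, [826, 25461]))
```

Feed it the output of pfTop's rules view (or the equivalent pfctl rule statistics) after generating traffic on the ports in question; a counter that stays at zero tells you the route-to rule is not the one the traffic is hitting.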
rfeng33
Newbie
Posts: 12
Karma: 0
Re: OpenVPN Client PBR
«
Reply #7 on:
December 21, 2020, 01:40:55 am »
I also tried applying a mark to the traffic and that didn’t do anything either.