Topic: Routing specific networks over multiple independent VPNs (Read 2895 times)
seb101
Newbie
Posts: 4
Karma: 0
Routing specific networks over multiple independent VPNs
« on: August 15, 2021, 01:04:10 pm »
Hi all,
I'm once again considering migrating my x86 hardware router over to OPNsense from OpenWRT. Can someone help me understand if the following feature is possible to implement in OPNsense?
What I have is several networks, and I have each network routed over several different connections to the internet via multiple VPN tunnels. I.e. Network A default route is over WAN (standard), Network B default route is VPN 1, Network C default route is VPN 2. In effect this is the same as having multiple 'WAN' connections, but rather than using them for fail-over, using them for specific internal networks.
A couple of other requirements:
- Some networks will still use the 'raw' non-VPN WAN
- Traffic must be two-way routable (i.e. inbound connections to the remote endpoint IP of a VPN tunnel must route to the matching network internally).
- Implementation must be strict - ALL non-local traffic goes over the requisite VPN connection. If the specific VPN for that network is down, it simply fails.
I've seen this post here:
https://forum.opnsense.org/index.php?topic=4979.0
however this is different as it deals with just routing specific IPs over a VPN. I want to have whole networks routed over a specific VPN.
To achieve this in OpenWRT you have to create a secondary routing table and allocate the appropriate network to that routing table, i.e.:
1. Create secondary routing table VPN_A
2. Set the default route for VPN_A to the gateway IP and interface id of the VPN 'A' tunnel interface
3. Assign the local network to be routed to VPN 'A' to the new VPN_A routing table
Thanks.
errored out
Full Member
Posts: 171
Karma: 3
Re: Routing specific networks over multiple independent VPNs
« Reply #1 on: August 15, 2021, 10:44:06 pm »
FreeBSD does not use multiple routing tables as Linux does. I have heard (although not seen proof) that it is possible to have FreeBSD with multiple routing tables. But either way, it would not be supported.
What you're looking for is called policy based routing. You would use that term or PBR when searching the documentation / forum. There is quite a bit of information on the topic, and it can become complex very fast.
« Last Edit: September 01, 2021, 01:24:27 am by errored out »
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Routing specific networks over multiple independent VPNs
« Reply #2 on: August 16, 2021, 12:42:19 am »
Don’t see why this is not doable. You would need to assign a gateway to each VPN tunnel and use that in the firewall rules for each internal network.
This how-to, while related to a WG VPN, may be helpful:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
I don’t see any distinction between guides for specific IPs vs whole networks? After all, a network is just a group of IPs.
seb101
Newbie
Posts: 4
Karma: 0
Re: Routing specific networks over multiple independent VPNs
« Reply #3 on: August 16, 2021, 11:42:59 am »
Thanks.
Read through a few posts on the topic. It looks like people have not quite solved it, as there appears to be a stumbling block if the internal IP of the VPN connection is dynamic (as it is with my VPN provider), meaning the IP of the gateway can change dynamically (and has to be automagically updated in the PBR firewall rules when it happens).
https://forum.opnsense.org/index.php?topic=9277.0
This is also a challenge in OpenWRT, and you have to add some scripting to hotplug.d to ensure the route table is updated with the current gateway IP whenever the VPN interface goes up. Is it possible to edit hotplug scripts in OPNsense to fix the PBR rules in a similar fashion?
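The three-step OpenWRT procedure from the opening post, together with the hotplug.d refresh asked about in Reply #3, as an added example that is not part of this thread or of OpenWrt/OPNsense. The table id 101, tunnel device tun0, logical interface vpn_a and network 192.168.20.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or OPNsense): /etc/hotplug.d/iface
# script that rebuilds the VPN_A table each time the tunnel comes up, so the
# dynamic tunnel gateway is always current. All names below are assumptions.

TABLE_ID=101                  # assumed free id for the VPN_A table (rt_tables name optional)
VPN_IF=tun0                   # assumed tunnel device
VPN_LOGICAL=vpn_a             # assumed OpenWrt logical interface name
LAN_NET=192.168.20.0/24       # assumed internal network pinned to this tunnel

# DRY_RUN=1 prints each command instead of executing it, so the resulting
# ruleset can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# (Re)install the table for the current gateway. Fail-closed: the unreachable
# route has a worse metric than the tunnel route, so it only takes effect once
# the tunnel (and the default route bound to it) disappears; LAN_NET traffic
# then fails instead of leaking to the raw WAN through the main table.
pbr_up() {
    gw="$1"
    run ip route flush table "$TABLE_ID"
    run ip route add default via "$gw" dev "$VPN_IF" table "$TABLE_ID"
    run ip route add unreachable default metric 1000 table "$TABLE_ID"
    # Delete first so repeated ifup events do not stack duplicate rules.
    run ip rule del from "$LAN_NET" to "$LAN_NET" lookup main 2>/dev/null || true
    run ip rule del from "$LAN_NET" lookup "$TABLE_ID" 2>/dev/null || true
    # Hosts inside LAN_NET still reach each other via the main table...
    run ip rule add from "$LAN_NET" to "$LAN_NET" lookup main priority 900
    # ...and everything else sourced from LAN_NET (replies to inbound
    # connections included) is resolved by the VPN_A table only.
    run ip rule add from "$LAN_NET" lookup "$TABLE_ID" priority 1000
}

# Gateway of the tunnel as the kernel currently sees it (assumes the VPN
# client installed a "via" route on the tunnel device when it came up).
tunnel_gateway() {
    ip -4 route show dev "$VPN_IF" | awk '/via/ { print $3; exit }'
}

# hotplug.d entry point: OpenWrt exports ACTION and INTERFACE to the script.
if [ "${INTERFACE:-}" = "$VPN_LOGICAL" ] && [ "${ACTION:-}" = "ifup" ]; then
    gw="$(tunnel_gateway)"
    [ -n "$gw" ] && pbr_up "$gw"
fi
```

Run it once with `DRY_RUN=1 INTERFACE=vpn_a ACTION=ifup` (or call `pbr_up <gateway>` directly) to see the exact `ip route` and `ip rule` commands before installing it.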
seb101
Newbie
Posts: 4
Karma: 0
Re: Routing specific networks over multiple independent VPNs
« Reply #4 on: August 16, 2021, 11:55:59 am »
Although this may have been fixed very recently...
https://forum.opnsense.org/index.php?topic=22348.0
Greelan
Hero Member
Posts: 1028
Karma: 72
Routing specific networks over multiple independent VPNs
« Reply #5 on: August 16, 2021, 12:37:33 pm »
Not sure whether it makes a difference with non-WG tunnels, but as noted in the how-to mentioned above, the IP chosen for the gateway is essentially arbitrary and is not tied to the endpoint VPN IP. Would that solve the issue?