How to route everything from lan going over VPN.

Started by novel, November 25, 2023, 12:58:40 PM

Quote from: novel on November 25, 2023, 10:58:13 PM
Quote from: tiermutter on November 25, 2023, 10:53:37 PM
Quote from: novel on November 25, 2023, 10:45:19 PM
Yes, it is working, but I disabled wan_dhcp to make it work. It is not the correct way... How to fix it?

For me, this is not the proper way. Maybe just a matter of mind, I don't know, never tried / tested this...
Connection to VPN is now still established... but what will happen after connection loss / reboot? Without WAN GW OPNsense WG client will not be able to connect... will it?
Changing priority instead of disabling WAN GW would be better, but -as said maybe a matter of mind- not the righteous way to go...


Normally the gateway must change automatically when I enable or disable the VPN, but in my case this does not happen. So I have to change the VPN gateway to 253?

I changed it to 253 but it doesn't work. The only correct way is to find the correct way to change it automatically.

Can I ask you something? Monitor IP 8.8.4.4, what is it?

Now, with the VPN enabled, can I use only TCP 443 with the ISP WAN?

Lower value for priority is correct, yes.
But you also need to mark WAN DHCP as upstream GW.


Monitor IP for your VPN GW is a Google DNS IP. OPNsense / dpinger will ping this IP periodically to determine whether the gateway is up or not. I prefer public IPs for this case since adding the VPN endpoint IP here does not mean that the connection to WAN over VPN is working. It is just diagnostics, but this IP will also ALWAYS be routed over the VPN gateway, regardless of other configurations.

Unsure about your last question... what do you mean?
i am not an expert... just trying to help...

Patrick M. Hausen

Please help... Now I have the VPN established. With the VPN enabled, can I use TCP 443 (HTTPS) via the WAN from my ISP???

How can I do that?

I don't understand.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on November 25, 2023, 11:15:41 PM
I don't understand.


The whole LAN works with the VPN, right? All traffic goes to the VPN, not my ISP public IP.

Now I want to make a rule (I think with NAT) only for TCP 443 (HTTPS) to use the public IP from my ISP, not from the VPN.

Do you understand what I want to do?

Rule on LAN, destination port 443, gateway WAN_DHCP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

... placed before your existing "default allow" with gateway set to your VPN.

Why do you want that rule? Sure you only want non-443 traffic to go through VPN?
May I ask what your purpose is?
i am not an expert... just trying to help...

Quote from: Patrick M. Hausen on November 25, 2023, 11:20:27 PM
Rule on LAN, destination port 443, gateway WAN_DHCP.


Thank you very much. I appreciate your help.

Thank you very much Patrick! :)

Quote from: tiermutter on November 25, 2023, 11:24:44 PM
... placed before your existing "default allow" with gateway set to your VPN.

Why do you want that rule? Sure you only want non-443 traffic to go through VPN?
May I ask what your purpose is?

I want this rule because I can't reach some sites. They want an IP only from my country. Do you understand why this rule is very important for me?

Ok, but... Your initial mission was to route everything via VPN due to limitations of your country... Now all HTTPS will go through WAN, with only a little part going through VPN...?!
Would be better to put those "some sites" into an alias and only route them via WAN...
i am not an expert... just trying to help...

Quote from: tiermutter on November 26, 2023, 12:02:28 AM
Ok, but... Your initial mission was to route everything via VPN due to limitations of your country... Now all HTTPS will go through WAN, with only a little part going through VPN...?!
Would be better to put those "some sites" into an alias and only route them via WAN...

Yeah, this choice is better, but I cannot figure out how to do it. What do I have to choose in the destination section?

First create an alias where you put in all sites you want to reach via WAN.
Then go to the last created rule where the WAN GW is set and put the alias as destination.
i am not an expert... just trying to help...
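The rule order tiermutter describes, written out as a pf fragment (an added illustration, not OPNsense-generated output or anyone's posted config): the alias becomes a table, the alias-to-WAN exception is matched first, and the catch-all VPN rule follows. Interface names, the LAN subnet, the WAN next hop and the alias contents are assumed; the VPN gateway address is the one mentioned in the thread.

```pf
# Constructed example: alias of sites that must leave via the ISP WAN
table <wan_only_sites> { 203.0.113.10, 203.0.113.0/24 }   # assumed addresses

lan_if  = "igb0"          # assumed LAN interface
wan_if  = "igb1"          # assumed WAN interface
vpn_if  = "wg0"           # assumed WireGuard interface
lan_net = "192.168.1.0/24" # assumed LAN subnet
wan_gw  = "198.51.100.1"  # assumed WAN_DHCP next hop
vpn_gw  = "10.217.30.1"   # VPN gateway IP from the thread

# 1) Specific exception first: HTTPS to the alias goes out via WAN_DHCP.
#    "quick" stops evaluation here, so rule 2 never sees this traffic.
pass in quick on $lan_if inet proto tcp from $lan_net to <wan_only_sites> port 443 \
    route-to ($wan_if $wan_gw) keep state

# 2) Default allow for everything else from LAN, gateway = VPN.
#    If this rule were listed above rule 1, the exception would never match.
pass in quick on $lan_if inet from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state
```

In the OPNsense GUI the same ordering is the alias rule sitting above the default-allow rule on the LAN tab; outbound NAT on both the WAN and the VPN interface is still needed for the source address to be rewritten.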

Quote from: tiermutter on November 26, 2023, 11:08:21 AM
First create an alias where you put in all sites you want to reach via WAN.
Then go to the last created rule where the WAN GW is set and put the alias as destination.

In the section Firewall > Alias... I tried to create a list but I didn't manage it. Do you have any example?

Then where do I have to go?

November 26, 2023, 11:54:11 AM #58 Last Edit: November 26, 2023, 11:56:18 AM by novel
Quote from: tiermutter on November 25, 2023, 11:13:19 PM
Lower value for priority is correct, yes.
But you also need to mark WAN DHCP as upstream GW.


Monitor IP for your VPN GW is a Google DNS IP. OPNsense / dpinger will ping this IP periodically to determine whether the gateway is up or not. I prefer public IPs for this case since adding the VPN endpoint IP here does not mean that the connection to WAN over VPN is working. It is just diagnostics, but this IP will also ALWAYS be routed over the VPN gateway, regardless of other configurations.

Unsure about your last question... what do you mean?

I would like to use DNS over TLS. I have already configured Unbound over TLS. So, I want the VPN to use my configuration, NOT DNS over Google.
How to change that? Can I leave the monitor IP choice blank??? Or do I have to put the same IP? I mean gateway IP 10.217.30.1 and monitor IP 10.217.30.1.

Monitor IP does not mean that this will be used as the DNS server. Simply don't care about this ;)
You can put any public IP here if you want...
i am not an expert... just trying to help...