Partial Network VPN Client Gateway Configuration

Started by moddingfox, January 12, 2025, 10:55:31 PM

Hey Y'all,

I recently(ish) set up OPNsense for my home network. My current configuration and initial use case was to have it run DHCP/DNS for the network, provide port forwarding, and road warrior (OpenVPN) access into the network from some of my more portable devices. Thus far all of this has been pretty easy to get working due to the outstanding documentation and community knowledge in the wild. Recently I thought it would be cool to have a VPN gateway for a specific subset of hosts' outbound traffic on the network to be routed through a VPN on OPNsense. The idea being that some hosts need to use my ISP assigned IP for dynamic DNS updates or when the additional 10-50ms ish latency is not an acceptable trade off. For the most part setting up the client was pretty easy and followed the standard "Client[legacy]" setup per the documentation (I'll probs try the new Instances way later). But getting only specific hosts vs the whole network working was a bit off script and hard to find info around, so I figured I'd share what extra bits I had to do to get it working. Note I don't use IPv6 on my network nor is it in this setup as my ISP is only assigning IPv4 to me, so the below is only for IPv4 and assumes that you have no IPv6 traffic to leak.

First in "VPN->Clients[legacy]" ensure that "Don't pull routes" is enabled. Otherwise it seems the VPN will try to swallow all traffic on the network.

Second in "Interfaces->Assignments" make sure the VPN interface is assigned. If it's not, select it in the dropdown, give it a description, and add it. Optionally, once your interface is created, switch to it under your interfaces and enable "Block bogon networks".

Third (optional but recommended) in "Firewall->Aliases" set up an alias containing the IPs or aliases of the hosts you want to have use the VPN for outbound traffic. This is not necessary as you can create rules targeting specific hosts, but it makes adding and removing easier.

Fourth in "Firewall->NAT->Outbound" set the mode to "Hybrid outbound NAT rule generation".
Both rules will need to use the interface you assigned for the VPN as the Interface and the alias created earlier for the source.
The first rule should set the destination port as 500. The second rule can just accept the defaults. These rules should be at the top of your rule list.

Fifth in "Firewall->Rules->LAN" create a rule for inbound traffic to the LAN using the alias created earlier for the source and set the gateway to the one created by the VPN client setup (this should already exist).

As far as I have been able to test, it seems that if the VPN client is not connected then hosts configured this way lose access, though I'm not currently able to attest exactly to what extent.
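For readers who want to check what the GUI steps above actually produce (for example with `pfctl -sn` and `pfctl -sr` on the firewall), here is the equivalent hand-written pf ruleset for the alias, the two hybrid outbound NAT rules and the LAN policy-routing rule. This is an added illustration, not the poster's or OPNsense's own generated config; the interface name `ovpnc1`, the VPN gateway `10.8.0.1`, the LAN name `lan` and the host addresses are assumed/constructed.

```pf
# Assumed names: VPN interface ovpnc1 with remote gateway 10.8.0.1,
# LAN interface "lan". The host list below is constructed sample data
# and plays the role of the Firewall->Aliases alias.
table <vpn_hosts> { 192.168.1.20, 192.168.1.21 }

# Step four: the two manual outbound NAT rules on the VPN interface,
# placed above the automatically generated ones (hybrid mode).
# 1) Traffic to destination UDP/500 keeps its source port (static-port).
nat on ovpnc1 inet proto udp from <vpn_hosts> to any port 500 -> (ovpnc1) static-port
# 2) Everything else from the listed hosts is masqueraded to the VPN address.
nat on ovpnc1 inet from <vpn_hosts> to any -> (ovpnc1)

# Step five: the LAN rule with the VPN gateway selected. pf's route-to
# pushes matching packets out ovpnc1 regardless of the default route;
# if ovpnc1 is down these packets are dropped rather than falling back
# to the ISP path, which matches the "hosts lose access" observation.
# Narrow "to any" if LAN-to-LAN traffic from these hosts should stay local.
pass in quick on lan route-to (ovpnc1 10.8.0.1) inet from <vpn_hosts> to any keep state
```

Because "Don't pull routes" is enabled in step one, the default route stays with the ISP and only the `route-to` rule sends the listed hosts through the tunnel.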