OpenVPN Settings

Started by mlenje, March 21, 2025, 12:51:54 AM

I have OPNsense v 25.1.3 running with Wireguard/ProtonVPN and DNS Crypt. When I am on my internal LAN, I receive an IP from ProtonVPN and do not have any DNS leaks.

I have OpenVPN set up to access my LAN from outside my network. Whenever I connect via OpenVPN, however, I receive the external IP address of my WAN, not my ProtonVPN. Is this something I can change? DNS Crypt appears to be working while connecting via OpenVPN, but my IP is that of my Internet provider.

Thoughts?

Assuming everything is configured correctly, go to Rules - OpenVPN and send the traffic to the desired gateway; otherwise, by default, it will leave on WAN.

The firewall Rule for the OpenVPN Server interface was set to the following:
TCP/IP Version: IPv4+IPv6
Gateway: Default

If I try to change the Gateway to the ProtonVPN/Wireguard interface, I get an error saying "You can not assign a gateway to a rule that applies to IPv4 and IPv6"

If I change TCP/IP Version to IPv4 only, then I can change the Gateway to the ProtonVPN/Wireguard interface, but when I connect a remote device via OpenVPN, I cannot access the network or access the internet.

You need to split the rule into an internet part with the gateway and a second to allow access to local subnets.

For the internet traffic, it's best practice to create an alias of type network and include all private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to it.
Then use this alias as destination in the gateway rule with "invert" checked. Ensure that this rule is on the top of the rule set.

Add a second rule to allow access to your local subnet. You can also use "any" as destination here.

For internet access you also need to add an outbound NAT rule for the OpenVPN tunnel network to the ProtonVPN interface.
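To make the rule ordering in this answer concrete, here is an added example (not code from the thread or from OPNsense) that models first-match evaluation of the two OpenVPN-interface rules, the inverted RFC1918 alias, and the outbound NAT step. The tunnel network, LAN subnet, gateway name and interface addresses are assumptions.

```python
import ipaddress

# Constructed model of the OpenVPN-interface rule set described above.
# Addresses, alias and gateway names are assumptions, not the poster's values.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # the alias
ANY = [ipaddress.ip_network("0.0.0.0/0")]
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # assumed OpenVPN tunnel network

# A rule is (destination networks, invert destination?, gateway).
# Source is always the tunnel network; first match wins, top to bottom.
RECOMMENDED = [
    (PRIVATE_NETS, True, "PROTONVPN_GW"),  # internet only -> ProtonVPN/WireGuard
    (ANY, False, "default"),               # local subnets -> normal routing
]
WRONG_ORDER = list(reversed(RECOMMENDED))  # "any" rule on top swallows everything

# Outbound NAT: tunnel source is rewritten to the egress interface address.
# Assumed addresses: WireGuard interface 10.2.0.2, WAN 198.51.100.7.
OUTBOUND_NAT = {"PROTONVPN_GW": "10.2.0.2", "default": "198.51.100.7"}

def is_internet(dst):
    """True when the destination is outside the private-network alias."""
    return not any(dst in net for net in PRIVATE_NETS)

def select_gateway(src, dst, rules):
    """Return the gateway the first matching pass rule assigns, or 'blocked'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in TUNNEL_NET:
        return "blocked"
    for dst_nets, invert, gateway in rules:
        hit = any(d in net for net in dst_nets)
        if hit != invert:          # "invert" flips the destination match
            return gateway
    return "blocked"

def leaks_via_wan(dst, rules):
    """True when an internet destination would leave on the default (WAN) gateway."""
    return (is_internet(ipaddress.ip_address(dst))
            and select_gateway("10.8.0.2", dst, rules) == "default")

def egress_source(src, dst, rules, nat=OUTBOUND_NAT):
    """Source address seen on the wire after policy routing and outbound NAT."""
    gateway = select_gateway(src, dst, rules)
    if gateway == "blocked":
        return None
    if not is_internet(ipaddress.ip_address(dst)):
        return src                 # LAN traffic is not translated
    return nat.get(gateway, src)   # missing NAT entry -> untranslated tunnel source
```

With the rules reversed, every internet destination is routed via "default", which is exactly the WAN-address symptom from the first post; without the NAT entry for the ProtonVPN interface, packets leave with the tunnel source address.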

Thank you! It works now.