route Client (Computer) traffic over VPN and destination traffic Question

Started by snakeyes75, July 21, 2025, 03:59:30 AM

Hi all, any help would be appreciated. I was finally able to set up my VPN to Surfshark. I am able to route all traffic from my LAN to the VPN. But I would like to do two things:

Route a client connected out the VPN (IP address 10.1.1.98 to go to the VPN Gateway)

All traffic that is, say, to espn.com to go out the VPN gateway (any traffic from the LAN). I plan on setting up a different VPN for this connection.

Quote from: snakeyes75 on July 21, 2025, 03:59:30 AM: "I was finally able to set up my VPN to Surfshark."
Which type of VPN?

Did you assign an interface to the VPN instance?

Yes, I have a VPN interface. I am using the Surfshark VPN client setup. If I change the gateway, all traffic is sent to it. I tried adding another rule to send only the source IP to the gateway, but it does not work. Additionally, I am still trying to figure out how to route all traffic for a specific destination IP to the firewall only. On my previous firewall (Untangle - Arista), all I did was create a rule for destination IP=x.x.x.x, route to the VPN Gateway. I am not sure what I am doing wrong.

Quote from: snakeyes75 on July 22, 2025, 03:34:57 AM: "I am using the Surfshark VPN client setup"
Surfshark isn't a VPN protocol, but a product. They may support some of the protocols OPNsense has included.

Anyway, if you already have a VPN interface you can route traffic to it with policy-routing rules (filter rules with a gateway stated).

To limit a rule to upstream traffic only, it's best practice to create an RFC 1918 alias of type "network" and add all private network ranges to it.

Then, to route the upstream traffic of a certain source IP, just create a firewall rule on the LAN (or whichever interface the client is connected to), specify the source IP, check "Destination / Invert" and state the RFC 1918 alias. Go down to Gateway and select the VPN gateway. Put this rule at the top of the rule set (above the allow-any or other destination rules).
The alias with "invert" ensures that the rule only matches destinations other than RFC 1918 networks. So the client can still access other local subnets, if any.

To route traffic to certain destinations over the VPN, also create an alias for these destinations. When creating host aliases you can state host names (FQDNs). OPNsense will resolve them and add the IPs to the table.
Use this alias as the destination in a policy-routing rule, then, as described above, also move this rule up above any any-destination rule to ensure that it is evaluated first.
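The answer above hinges on two things: the inverted RFC 1918 destination alias and rule order (OPNsense rules are first-match, so a gateway rule placed below a generic allow-any rule never fires). As an added illustration, not code from the thread or from OPNsense itself, the following Python script simulates that first-match evaluation over a small rule set. The rule names, gateway labels and the "resolved" addresses in the espn.com alias are constructed sample values, not real rule or DNS data:

```python
"""
Added example (not from the thread): simulate OPNsense-style first-match
policy routing to show why a gateway rule must sit above the allow-any rule.
"""
import ipaddress

# RFC 1918 alias of type "network", as the answer suggests.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host alias for the destination. OPNsense would resolve the FQDN itself;
# these are constructed sample addresses from the documentation range,
# not real espn.com addresses.
ESPN_ALIAS = [ipaddress.ip_network("203.0.113.10/32"), ipaddress.ip_network("203.0.113.11/32")]


def in_alias(ip, alias):
    """True if ip falls inside any network of the alias table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


def rule(name, src=None, dst=None, dst_invert=False, gateway="default"):
    """Minimal model of a filter rule: optional source host, optional
    destination alias (with 'Destination / Invert'), and a gateway."""
    return {"name": name, "src": src, "dst": dst, "dst_invert": dst_invert, "gateway": gateway}


def matches(r, src, dst):
    if r["src"] is not None and ipaddress.ip_address(src) != ipaddress.ip_address(r["src"]):
        return False
    if r["dst"] is not None:
        hit = in_alias(dst, r["dst"])
        if r["dst_invert"]:
            hit = not hit  # 'invert' flips the alias match
        if not hit:
            return False
    return True


def select_gateway(rules, src, dst):
    """First matching rule wins (OPNsense rules are 'quick' by default).
    Returns (rule name, gateway) or ('implicit-deny', None)."""
    for r in rules:
        if matches(r, src, dst):
            return r["name"], r["gateway"]
    return "implicit-deny", None


# Correct order: the two policy-routing rules sit above the allow-any rule.
RULES_OK = [
    rule("client-to-vpn", src="10.1.1.98", dst=RFC1918, dst_invert=True, gateway="VPN_GW"),
    rule("espn-to-vpn", dst=ESPN_ALIAS, gateway="VPN_GW"),
    rule("allow-any"),
]

# Wrong order: allow-any on top shadows everything below it.
RULES_SHADOWED = [
    rule("allow-any"),
    rule("client-to-vpn", src="10.1.1.98", dst=RFC1918, dst_invert=True, gateway="VPN_GW"),
    rule("espn-to-vpn", dst=ESPN_ALIAS, gateway="VPN_GW"),
]

if __name__ == "__main__":
    for src, dst in (("10.1.1.98", "198.51.100.1"), ("10.1.1.98", "192.168.2.5"),
                     ("10.1.1.50", "203.0.113.10"), ("10.1.1.50", "198.51.100.1")):
        print("ok      ", src, "->", dst, select_gateway(RULES_OK, src, dst))
        print("shadowed", src, "->", dst, select_gateway(RULES_SHADOWED, src, dst))
```

With the correct order, the 10.1.1.98 client is sent to the VPN gateway for any non-private destination but still reaches 192.168.2.5 via the default gateway, and any LAN host reaching an address in the espn.com alias is routed to the VPN. With allow-any on top, every lookup returns the default gateway, which is the symptom described in the thread.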

Hi... that was the key. All I had to do was move it up to the top.