[SOLVED] Routing VPN and non-VPN traffic How-To?

[Noctur]

I need to set up a system with a portion of the service routed through a VPN (OpenVPN) and another set of IPs routed to by-pass the VPN. Both routes should still be inspected by the pf firewall and Suricata. The How-To section of the Wiki doesn't expressly show an example of this. Is there another example of how this is performed that someone could point me to? TIA

[M4DM4NZ]

Hi Noctur

I've been pulling my hair out trying to setup the same thing, have a look at this link:

https://wretmo.se/2016/01/24/how-to-setup-openvpn-client-on-opnsense/

AND this:

https://forum.opnsense.org/index.php?topic=4053.0

Let me know if you have any luck, I'm almost ready to give up :/

[Noctur]

Hi M4DM4NZ,

Yep, for most gurus here this is probably a simple matter. Maybe some will take pity and point us in the right direction.

I took a good look at your post. The first reference (wretmo.se) has another reference for a pfSense setup at the bottom of their how-to, http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/. That how-to is doing exactly what I (and maybe you) want to do - address a VoIP issue. I'll be looking at that one in depth one evening when I have time to experiment.

Thank you for your post! If I have any success I'll follow-up.

[M4DM4NZ]

Thanks mate,

Just checked my setting from the link you posted, still no luck but i'll keep trying.

Cheers

[M4DM4NZ]

Ok, I've worked out how to get this going, it took all day messing around with settings but heres what worked for me:

I took a screenshot of my Firewall>NAT>Outbound

you'll notice, im using an Alias called "ASUSRouter" that contains a single LAN IP on my network assigned to my Asuswifi router. meaning that any clients, eg mobile phones that are connect to that wifi, have their traffic routed through the VPN

Next up,

You need to edit your Firewall LAN rules,

After pulling my hair out for ages wondering why my settings wouldn't work, i discovered that NOTHING works without using an "Alias" for some weird reason. eg, I had a LAN rule that pointed all traffic on my 192.168.1.170(Asusrouter)to pass via the VPN gateway. but noooooo It doesn't work unless you create an alias to 192.168.1.170 and select the "alias" rather than manually punching in the "Single Host or Network" even though it means the same thing!.

So yeah, long story short, any IP i add to this "ASUSRouter" alias will be routed via the VPN, all other computers on my LAN NOT connected to that asus router pass directly out the WAN

Note: the order you have your LAN Rules in the list is IMPORTANT, from top to bottom i have my "Allow Asusrouter alias rule to VPN gateway" FIRST, then the rule below that is my IPV4* to WAN Gateway rule.

Also note, I dont have any rules under my VPN OR OPENVPN Tabs under Firewall>Rules.

Hope this helps

Cheers

[M4DM4NZ]

FYI, I've written up a detailed HOW-TO on this subject:

https://forum.opnsense.org/index.php?topic=4979.msg19771#msg19771