HOWTO - Routing Traffic over Private VPN

Started by M4DM4NZ, April 10, 2017, 01:34:53 PM



Do you have something like this in your firewall rules (these are the first three firewall rules on my router)?

I do not see why you would be unable to SSH into something inside your network if you yourself are inside your network (with the correct rules enabled).

across_milwee is a firewall group which includes all my subnets by the way.

I am able to connect to an IP that is routed through my VPN connection from any browser (HTTPS) in my network (Mac mini, iPad, or PC; both on Wi-Fi and hardwired).

I usually am on the same subnet with all my devices but I have connected from a different subnet as well.

I do not think these rules do anything other than route all internet traffic through the VPN for the IP addresses you set it up for.

A lot of this is supposition, but if you think about how the rules are working, they are not for blocking traffic from an IP inside your network to another IP inside your network.

You might need to ask someone who is more initiated in the ins and outs of firewall rules to help you, if you already have these anti-lockout rules set up on your VPN subnet (they are usually only made automatically on your install interface / subnet, I think).

Cheers,

Hi Koldnitz,

And thanks again! The addition of some extra rules (well, basically the same as your example) did the trick!
I only had autogenerated DHCP rules and the rules from the "howto" so it was quite logical that my connection attempt failed.

Thanks a million!
:D

January 31, 2021, 04:02:29 PM #107 Last Edit: February 01, 2021, 11:26:44 AM by Broodjeworst
Hi again :)

So with help of Koldnitz I was able to get my setup running (thanks!),
however after some testing I did find some odd behaviour (I think): the connection seems to be dropping intermittently. I think this is also what Koldnitz experienced when he mentioned:

"I turned off sticky connections and now I sometimes use both interfaces together (much faster). 
Fail over only randomly worked before and I have set it up to reconnect randomly to my VPN servers every 8 hours."

So I was wondering what do I need to change in order to do this? Turning off sticky is just deselecting a tick box however I'm not sure how to use both VPN connections simultaneously in order to increase speed and set the random reconnect every X hours.




This is how I reconnect.

I test my dns leakage here https://ipleak.net/

I tried it again over the weekend (when I first read your post) and as far as I can tell I do not have any leakage.

As always, your mileage may vary.

Cheers,

February 02, 2021, 12:58:32 PM #109 Last Edit: February 02, 2021, 09:39:58 PM by Broodjeworst
Great thanks!

The VPN connections are currently configured in a group (as described in the settings of NilsS), so if one of the two in the group goes down the other takes over.
In my case I think that load balancing is a bit too enthusiastic and I need to increase the sticky timeout.

Update:
Seems that if I set both VPN connections in the load balancing group to Tier 1 (as opposed to Tier 1 and Tier 2) it does work.

There is one thing I don't get though: the configuration defines 3 gateway groups and only the load balancing group is used in the rules; the two failover groups are not referenced. Is that correct?

Thanks a lot!

February 16, 2021, 08:03:34 PM #110 Last Edit: February 16, 2021, 09:14:22 PM by kosta
I hope this is a right place to post.
I have PIA VPN and trying to get it to work via OpenVPN.
What I basically want: route none but specific machines through PIA.

I've read most of this thread, and in essence, I can either:
- have a full tunnel and everything going through the VPN or
- nothing

I tried various combinations with the boxes set in the Client-Connection (Don't pull routes and Don't add/remove routes), first, second or both checked.
NAT is configured manually, I have created both NAT for the LAN net and localhost net.
I created a rule saying IPv4* LAN net over PIA_VPN gateway.

Yet, I get the ISP-IP when querying the IP over internet.

And the same thing happens when I try doing it the other way: everything over VPN, except client x. In that case, the client remains in the VPN, although the rule is in place.

Where do I start troubleshooting?

Small edit:
I found out that if I use a "Don't pull routes" configuration, and both NAT and rules as needed, I can't browse... but I figured I can ping.  Apparently resolution isn't working... so, how do I get DNS to work?

From the log:
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.32.112.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.32.112.224 255.255.255.0,peer-id 2,cipher AES-128-GCM'

Quote from: kosta on February 16, 2021, 08:03:34 PM

This will be basic and quick but I believe I got it.

1) Configure your aliases- just whatever you want to put behind a vpn.
2) Configure your client- this varies between VPN providers, but the stickler is leaving "Don't pull routes" unchecked and checking "Don't add/remove routes".
3) Add the interface- don't change defaults- just add it.
4) NAT outbound- make it hybrid and then add a rule

  • VPN interface
  • Source- your VPN alias for what is behind it
  • NAT Address- VPN interface (I did not leave this as Interface Address)
5) Firewall rule on LAN that is pass, IPv4, direction in, vpn alias as source, sent out the VPN gateway, then expand advanced and set local tag NO_WAN_EGRESS or other. This rule needs to be above your default LAN pass rule.
6) I like this one just in case- firewall rule on LAN above #5- reject, ipv4 tcp/udp, source is your vpn alias, dest is LAN address, port 53 (or select DNS). This will block VPN clients from your internal DNS just in case.
7) Firewall rule on floating- Reject, IPv4, direction out, source and dest are any, gateway is your normal WAN gateway. Expand advanced and on Match tag put NO_WAN_EGRESS (or whatever common thing you want- we are just matching the tags for policy routing.)


Going off memory but I believe that is it. You can test for dns leaks while it's up with whatever client you want that is in your alias list. Should ping, have DNS, etc. If you are assigning clients into a certain subnet (which I do), you can set them statically in your VPN alias range AND set their DNS options there like using OpenDNS or other. Or set them on the client itself- whichever works.

I tested for leaks and found it worked. Then I set a constant ping and confirmed it was going out properly. From there I disabled the VPN tunnel and having 2 windows on the GUI I could see that the firewall blocked it as it was catching the NO_WAN_EGRESS floating rule. Enabled the client, ping did not start going through because I think the state was kept. In any case, restarted the ping fine and then did another dns leak test and it was confirmed good.
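An added example, not from the post above and not OPNsense code: a small Python model of steps 5 to 7, showing why the local tag on the LAN pass rule plus the floating reject on the WAN gateway acts as a kill switch when the tunnel drops. Assumptions, all mine: the alias covers 192.168.1.16/28 and the firewall's LAN address is 192.168.1.1 (both constructed); rules are evaluated top to bottom with first match winning; and, as OPNsense does by default (unless "Skip rules when gateway is down" is enabled), a rule whose policy-routing gateway is down is loaded without that gateway, so its traffic follows the default route to WAN. Traffic between local subnets is not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed values; substitute your own alias range and LAN address.
VPN_CLIENTS = [ip_network("192.168.1.16/28")]   # alias of hosts that must use the VPN
LAN_ADDRESS = ip_address("192.168.1.1")         # the firewall's LAN address (runs DNS)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 443
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    action: str            # "pass" or "reject"
    src: list = None       # list of networks, None = any
    dst: str = None        # single address, None = any
    dport: int = None      # destination port, None = any
    gateway: str = None    # policy-routing gateway ("PIA_VPN", "WAN")
    set_tag: str = None    # "local tag" on the LAN rule (step 5)
    match_tag: str = None  # "match tag" on the floating rule (step 7)

    def matches(self, pkt):
        if self.src is not None and not any(ip_address(pkt.src) in n for n in self.src):
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.match_tag is not None and self.match_tag not in pkt.tags:
            return False
        return True


# Firewall > Rules > LAN, top to bottom (first match wins; OPNsense rules are "quick").
LAN_IN = [
    Rule("reject", src=VPN_CLIENTS, dst=str(LAN_ADDRESS), dport=53),            # step 6
    Rule("pass", src=VPN_CLIENTS, gateway="PIA_VPN", set_tag="NO_WAN_EGRESS"),  # step 5
    Rule("pass"),                                                                # default LAN pass
]

# Firewall > Rules > Floating, direction out, on the normal WAN gateway.
FLOATING_OUT = [Rule("reject", gateway="WAN", match_tag="NO_WAN_EGRESS")]       # step 7


def forward(pkt, vpn_up, floating_out=FLOATING_OUT):
    """Return what happens to a packet that enters on LAN."""
    for rule in LAN_IN:
        if rule.matches(pkt):
            break
    else:
        return "dropped: no LAN rule matched"
    if rule.action == "reject":
        return "rejected by LAN rule"
    if rule.set_tag:
        pkt.tags.add(rule.set_tag)
    if pkt.dst == str(LAN_ADDRESS):
        return "delivered to firewall"   # simplified: local delivery, no egress
    # Default OPNsense behaviour: a rule whose gateway is down is loaded without
    # the gateway, so the packet falls back to the default route (WAN). That
    # fallback is the leak the tag + floating reject is there to catch.
    gateway = rule.gateway if (rule.gateway and vpn_up) else "WAN"
    for frule in floating_out:
        if frule.gateway == gateway and frule.matches(pkt):
            return f"rejected on {gateway} by floating rule"
    return f"pass via {gateway}"


if __name__ == "__main__":
    client, other = "192.168.1.20", "192.168.1.100"
    print("tunnel up,   alias host  :", forward(Packet(client, "1.1.1.1"), vpn_up=True))
    print("tunnel down, alias host  :", forward(Packet(client, "1.1.1.1"), vpn_up=False))
    print("tunnel down, no step 7   :", forward(Packet(client, "1.1.1.1"), vpn_up=False, floating_out=[]))
    print("tunnel down, other host  :", forward(Packet(other, "1.1.1.1"), vpn_up=False))
    print("alias host -> LAN DNS    :", forward(Packet(client, str(LAN_ADDRESS), "udp", 53), vpn_up=True))
```

Running it reproduces what the post observed: with the tunnel up the alias host leaves via PIA_VPN; with the tunnel down it lands on WAN and the floating rule rejects it; without step 7 the same packet would pass via WAN, which is the leak; hosts outside the alias are unaffected; and the step 6 rule stops alias hosts from using the firewall's own resolver because it sits above step 5.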

I just switched over from pfSense and I am really liking OPNsense very much. I was wondering if there is an updated working guide for routing certain traffic over NordVPN using an alias?

I really appreciate any help you can provide.

Thank you.

April 17, 2021, 09:54:08 PM #113 Last Edit: April 17, 2021, 11:29:32 PM by Dantichrist
I've been trying to get this to work off an on for a couple of weeks.

How do you get around the error "Policy based routing (gateway setting) is only supported on inbound rules." when you try to specify the gateway on the outbound LAN rule? I tried to get around it by putting in the outbound LAN rule under floating rules but it still doesn't work. The box(s) that I want to go through the VPN still show the WAN IP.

Nevermind. I made an inbound rule using the VPN gateway and it works.

Hi,

I had a VPN working like this in the past but it broke a while ago after an update. After failing to get it to work i completely removed everything and set it up again, but I can't get it to work.

The VPN is connected and the interface is up. I can also ping devices behind the VPN from the OPNsense diagnostics, but not from any device on the LAN. DNS resolution for names in the VPN is working (I have no idea why that is working and pinging/connecting is not). The routes are also pushed correctly and appear in Routes -> Status.
The logs look fine but it seems like responses are lost somewhere.

I've added the NAT Outbound rules and the LAN rule as seen in the attachments.

Looking forward to any hint :)


Hello,
I have a question regarding the OpenVPN client tunnel configuration, specifically the setting "Don't add/remove routes", as some VPN guides suggest enabling this setting.

When I enable the setting, my VPN client connection stops working; when I disable the setting, the tunnel comes up and starts to work again.

What should be the correct setting here?

Any Idea?

Thx!


Cheers,
Crissi

I'm posting a quick solution for those with a DNS failure using Policy Based Routing (or just VPN in general).

I set up a fresh OPNsense install.
I set up a VPN per this tutorial: https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm
   The only deviation I have is on Step 13, for a PBR.  Instead of routing all LAN through the VPN, I set up a rule to only send a subset (addresses below 192.168.x.y/z)

I had all the same issues of others in which IPs not going through the VPN were just fine but those going through the VPN could ping and text, but not "connect".

After hours of searching, I came across this tutorial: https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/
I added a firewall rule for DNS (port 53) and put it at the top of my Firewall -> LAN -> Rules list.

Voila.  It's currently stable for me at the moment.

Hi,

Merry Christmas Everyone 😊

I have a question about NAT – Outbound Rules regarding the correct and secure configuration. I set Outbound Rules to manual and chose the specific VPN clients as interface and source to LAN, VLAN1, VLAN2 etc., so the clients in the different networks go over the different VPN tunnels; that's fine.

But I was wondering how the loopback network, 127.0.0.0/8 (which Hybrid or Automatic NAT rule generation adds), should be handled correctly. Should it also be defined when manual outbound NAT rule generation is set?

What is also not clear to me yet: under Firewall – Rules – Loopback there are 2 automatically generated rules to pass all loopback requests (IPv4 / IPv6) with source / destination Any. Is there anything to define manually to be sure that the VPN is not leaking somewhere?

Thx!
Cheers,
Crissi

Hello,

I hope someone can explain to me the implications / correct settings of the OpenVPN client configuration options "Don't pull routes" and "Don't add/remove routes".

Every VPN Provider seems to have different settings here.

NordVPN
  Don't pull routes        -> Unchecked
  Don't add/remove routes  -> Checked

AirVPN
  Don't pull routes        -> Checked
  Don't add/remove routes  -> Unchecked

PIA
  Don't pull routes        -> Unchecked
  Don't add/remove routes  -> Unchecked

Can someone please help here?
Thx!
Cheers,
Crissi
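An added example, not from anyone in this thread and not OPNsense or OpenVPN code: the two checkboxes Crissi lists map to the OpenVPN client directives route-nopull ("Don't pull routes") and route-noexec ("Don't add/remove routes"). The Python below models what a client does with a PUSH_REPLY under each combination, using the PUSH_REPLY from kosta's log earlier in the thread as the sample input. The classification of which pushed options route-nopull refuses (routes and dhcp-options) and the def1 expansion into two /1 routes follow the OpenVPN manual; the function and variable names are mine.

```python
from ipaddress import ip_network

# Sample input: the PUSH_REPLY control message quoted in kosta's log above.
PUSH_REPLY = (
    "PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,"
    "dhcp-option DNS 10.0.0.243,route-gateway 10.32.112.1,topology subnet,"
    "ping 10,ping-restart 60,ifconfig 10.32.112.224 255.255.255.0,"
    "peer-id 2,cipher AES-128-GCM"
)

# Pushed option classes that route-nopull ("Don't pull routes") refuses: routes and
# DHCP-style options such as DNS. For each one OpenVPN logs
#   Options error: option '<name>' cannot be used in this context ([PUSH-OPTIONS])
# which is exactly the three lines in the log above.
NOPULL_REFUSES = {"route", "route-ipv6", "redirect-gateway", "redirect-private", "dhcp-option"}


def parse_push_reply(line):
    """Split 'PUSH_REPLY,opt args,opt args,...' into (name, args) pairs."""
    fields = line.split(",")
    if fields[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY control message")
    pairs = []
    for field in fields[1:]:
        name, _, args = field.strip().partition(" ")
        pairs.append((name, args))
    return pairs


def routes_wanted(options):
    """Routes the accepted options ask the client to install, as (prefix, gateway).
    A None gateway means 'via the tun device' (IPv6 routes pushed without a gateway)."""
    v4_gw = next((a for n, a in options if n == "route-gateway"), None)
    routes = []
    for name, args in options:
        words = args.split()
        if name == "redirect-gateway" and "def1" in words:
            # def1: two /1 routes shadow the default route without replacing it
            routes += [("0.0.0.0/1", v4_gw), ("128.0.0.0/1", v4_gw)]
        elif name == "route":
            # route <network> <netmask> [gateway]
            net = ip_network(f"{words[0]}/{words[1]}", strict=False)
            routes.append((str(net), words[2] if len(words) > 2 else v4_gw))
        elif name == "route-ipv6":
            # route-ipv6 <prefix> [gateway]
            net = ip_network(words[0], strict=False)
            routes.append((str(net), words[1] if len(words) > 1 else None))
    return routes


def apply_push(line, nopull=False, noexec=False):
    """Model the client's handling of a PUSH_REPLY.

    nopull -> route-nopull: refuse pushed routes and dhcp-options outright.
    noexec -> route-noexec: accept pushed routes but leave the routing table alone
              (OpenVPN hands them to a --route-up script instead)."""
    accepted, refused = [], []
    for name, args in parse_push_reply(line):
        if nopull and name in NOPULL_REFUSES:
            refused.append(name)
        else:
            accepted.append((name, args))
    wanted = routes_wanted(accepted)
    return {
        "accepted": [n for n, _ in accepted],
        "refused": refused,
        "pushed_dns": [a.split()[1] for n, a in accepted
                       if n == "dhcp-option" and a.startswith("DNS")],
        "routes_wanted": wanted,
        "routes_installed": [] if noexec else wanted,
    }


if __name__ == "__main__":
    for nopull, noexec in [(False, False), (False, True), (True, False), (True, True)]:
        r = apply_push(PUSH_REPLY, nopull=nopull, noexec=noexec)
        print(f"route-nopull={nopull!s:5} route-noexec={noexec!s:5} "
              f"refused={r['refused']} dns={r['pushed_dns']} installed={r['routes_installed']}")
```

With neither box checked the def1 pair plus route-ipv6 2000::/3 go into the routing table, which is the "everything through the VPN" case kosta described. "Don't add/remove routes" alone keeps the pushed routes and DNS server in hand but installs nothing, leaving where traffic goes to the firewall's policy routing rules. "Don't pull routes" discards the routes and the pushed DNS server at the client, so the tunnel carries only what the firewall explicitly sends into it and no resolver comes from the provider.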