HOWTO - Routing Traffic over Private VPN

[ligand]

Hi Everyone,
Wanted to share a configuration option to help with port forwarding.  My setup:

Interfaces
WAN
VyprVPN
LAN

Thanks to this thread I was able to get Transmission to route out of the VPN interface instead of the WAN interface.  However, Transmission reported that my peer listening port was closed.  I setup port forwarding on the VyprVPN interface to forward inbound traffic to my Transmission host but it didn't work.  After doing a bunch of  tcpdumps, I found that inbound traffic entered the VyprVPN interface but left using the WAN interface. 

I also have an OpenVPN server setup and found a rule in the OpenVPN server rule in that ruleset was affecting my Transmission traffic.   The rule is the one that allows for all traffic to enter OpenVPN (see attachment).  If I disabled the rule then all traffic to and from Transmission went over the VPN.  If the rule was enabled, then I experienced asymmetric routing.  I found that if I unchecked "apply rule immediately" then my routing worked as expected.  :-). Hope this helps.

[immto]

Hello everyone and thanks to you all and especially M4DM4NZ for getting this thread going years ago.  That said I do have a couple issues I'm still ironing out and I'm trying to really understand this.  The original How To said to create a rule for port 500.  Was that a thing back in 2018 because I can't see any reason why I would need this rule.  Any thought on that? 

Also Thank you

Hello,

i hope someone can explain me the implications / correct settings of the openvpn client configuration Don't pull routes and Dont add/remove routes

Every VPN Provider seems to have different settings here.

NordVPN
Don't pull routes               -> Unchecked
Dont add/remove routes    -> Checked

AirVPN
Don't pull routes               -> Checked
Dont add/remove routes    -> Unchecked

PIA
Don't pull routes               -> Unchecked
Dont add/remove routes    -> Unchecked

Can someone please help here?
Thx!

That is what really helped me get this going.  Nowhere is it mentioned that these settings are so important, but they are.  The VPN providers don't even seem to mention them.   

[chenks]

hi, sorry to bump this thread, but i'm a new opnsense user and just looking to check if the instructions at the start of this thread (from 2017) will allow me to do what i'm trying to achieve.

i'm new to opnsense, but not new to basic network config and tinkering with config.

i've added my nordvpn account to opnsense as a vpn client (using https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm although stopped at the unbound part), and it's showing as connected (albeit no traffic actually routing thru it just now).

i want to route either specific URLs or specific LAN clients thru the VPN (ie not ALL traffic), i believe this will probably be policy based routing?

example
i want to route all traffic from 192.168.50.10 thru the VPN
i want to route any device accessing www.blah.com thru the VPN

i also don't want any DNS leak

[andyblac]

I am having this issue, is theres a known fix yet ?

thanks
andrew

[perrfect]

Hi Guys,

Below is a step by step guide to configuring Opnsense 17.1.4 to route LAN traffic out via your private VPN provider.
(In my case, AirVPN)

I have a setup where I want all computers on my LAN to have a direct connection to the Internet, but "Some" computers I want connected to the VPN *cough torrenting cough *

Hello. Thank you for your article. It really works.
How about Multi WAN?
When we have two OpenVPN clients and two LANs.
LAN1 - VPN1
LAN2 - VPN2
If VPN1 is off, all traffic from LAN1 should go via VPN2.

[beneix]

Hello,

i hope someone can explain me the implications / correct settings of the openvpn client configuration Don't pull routes and Dont add/remove routes

Every VPN Provider seems to have different settings here.

NordVPN
Don't pull routes               -> Unchecked
Dont add/remove routes    -> Checked

AirVPN
Don't pull routes               -> Checked
Dont add/remove routes    -> Unchecked

PIA
Don't pull routes               -> Unchecked
Dont add/remove routes    -> Unchecked

Can someone please help here?
Thx!

I am also confused about this - trying to set up a VPN client for PIA, but since I only want certain clients to go via this interface, I was thinking that also for PIA I should check "Dont add/remove routes". Am I wrong?

[beneix]

Step 7.

 - Navigate to Firewall > Aliases > View
 - Add a new Alias
 - Name: VPNTraffic
 - Description : VPNTraffic
 - Type: Host:
 - First entry: 192.168.X.X

NOTE: (enter the IP address of Computers/devices you want to be on the VPN here. I personally enter the IP address of my Wireless router I have attached to my LAN, The wireless router has DHCP enabled so all wireless devices connected to this access point have their traffic passed via the VPN )

Something seems to have changed since the OP - there is nowhere to put "First entry". I have a field "Content", but there I can only choose between a list of other aliases. There is also a "Categories" field.

Where should I enter the ip address(es)?

[Hoererser]

Hello everyone and thanks to you all and especially M4DM4NZ for getting this thread going years ago.  That said I do have a couple issues I'm still ironing out and I'm trying to really understand this.  The original How To said to create a rule for port 500.  Was that a thing back in 2018 because I can't see any reason why I would need this rule.  Any thought on that? 

Also Thank you

Hello,

i hope someone can explain me the implications / correct settings of the openvpn client configuration Don't pull routes and Dont add/remove routes

Every VPN Provider seems to have different settings here.

NordVPN
Don't pull routes               -> Unchecked
Dont add/remove routes    -> Checked

AirVPN
Don't pull routes               -> Checked
Dont add/remove routes    -> Unchecked

PIA
Don't pull routes               -> Unchecked
Dont add/remove routes    -> Unchecked

Can someone please help here?
Thx!

That is what really helped me get this going.  Nowhere is it mentioned that these settings are so important, but they are.  The VPN providers don't even seem to mention them.

Many things can be a waste of your effort, but a helping hand is not.

[ligand]

Hi All!
I had to redo my VPN configuration and found that these settings work for VPN configurations other than wireguard. 

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Hope this helps.