HOWTO - Routing Traffic over Private VPN

Started by M4DM4NZ, April 10, 2017, 01:34:53 PM

I use local name resolving.

Anyway I don't think my problem is DNS related.
After having stopped pulling new routes from my VPN provider, every VLAN/subnet can go on the Internet freely.

The problem I have right now is that even the VLAN which should go on the Internet through the VPN only, does not go through the VPN tunnel.

So either I need to find a way to specify a different gateway for the "VPN VLAN", or I need to understand policy based routing.

So far I've been following these instructions by M4DM4NZ (BTW, thank you very much!!!), but if there is a better way (particularly now with 18.1.x) to achieve what I need, I'm all ears.

Regards,
Andrea

PS: is there a single place where to retrieve all FW rules? I have lots of subnets...

Hello All,

I've been watching this thread with interest as it's almost exactly what I want to do (uh, except I'm not using torrent, I'm just trying to get around some "geo-location" BS). I hoped that all questions and issues that have come up with the HOW-TO would be resolved in short order, but it's been over 2 weeks since the last post. Can someone provide an update on the status of this??

~S

Hi Seamus,

Unfortunately I made no progress since my last post.

Regards,
Andrea


Hello,
Has anyone managed to run an OpenVPN client (airvpn - nordvpn - etc) under OPNsense 18.x?

I was trying to get (Nord)VPN running and route all LAN traffic through it but I can't get it working without pulling routes from the VPN Host, which in turn messes up my routing and all rules get "randomized"... is there any progress on this issue? Would it make sense to downgrade to 17.x?

Have you guys tried the latest 18.1.6 yet? I haven't.

It's still running 18.1.6 (almost the same config as in post https://forum.opnsense.org/index.php?topic=4979.msg25066#msg25066 )

Just changed

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

to

route-nopull
route 10.4.0.0 255.255.0.0 10.4.0.1

but that's only working when you know the IP address/net and gateway of your VPN provider.


@NilsS Thanks for your message. I tried out adding a route manually like you described (Advanced Options in VPN Client configuration) and now my system feels more deterministic again; I could check "Don't pull routes" and "Don't add routes" and it still works. Now I can tweak rules. Thank you!

April 24, 2018, 01:31:24 AM #53 Last Edit: April 24, 2018, 02:40:50 AM by quirkyferret
Following these instructions, I had this working in Jan.. but then I wanted to bring on another interface, set up a DMZ. I then had some issue with traffic not routing appropriately - it looks like I'm not the only one who ran into something like this, reading through the last few pages. I disabled the VPN client, and got the second interface working.

I've decided I want to tackle this again, ran through all the updates so I'm on 18.1.6. I can confirm the VPN client shows as up, I've followed the rules - but now I apparently can't get any traffic out through the VPN - no matter what host I add (tried some VMs and some bare metal in case there was something weird I was missing), all traffic appears to hit my physical interfaces, rather than the virtual VPN interface.

edit: I missed a basic troubleshooting step. After a reboot, I could now send from my VPN alias out through the VPN.. along with all of my other traffic. Rereading the other issues people experienced, I experimented with the flags for 'don't pull routes' / 'don't add or remove routes'.

With 'don't pull routes' unchecked, and 'don't add or remove routes' checked.. everything appears to work. Though I'm not sure exactly how confident I am in this.

I can confirm that:
With 'don't pull routes' unchecked, and 'don't add or remove routes' checked.. everything appears to work.

also did the trick for me.
Thanks a lot everybody and regards

I got this working with 17 but after a crash and re-installation of 18 I can't get it to work anymore.

I tried multiple instructions for setting up a VPN Killswitch for both OPNsense and pfsense but I couldn't get any of them to work. I tried setting it up myself and it seems to be working.

Here's how it's set up on OPNsense 18.1.8:

1. I created an alias for computers restricted to VPN

2. Turned off gateway switching (not sure if this is needed)

3. Created pass firewall rule on LAN interface
   - source "VPNalias"
   - gateway VPN
   - set local tag "VPN"
   - everything else as default

4. Created floating rule
   - action "reject"
   - "quick" checked
   - interface WAN
   - direction out
   - match local tag "VPN"

5. Create outbound NAT rule (hybrid mode)
   - interface VPN
   - source address "VPNalias"
   - translation/target "interface address"

As far as I can tell this setup blocks traffic when the VPN goes down but it seems so simplistic compared to any of the guides I followed. Am I missing something?

Hi,

Maybe it's just me, but I can't get this to work!

I can connect to the OpenVPN server, that has never been a problem.

I created a subnet 10.55.59.0/24, whose hosts are the only ones which should go through the VPN.

When I connect to the VPN, the router itself goes through the VPN (which it should not).
You can see from the traceroute below:

root@routy:~ # traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 40 byte packets
1  c-46-246-84-1.ip4.frootvpn.com (46.246.84.1)  34.104 ms  33.843 ms  33.998 ms
2  178.73.195.97 (178.73.195.97)  35.006 ms  34.265 ms  34.585 ms
3  be-1.cr1.sto2.se.portlane.net (80.67.4.208)  35.372 ms  35.370 ms  35.383 ms
4  72.14.216.118 (72.14.216.118)  34.637 ms  34.987 ms  34.275 ms
5  108.170.253.161 (108.170.253.161)  35.504 ms
    108.170.254.33 (108.170.254.33)  35.479 ms  35.283 ms
6  216.239.58.43 (216.239.58.43)  34.759 ms
    72.14.236.85 (72.14.236.85)  34.908 ms
    74.125.37.157 (74.125.37.157)  34.624 ms
7  google-public-dns-b.google.com (8.8.4.4)  34.819 ms  34.505 ms  35.023 ms



The default gateway is correct (10.55.50.1), but somehow it goes through the OpenVPN one.

root@routy:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.84.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
[..]

Hosts in other subnets (other than the VPN one) cannot get on the Internet:

root@willy:~# traceroute google.com
traceroute to google.com (172.217.22.174), 30 hops max, 60 byte packets
1  routy.home (10.55.55.1)  0.200 ms  0.170 ms  0.179 ms
2  * * *
3  * * *
4  * * *
5  * * *


I've attached the NAT/outbound rules, as I'm pretty sure I'm doing something wrong there, as I don't really know what they should look like (10.55.59.0/24 is colour coded "black").
I found rules along those lines in some "random" tutorials, and a pfsense tutorial from 4 years ago! :-/

I tried both Hybrid and manual NAT rule generation (plus all sorts of combinations). No luck!

If anyone can give me some hints, it would be much appreciated.

Regards,
Andrea
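The routing table above explains the traceroute: OpenVPN's redirect-gateway pushes 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, and those are more specific than "default", so longest-prefix match sends the router's own traffic through ovpnc1. The added example below (not from this thread) parses a constructed netstat -nr sample modelled on Andrea's output, resolves a destination by longest-prefix match, and then adds the four /2 routes from NilsS's earlier client config to show why they pull traffic back to WAN; it assumes net_gateway resolves to the WAN gateway 10.55.50.1 on igb0.

```python
import ipaddress

# Constructed sample modelled on the FreeBSD 'netstat -nr' output in the post.
# The two /1 routes are what OpenVPN installs for redirect-gateway.
NETSTAT_SAMPLE = """\
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.84.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
128.0.0.0/1        46.246.84.1        UGS      ovpnc1
"""

# The four /2 routes from NilsS's client config ("route 0.0.0.0 192.0.0.0
# net_gateway", ...) as the kernel would hold them. Assumption: net_gateway is
# the pre-VPN default gateway 10.55.50.1 on igb0. A /2 beats the pushed /1s.
NET_GATEWAY_OVERRIDES = [
    (ipaddress.ip_network(p), "10.55.50.1", "igb0")
    for p in ("0.0.0.0/2", "64.0.0.0/2", "128.0.0.0/2", "192.0.0.0/2")
]

def parse_netstat(text):
    """Parse IPv4 'netstat -nr' lines into (network, gateway, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # header or non-route line
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # link-layer or otherwise unparsable destination
        routes.append((net, parts[1], parts[3]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: return (gateway, netif) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (best[1], best[2])

if __name__ == "__main__":
    table = parse_netstat(NETSTAT_SAMPLE)
    # As in the post's traceroute: 8.8.4.4 leaves via ovpnc1, not "default".
    print("pushed /1 routes:", lookup(table, "8.8.4.4"))
    # With the /2 overrides (or route-nopull) the router uses WAN again and the
    # firewall's per-rule gateway decides which hosts use ovpnc1.
    print("with /2 overrides:", lookup(table + NET_GATEWAY_OVERRIDES, "8.8.4.4"))
```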

Just in the process of migrating from pfsense and this capability is absolutely necessary for me, and I can't get it to work (set up in exactly the same way my pf box was). Currently running 18.1.9. Is there any progress on this (preferably making it easier to set up somehow)?

It seems that I have got things working, tunneling the specific IP.

But I cannot get the other clients to reach the Internet. When selecting "Manual outbound NAT rule generation", the list was empty. Shouldn't I have more rules than just the three?

I just got this working using a fresh OPNsense install (18.1.6).  In the VPN client configuration, you definitely want to leave "Don't pull routes" unchecked and check "Don't add/remove routes".

I do have the DNS problem that some people mentioned, though.  Basically, from the machine I'm forcing to go through the VPN tunnel, I am able to ping addresses on the Internet, but DNS look-ups fail. 

Using Wireshark, I see the DNS requests go out from the client to OPNsense, but I never see a reply.

In the OPNsense log, I see the DNS request come in from the client, and then a DNS reply seems to come from the OpenVPN client IP assigned to the interface.

If I manually configure my client machine to use another DNS server (e.g. 8.8.8.8), then everything works.

I'm using the default DNS server - "Unbound DNS" - so the next thing I'll be trying is to use Dnsmasq instead.