Topic: HOWTO - Routing Traffic over Private VPN (Read 221515 times)
tibere86
Newbie
Posts: 10
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #60 on:
July 05, 2018, 01:28:53 am »
Updated to 18.1.11 and am still having issues getting OpenVPN (PIA) working like I had it on pfSense.
I hope this How-To gets updated to include detailed instructions on how to route specific traffic over VPN on OPNsense 18.1.X.
Logged
Nismanoke
Newbie
Posts: 1
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #61 on:
July 09, 2018, 05:43:00 am »
Hi all,
I had the same problems with DNS. (error_resolv_name)
I followed the manual from NilsS on page 2 on top. At first it wasn't working; after I placed the firewall rule autocreated by the port forward rule on the NAT section of the firewall and restarted my openvpn clients, everything started working.
I have noticed that after each change in the firewall, gateway and interface section the openvpn clients have to be restarted in order to get it working.
Hope some more people get it up and running now.
Update:
Now after half an hour I get connection time out. When I restart the openvpn client(s), everything starts working again for a few minutes and then I get the connection time out again. Bummer
Think I'm reverting to pfsense, got it working there before. Wanted to try out opnsense but can't find something to get it working. A lot of people are complaining over this that from some version on a bug or something causes problems.
Maybe opnsense developers can look into this and post a guide how to do policy based routing with openvpn client gateway (group) or a workaround.
Would like
greetings,
Nismanoke
«
Last Edit: July 09, 2018, 06:23:54 am by Nismanoke
»
Logged
ThePOO
Newbie
Posts: 26
Karma: 3
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #62 on:
July 10, 2018, 05:31:18 am »
Perhaps look at https://forum.opnsense.org/index.php?topic=8998.0 as a possibility .... I don't know if the method there gets the job done, but it's maybe worth a look.
And, I agree ... there should be a reliable, official method documented for opnsense. I, too, had a bullet-proof, leak-proof vpn set up in pfsense and have not been able to do that in opnsense. I really like opnsense and the developers are spot-on with where the product is going. Perhaps, at some point, they'll look into this and come up with a similar bullet-proof method ... x'ing fingers.
I've been watching this topic and the topic, in the link above, hoping someone definitively solves this.
Logged
M4DM4NZ
Newbie
Posts: 24
Karma: 18
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #63 on:
July 11, 2018, 03:27:17 am »
Hey Guys,
M4DM4NZ here, wow this HOW-TO I started over a year ago has had some major viewing, so I figured I better keep you all up to date with my current configuration.
Sorry I haven't been on here posting much, life stuff gets in the way of geek stuff now and then...
Anyway, I recently had issues with my VPN dropping out a few months ago and figured I better update opnsense to a more current version as I've been using 17.something for a while now.
I can't say exactly what I did, but from memory I've backed up my current config from 17.x and restored it over top of a clean install of 18.x
I do recall some funky things happening as it wasn't a smooth transfer and involved a lot of trial and error testing.
So... I'm gonna go over my current working config soon and post some settings here once I get home from work.
Thank you all for your effort in keeping this thread active, and big thanks to conanTheRouter and NilsS for maintaining my How-To and adding some cool functions.
Keep you all posted soon with config updates
Logged
Patpop
Newbie
Posts: 3
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #64 on:
July 16, 2018, 08:35:14 am »
Any progress on this? Would really like to switch from pfsense to opnsense but this is holding me back from switching. Thx
Logged
jds
Full Member
Posts: 112
Karma: 3
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #65 on:
August 17, 2018, 08:07:22 pm »
I don't have much experience with opnsense, but after some communications with tech support at PIA, it was eventually possible to get this working. I did not read all of the problems you were having above (sorry), but can tell you that only some small subset of settings will work, and not all are documented. In fact, they even recommend something that definitely does not work. My settings are:
System -> Trust -> Authorities:
---------------------------------------
I added an authority called PIA-4096, and pasted this size key from PIA and saved.
VPN -> clients:
-------------------
Server mode: Peer-to-peer (SSL/TLS)
protocol: UDP4
device mode: tun
interface: WAN
Remote server: <my favorite PIA server> 1197
infinitely resolve remote server is enabled
<add your credentials to PIA>
Peer Certificate Authority: PIA-4096
Client Certificate: None
Encryption algorithm: AES-256 CBC (256 bit key,128 bit block) <this must match the same certificate, and must be CBC>
Auth Digest Algorithm: SHA-256 (256 bit)
No Hardware Crypto Acceleration
Compression: enabled with adaptive compression
Disable IPv6 is checked
Advanced:
persist-key;
persist-tun;
remote-cert-tls server;
reneg-sec 0;
auth-retry interact
I may have forgotten some details, but if you ask will look them up in my working setup.
Hope this helps.
Logged
bevigilant
Newbie
Posts: 3
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #66 on:
August 24, 2018, 12:05:45 pm »
Removed my post as I have all this working now. I disabled DNS resolver on the OPNSENSE box and spun up a pihole VM. Set that as DNS in the DHCP options and all works fine now.
«
Last Edit: October 01, 2018, 12:10:32 pm by bevigilant
»
Logged
tomrwaller
Newbie
Posts: 5
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #67 on:
August 28, 2018, 03:27:15 am »
Urgh - just migrated from pfSense and having the exact same issue.
Anyone have any update? I'm also running AirVPN in the UK. With my alias firewall rule in place, my system loses internet connectivity. When I disable the rule (and the device goes out the normal WAN rule) everything works as normal.
VPN is connected - verified in the GUI and also through the AirVPN site.
Logged
tomrwaller
Newbie
Posts: 5
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #68 on:
August 28, 2018, 11:58:27 am »
OK - it seems to be working for me now.
I had to uncheck the following settings in the OpenVPN client settings:
Don't pull routes
Don't add/remove routes
With those two settings unchecked, policy based routing works.
I'm seeing some weird issues with DNSSEC as well. For some reason, with DNSSEC enabled, some sites never resolve. As soon as I disable DNSSEC, they resolve just fine.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #69 on:
August 28, 2018, 09:18:50 pm »
If somebody can lend me an account I can try to make an official guide, but I'm not willing to pay for something I'm not using.
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
tomrwaller
Newbie
Posts: 5
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #70 on:
September 02, 2018, 02:34:31 pm »
Hi all.
Just to follow up on my previous post.
DNSSEC actually wasn't at fault. It seems that even with the VPN up and the Unbound outgoing interface set to that of the VPN WAN, DNS still resolves as if it were configured for the WAN - meaning there were DNS leaks all over the show.
I had to use a custom server option in Unbound to get this to work - far from ideal but I will wait for the fix to come in for the GUI. Just to re-iterate, this has all worked flawlessly in pfSense for years. It's a shame it is not quite the same in OPNSense.
Unbound custom server settings are (where x.x.x.x is the IP for the VPN DNS server you wish to use):
forward-zone:
    ## Fix for VPN DNS.
    name: "."
    forward-addr: x.x.x.x@53
    forward-addr: x.x.x.x@53
Logged
Wombat
Newbie
Posts: 17
Karma: 1
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #71 on:
September 05, 2018, 03:22:23 am »
First, I cannot find a "HOWTO - Routing Traffic over Private VPN" in the docs.opnsense.org site. Thought it might help me with my VPN for which I will raise a new topic.
Logged
OPNSense 18.7, Core i7-2500, 8Gb RAM, 128Gb SSD, 8 x Intel NIC.
Ian
John Beer
Newbie
Posts: 1
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #72 on:
October 02, 2018, 09:59:34 pm »
I have been banging my head against a wall trying to get an AirVPN OpnSense gateway setup to work, with the help of this thread, and I think I might have stumbled across a bug/unexpected behavior that might explain some of the problems that people in this thread are having. The problem became apparent when trying to use policy-based routing to selectively send only some LAN traffic through the VPN tunnel.
In a nutshell, OpnSense seems to set the default gateway of the VPN interface (the one displayed under System/Gateways/Single, NOT the default gateway of the linux interface ovpnc1) to the subnet mask, leading to broken policy-based routing through that interface. I have reproduced the issue on a fresh 18.7.4 install inside a virtual machine; the steps I took are as follows:
- Start with a standard OpnSense install (default LAN and WAN interfaces with default settings). Follow the guide exactly until Step 4. There, also tick the options Don't pull routes and Don't add/remove routes.
- Continue to Step 6. Then, when creating the interface assignment, set IPV4 Configuration Type to None.
- Under System/Gateways/Single, edit the newly created VPN_VPNV4 gateway and set the Gateway option to dynamic.
- Apply changes and restart the machine to make sure everything is set correctly.
- After the restart, look under System/Gateways/Single. Both the Gateway and the Monitor IP of VPN_VPNV4 are set to 255.255.255.0, as shown in the attachment.
After setting up outbound NAT for the VPN interface created in step 6, LAN packets that are sent through it via policy-based routing are routed to the 255.255.255.0 address, leading the system to silently drop them. If the gateway IP for the interface is manually set to the one pushed by the AirVPN server (as taken from the OpenVPN log file), everything works as expected and LAN traffic is successfully routed through the VPN.
The OpenVPN server attempts to push the following interface settings:
openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'
I assume the ifconfig command breaks OpnSense's parsing, leading to the subnet mask being mistaken for the gateway IP. The system interface ovpnc1 on the other hand has both its IP and gateway set correctly, as one would expect from seeing
openvpn[51343]: /sbin/ifconfig ovpnc1 10.5.10.5 10.5.10.1 mtu 1500 netmask 255.255.255.0 up
in the OpenVPN log.
Changing the IPv4 Configuration Type for the VPN interface from None to DHCP results in a VPN_DHCP interface being created instead of VPN_VPNV4, also with Gateway and Monitor IP set to 255.255.255.0.
I have not reported this as a bug as I'm not fully sure that the issue isn't with my configuration. Feel free to move the post to a better location, this thread just seemed the most relevant place to post it.
Logged
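The parsing failure suspected in Reply #72, as an added example that is not part of the original post and is not OPNsense's code: it parses the quoted PUSH_REPLY line, shows how reading the second `ifconfig` argument as the peer yields 255.255.255.0 under `topology subnet`, and derives the gateway from `route-gateway` with a netmask sanity check. All function names are this example's own, `naive_gateway` is a hypothetical illustration of the poster's assumption, and the net30 default for an unpushed topology is an assumption about OpenVPN clients of that era.

```python
import ipaddress
import re

# Constructed input: the PUSH_REPLY line quoted in the post above.
SAMPLE = ("openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,"
          "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,"
          "route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,"
          "ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'")

def parse_push_reply(line):
    """Map each pushed option name to the list of its argument lists."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    opts = {}
    for item in filter(None, (i.split() for i in m.group(1).split(","))):
        opts.setdefault(item[0], []).append(item[1:])
    return opts

def is_netmask(addr):
    """True for a contiguous IPv4 netmask such as 255.255.255.0."""
    n = int(ipaddress.IPv4Address(addr))
    inv = ~n & 0xFFFFFFFF
    return n != 0 and (inv & (inv + 1)) == 0

def naive_gateway(opts):
    """Hypothetical net30-only logic: 2nd ifconfig argument taken as the peer."""
    return opts["ifconfig"][-1][1]

def tunnel_gateway(opts):
    """Return (local_ip, gateway), honouring the pushed topology."""
    local, second = opts["ifconfig"][-1]
    # Assumption: net30 applies when the server pushes no topology option.
    topology = opts.get("topology", [["net30"]])[-1][0]
    if "route-gateway" in opts:
        gw = opts["route-gateway"][-1][0]
    elif topology == "subnet":
        raise ValueError("topology subnet: ifconfig carries a netmask, no gateway")
    else:
        gw = second  # net30/p2p: 2nd ifconfig argument is the remote endpoint
    if is_netmask(gw):
        raise ValueError(f"{gw} is a netmask, not a gateway address")
    if topology == "subnet":
        net = ipaddress.IPv4Network(f"{local}/{second}", strict=False)
        if ipaddress.IPv4Address(gw) not in net:
            raise ValueError(f"gateway {gw} is outside tunnel network {net}")
    return local, gw
```

On the quoted log line, `naive_gateway` returns the value the post saw in System/Gateways/Single, while `tunnel_gateway` returns the address that ifconfig applied to ovpnc1.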
apiods
Newbie
Posts: 36
Karma: 1
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #73 on:
October 22, 2018, 03:05:58 pm »
Hi, thanks to this thread, and information from other sources, I was able to get a VPN running as I wanted:
- Fresh install of 18.7.5_1
- LibreSSL firmware
- VPN provider: AirVPN
- Wanted to route selected hosts (on different VLANs) out via the VPN, with general traffic using the default WAN.
- DNS leak test reported ok
So far, so good
Logged
tibere86
Newbie
Posts: 10
Karma: 0
Re: HOWTO - Routing Traffic over Private VPN
«
Reply #74 on:
December 13, 2018, 07:39:55 pm »
Have these VPN routing issues been resolved? This thread has not had a lot of traffic in a couple of months. I have attempted many times to set up selective routing through PIA VPN on OPNsense without any luck.
Hoping someone will post an updated tutorial on how to accomplish this.
Logged