Policy Based Routing for Sending Traffic over VPN

Started by ati, Today at 06:41:51 PM

I have been using OPNsense for a while now and have gotten many things configured, including a site-to-site WireGuard VPN to another OPNsense box as well as client WireGuard tunnels, successfully.

I am trying now to make an 'always on' VPN using ExpressVPN via OpenVPN for a specific VLAN. I am using this guide so far: https://www.youtube.com/watch?v=wDEHo9XJjeA

  • I have gotten the OpenVPN connection established (at least the status is connected).
  • I added a new interface for the OpenVPN connection and enabled it.
  • My gateway table has updated with 2 new routes for the OpenVPN connection (one IPv6 and one IPv4); the IPv6 connection says active for some reason.
  • I enabled route-nopull in my OpenVPN configuration, so there is no route in my routing table for that connection.

Then things started to fall apart for me. I am testing right now, so I am trying to make a single client 'take the VPN path', so instead of using an alias as in the video I am using a single host IP.
  • I added a firewall rule on the interface the device is connected to. It forces all traffic from that one source IP to use the OpenVPN interface as its gateway.
  • I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the OpenVPN interface as its gateway.

When I do all that I cannot ping anything anymore. I have been using 8.8.8.8 to eliminate any DNS issues as well.

I am not really sure where to even begin looking at logs or how to troubleshoot this. The firewall rules seem pretty simple in the way they operate, but I am not sure if it is the firewall, OpenVPN, NAT rules, or the gateway/route configuration.

Quote from: ati on Today at 06:41:51 PM
I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the OpenVPN interface as its gateway.

An outbound NAT rule doesn't force any traffic to anywhere. It just translates the source IP in outbound packets on an interface to any other.
For this to work properly you have to select the interface as translation address.

Did you add this rule to the OpenVPN interface, which you have created before?

If it's not that, please give more details on your rules.

Quote from: viragomann on Today at 07:12:17 PM
Quote from: ati on Today at 06:41:51 PM
I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the OpenVPN interface as its gateway.

An outbound NAT rule doesn't force any traffic to anywhere. It just translates the source IP in outbound packets on an interface to any other.
For this to work properly you have to select the interface as translation address.

Did you add this rule to the OpenVPN interface, which you have created before?

If it's not that, please give more details on your rules.


I am not sure I follow exactly.
These are my two rules I have created:

This rule is on the network interface (WIRELESS net, 192.168.20.0/24) that the device (192.168.20.75) I want to take the VPN is on:


This rule is on the NAT > Outbound manual rules:


Those are the only 2 firewall/NAT rules I created following the YouTube guide.


Looks fine so far. Should work at least for IPs.
So for testing just ping 1.1.1.1 or 8.8.8.8 from the concerned device.

Check if the ExpressVPN gateway state is online in System: Gateways: Configuration.

Enable logging on the firewall rule and check in the live log whether it is applied, after pinging.

Quote from: viragomann on Today at 08:10:10 PM
Looks fine so far. Should work at least for IPs.
So for testing just ping 1.1.1.1 or 8.8.8.8 from the concerned device.

Check if the ExpressVPN gateway state is online in System: Gateways: Configuration.

Enable logging on the firewall rule and check in the live log whether it is applied, after pinging.

I have been trying to ping 8.8.8.8 and nothing.

The gateway is listed as a gateway.


When I look in the live firewall view and filter on the IP (192.168.20.75) I don't know how to tell if it is working.

When I ping my default gateway I can see the ICMP packet pass. But how can I tell that the rule for the gateway is applied? When I ping 8.8.8.8 I don't see any deny or anything.
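One way to answer that last question from the OPNsense shell, as an added example that is not part of this thread and not OPNsense's own code: look at the pf state table instead of the live log. A flow that was policy-routed and source-NATed out of the VPN shows up as two states, one on the ingress VLAN interface without translation and one on the VPN client interface with the original host address in parentheses; if the second state sits on the WAN interface instead, the route-to rule did not apply, and if there is no second state at all, the outbound NAT on the VPN interface is the first thing to check. The script below parses `pfctl -ss` output (same data as Firewall: Diagnostics: States in the GUI). The interface names vlan20, ovpnc1 and igb0, the 10.8.0.2 tunnel address and the sample state lines are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, not OPNsense code).
# Reads `pfctl -ss` output and reports which interfaces hold states for one
# source host, so you can see whether its traffic left through the VPN
# interface or through the default WAN.
#
# Assumed line format (FreeBSD/OPNsense `pfctl -ss`, IPv4 only here):
#   <iface> <proto> <src[:port]> [(<pre-NAT src[:port]>)] -> <dst[:port]> <state>
# Interface names vlan20, ovpnc1 and igb0 are assumptions for this example.

# Constructed sample: a ping from 192.168.20.75 that entered on the VLAN
# interface, was route-to'd and source-NATed out of ovpnc1 (two states:
# ingress without NAT, egress with the original host in parentheses), plus
# an unrelated host (192.168.20.40) leaving via the normal WAN (igb0).
SAMPLE_STATES='vlan20 icmp 192.168.20.75:1 -> 8.8.8.8:1       0:0
ovpnc1 icmp 10.8.0.2:1 (192.168.20.75:1) -> 8.8.8.8:1       0:0
igb0 tcp 203.0.113.5:51000 (192.168.20.40:51000) -> 1.1.1.1:443       ESTABLISHED:ESTABLISHED
vlan20 udp 192.168.20.75:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE'

# state_ifaces SRC_IP [DST_IP]
# Print, one per line and sorted, every interface that has a state whose
# pre-NAT or post-NAT source address is SRC_IP (optionally only to DST_IP).
state_ifaces() {
    awk -v src="$1" -v dst="${2:-}" '
    {
        s = $3; sub(/:.*/, "", s)          # post-NAT source, port stripped
        o = ""
        if ($4 ~ /^\(/) {                  # "(orig:port)" = pre-NAT source
            o = $4; gsub(/[()]/, "", o); sub(/:.*/, "", o)
        }
        d = ""
        for (i = 1; i <= NF; i++)          # destination is the token after "->"
            if ($i == "->") { d = $(i + 1); sub(/:.*/, "", d) }
        if ((s == src || o == src) && (dst == "" || d == dst)) print $1
    }' | sort -u
}

# vpn_egress SRC_IP VPN_IF [DST_IP]
# Succeed (exit 0) only if SRC_IP has a state on VPN_IF: that is the sign
# that the route-to rule plus the outbound NAT on the VPN interface applied.
vpn_egress() {
    state_ifaces "$1" "${3:-}" | grep -qx "$2"
}

# On a live OPNsense box replace the sample with:  pfctl -ss | state_ifaces 192.168.20.75
printf '%s\n' "$SAMPLE_STATES" | state_ifaces 192.168.20.75 8.8.8.8
if printf '%s\n' "$SAMPLE_STATES" | vpn_egress 192.168.20.75 ovpnc1 8.8.8.8; then
    echo "192.168.20.75 -> 8.8.8.8 is leaving via ovpnc1 (policy route applied)"
else
    echo "no state for 192.168.20.75 on ovpnc1: check the route-to rule and the NAT on ovpnc1"
fi
```

Run it while the ping to 8.8.8.8 is going, since states expire once the traffic stops. Seeing only the vlan20 state means the packet entered but never got a matching egress state, which points at the route-to rule or the outbound NAT on the VPN interface rather than at the client; a state on igb0 with 192.168.20.75 in parentheses means the host is still using the default gateway, which is usually a rule-order problem (a broader rule above the policy-routing rule matching first).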