Author Topic: routing certain ips through openvpn  (Read 163 times)

techy82
routing certain ips through openvpn
« on: February 06, 2018, 10:41:26 am »
Hi

When setting my pfSense box up originally I followed the pfSense guide, so all traffic is going out through PIA.

I have three interfaces set up at the moment:

LAN
WAN
and PIAVPN

I have tried removing the PIA outbound NATs, but then I cannot connect externally.

How do I set it up so I can get everything out, but pass only certain IPs through OpenVPN (PIA)?

I have followed a few guides online but they don't seem to work for me.

Any help would be much appreciated.

Thanks very much in advance!

pfImprudence
Re: routing certain ips through openvpn
« Reply #1 on: February 06, 2018, 11:38:46 am »
I don't know if I understand exactly what you want to achieve, but maybe have a look at

VPN -> OpenVPN -> Servers -> Edit -> Tunnel Settings -> IPv4 Local network(s)

Quote
IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.

If you put a comma-separated list of certain host addresses or subnets there, the VPN clients will get routes pushed to them.

For example:
192.168.1.0/24, 192.168.2.22/32

This will result in one route to the 192.168.1.0 255.255.255.0 network and one route to the 192.168.2.22 host.

Of course you have to adjust the firewall rules to allow the clients to use these routes.


[EDIT]
Sorry. I guess you want it the other way around.

So maybe have a look at:

System -> Routing -> Static Routes

There you can assign certain subnets and IPs to be routed through gateways other than the default gateway.
« Last Edit: February 06, 2018, 11:44:13 am by pfImprudence »

techy82
Re: routing certain ips through openvpn
« Reply #2 on: February 06, 2018, 12:23:01 pm »
Thanks! Everything seems to be going out via OpenVPN until I turn off OpenVPN.

If I remove the OpenVPN NAT rules the connection stops altogether.

I want everything to go straight out to the Internet apart from the devices I want to go through OpenVPN.

Thanks again

viragomann
Re: routing certain ips through openvpn
« Reply #3 on: February 06, 2018, 02:53:29 pm »
That is to be done by policy routing.
The PIA outbound NAT rule is needed, otherwise your devices won't get any response from PIA.

You have to avoid getting the default route pushed by the PIA server: go to the client settings and check "Don't pull routes".
Add the devices which should be routed out to PIA to an alias.
Add a firewall pass rule to the LAN interface with source = the alias you've added first, dest = any, go down and open the advanced options, and at gateway select the PIA gateway.
Put that rule at the top of the rule set.

Consider that this firewall rule directs any traffic from the concerned devices to PIA and permits access to the firewall itself. So if the devices should also have access to pfSense, e.g. for DNS, you have to add additional rules for that at the top of the rule set, leaving the gateway blank.
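As an added illustration (not from the thread and not pfSense's generated config), this is what Reply #3's GUI steps amount to when written by hand as pf rules: the DNS-to-firewall rule without a gateway sits above the policy-routing rule, and, going one step beyond the thread, a block rule keeps the aliased devices from falling back to the WAN when the tunnel is down. Interface names, addresses and alias members are assumed placeholders.

```pf
# Added example, hand-written pf.conf syntax; names and addresses are assumed.
lan_if  = "em1"
vpn_if  = "ovpnc1"           # PIA OpenVPN client interface (assumed name)
vpn_gw  = "10.8.0.1"         # PIA tunnel gateway address (placeholder)
lan_net = "192.168.1.0/24"

# The alias holding the devices that must go out via PIA.
table <PIA_devices> { 192.168.1.50, 192.168.1.51 }

# Outbound NAT on the VPN interface. Without it the devices' packets leave
# the tunnel with a LAN source address and PIA never answers (Reply #3).
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)

# Rule order matters: "quick" rules are evaluated first match wins.

# 1. Traffic from the alias to pfSense itself (DNS, TCP and UDP as Reply #5
#    notes) with NO route-to, so it is not pushed into the tunnel.
#    This must sit above rule 2.
pass in quick on $lan_if inet proto { tcp, udp } \
    from <PIA_devices> to ($lan_if) port 53 keep state

# 2. Policy routing: everything else from the alias goes to the PIA gateway.
#    This is the "gateway = PIA" rule placed at the top of the rule set.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from <PIA_devices> to any keep state

# 3. Catch-all so the alias cannot leave via the WAN when the tunnel is down.
#    With pfSense's default setting rule 2 is re-created without its gateway
#    when the gateway is down, so enable System > Advanced > Miscellaneous >
#    "Skip rules when gateway is down" so rule 2 is omitted and this one hits.
block in quick on $lan_if inet from <PIA_devices> to any

# 4. All other LAN hosts use the default route (WAN), as the poster wants.
pass in quick on $lan_if inet from $lan_net to any keep state
```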

techy82
Re: routing certain ips through openvpn
« Reply #4 on: February 07, 2018, 02:47:17 am »
Thank you very much, that seems to work now, but the device is leaking my ISP. What do I need to do to stop this?

I currently have the settings as shown in the pic, but I'm not sure if it is correct.

Thanks again!
« Last Edit: February 07, 2018, 03:19:31 am by techy82 »

viragomann
Re: routing certain ips through openvpn
« Reply #5 on: February 07, 2018, 03:48:28 am »
Yes, if the devices use the pfSense DNS and pfSense queries your ISP's DNS you will have a DNS leak.

To avoid that, either configure the VPN devices to use a public DNS, which is routed over the VPN, or configure the pfSense DNS to route requests over the VPN.
On pfSense, if you use the DNS Resolver you can select interfaces for outgoing requests at "Outgoing Network Interfaces". If you only select your PIA VPN interface here, requests are only sent out over the VPN.

BTW: DNS prefers UDP over TCP, but may use both. So you should change the rule to TCP/UDP.

techy82
Re: routing certain ips through openvpn
« Reply #6 on: February 07, 2018, 04:06:50 am »
Thanks again!

Yes, I use the DNS Resolver.

How would I change it so only the VPN devices would get a different DNS result to the devices that go straight out?

Does my rule look okay apart from needing to be TCP/UDP?

Thanks!!

viragomann
Re: routing certain ips through openvpn
« Reply #7 on: February 07, 2018, 04:36:35 am »
If your pfSense provides DNS service it has to make requests to public DNS servers on its part. You are able to select the interface for outgoing requests, but there is no possibility to use this interface only for certain internal devices.

So an option is to configure the "VPN devices" to use a public DNS and go over the VPN. Then you can delete the DNS rule.

techy82
Re: routing certain ips through openvpn
« Reply #8 on: February 07, 2018, 04:38:32 am »
Thanks again, how would I change the "VPN devices" to use a public DNS?

I'll delete that DNS rule I created too.

viragomann
Re: routing certain ips through openvpn
« Reply #9 on: February 07, 2018, 07:00:31 am »
In the devices' network settings.

If the devices pull their settings from the pfSense DHCP server you can set "DHCP Static Mappings" for each of them with specified DNS servers.

techy82
Re: routing certain ips through openvpn
« Reply #10 on: February 07, 2018, 08:09:14 am »
Thanks!

One of the devices I want to add has a static IP set on it, but it doesn't show in the DHCP table; the other device also has a static IP address and this shows in the DHCP table.

Does it only work if DHCP is automatic and not manually set?

Any ideas?
« Last Edit: February 07, 2018, 08:28:52 am by techy82 »

techy82
Re: routing certain ips through openvpn
« Reply #11 on: February 07, 2018, 09:20:18 am »
I think I have worked it out: I set them to assigned instead of static, added the static leases in pfSense, and they seem to be applying okay.

I have two DNS servers set on the static leases, but when I run a leak test four are showing. Why does this happen?

Thanks again!