Selective Routing to External OpenVPN Provider

[BondiBlueBalls]

Hey there,

So I've been following a few tutorials, but keep running into the same issues when attempting to set up a permanent gateway to Private Internet Access' OpenVPN service. So far I've used these tutorials:

• https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
• https://forum.opnsense.org/index.php?PHPSESSID=dd6iudnprh2mt80jgt9p3k4erq&topic=4979.msg19771
• https://www.privateinternetaccess.com/helpdesk/guides/routers/pfsense-2-4-5-openvpn-setup

None of the above tutorials get me where I need to be, but each seems to have some pieces that seem appropriate.

I've LOVE it if I could kinda roll through this step by step with someone. It's hard to ask the right questions at a place like Reddit for situations like this, so I was hoping this forum may be more appropriate.

So first things first, I started off by creating an OpenVPN client using steps 1 and 2 here:
https://www.privateinternetaccess.com/helpdesk/guides/routers/pfsense-2-4-5-openvpn-setup

Without the rest of the steps, when I turn on the client, my access to the internet dies. I can reach anything on my internal network, but nothing external. I assume this is expected without the appropriate firewall rules, right? Thoughts?

Thank you!

[Home Network Guy]

I personally haven't set up my OPNsense as a client to an external VPN service such as PIA, but it is certainly on my todo list to write about. There is enough interest in the topic, and I would want to see what I could learn along the way that I could share with others.

That said, I think that you may need to do that 3rd step in the pfSense documentation to add the outbound NAT rule. That is similar to how you need the outbound rule for running your own OpenVPN server so communication can occur between your network and your clients.

You will have to set your interfaces to use the VPN as the gateway so you can have some networks on the VPN and some that are not if you so desire.

I haven't gone through the entire process yet but I think that may be the general idea. I hope tot dig into it more when I get some time to work on it.

Thanks for posting this on the forum! I am hoping others with more knowledge in areas I haven't explored deeply will chime in with more information. It is why I established a forum rather than just rely on page comments (since it's harder to work through issues).

If the amount of feedback continues to grow in the future, it could get to the point where it will be too time consuming to respond to every single question. I get questions via email, Disqus comments, and the occasional forum post.

[BondiBlueBalls]

Hey there. Sorry I haven't replied in a while. Home networking isn't always a priority in the summer.

So regarding this step:

You will have to set your interfaces to use the VPN as the gateway so you can have some networks on the VPN and some that are not if you so desire.

I was able to solve my first issue where enabling the VPN killed my internet access by checking the "Don't add/remove routes" box in the VPN client setup. Assuming this is correct, I went to the next step of assigning the new "ovpnc2" network port to an interface I called "WAN_PIA". When enabling this new interface, two new gateways are created, "WAN_PIA_VPNV6 (active)" and "WAN_PIA_VPNV4". In the "WAN_PIA" interface, I have both IPv4 and IPv6 config types set to none. Where do these new gateways come from? Why is IPv6 active, but not IPv4?

So ya, that's kinda where I am. Does this issue ring a bell? Did I miss a step or do something wrong? Is it even an issue?

I'm happy to be a guinea pig for your potentially new article, and thanks again for any potential help!

[Criss]

Hello,

I am trying exactly the same to accomplish selective routing with OpenVPN Provider. Actual all Clients are connected via VPN, but i would like to exclude now some Clients from VPN to send them over the ISP Connection.

I have under OpenVPN - Clients "Dont add/remove routes" Disabled, so all Clients are connected via VPN. If i Enable "Dont add/remove routes", then all Clients connect via ISP Connection..

@Dustin, this would be a great Topic for a new Article

Thx

[Criss]

I get my selective Routing now working with the Help of this Guide here

https://community.spiceworks.com/how_to/177167-policy-based-routing-via-vpn

best regards

[BondiBlueBalls]

Nice! I haven't seen that tutorial yet. I'll give it a try tonight. Thanks much for following up!

[BondiBlueBalls]

@criss, when you got to the DNS Config section, did you follow the tutorial as written? Were you already using Unbound, or another solution? I've disabled Unbound due to using Pi-hole. It seems like I should just follow as written since it wants us to set the Outgoing Network Interfaces to the VPN interface. Does that mean Unbound will only be used for the VPN interface?

Thoughts? Thanks!

[Home Network Guy]

I get my selective Routing now working with the Help of this Guide here

https://community.spiceworks.com/how_to/177167-policy-based-routing-via-vpn

best regards

Thanks for providing a link to help resolve the issue especially since I don't have a lot of experience with this yet, but I do want to experiment with connecting to external VPNs to help others get their VPN set up even if I do not plan to use a VPN for my own network.