Sending Specific Traffic Through OpenVPN


Last updated 4 months ago

These notes use Private Internet Access (PIA) as the provider; they follow PIA's client support instructions (see References).

Certificate Authority

Download the CA certificate from the VPN provider.

For PIA it's located at https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt

Navigate to System -> Cert Manager -> CAs.

Add a new CA for PIA, pasting the certificate above into the 'Certificate data' field.

OpenVPN

Navigate to VPN -> OpenVPN -> Clients.

Add a client with the following settings.

  • Server host: nl.privateinternetaccess.com (choose from the list of available hosts; see References)

  • Protocol: UDP

  • Server port: 1198

  • Server hostname resolution: Ensure that "Infinitely resolve server" is checked.

  • User Authentication Settings: Fill the Username and Password fields with your PIA username and password.

  • TLS Authentication: Ensure "Enable authentication of TLS packets" is disabled.

  • Peer Certificate Authority: Select the PIA CA set up above.

  • Client Certificate: None (Username and/or Password required)

  • Encryption Algorithm: AES-128-CBC (128-bit).

  • Auth digest algorithm: SHA1 (160-bit).

  • Compression: Enabled with Adaptive Compression.

  • Disable IPv6: Ensure "Don't forward IPv6 traffic" is checked.

  • Custom options: Copy and paste the following into the custom options textbox. 'route-nopull' stops the client from accepting the routes pushed by the server, in particular the default route that would otherwise force ALL traffic through the VPN connection:

    persist-key;
    persist-tun;
    remote-cert-tls server;
    reneg-sec 0;
    route-nopull;

Navigate to Status -> OpenVPN and check that the client status is up.

Create Interface

Create a new interface under Interfaces -> Assign, select the OpenVPN connection as its network port, and enable it.

Create an alias named OpenVPNHosts containing the IPs whose traffic should be sent through OpenVPN.

Check "Skip rules when gateway is down" under System -> Advanced -> Miscellaneous. By default, when a rule has a specific gateway set and that gateway is down, the rule is still created and the traffic is sent via the default gateway. This option overrides that behavior: the rule is not created while the gateway is down.

Mappings

  1. Navigate to Firewall -> NAT -> Outbound.

  2. Set the Mode under General Logging Options to "Manual Outbound NAT rule generation (AON)", and click Save.

  3. Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in the list.

  4. Set Interface to "OpenVPN" and click Save at the bottom.

  5. For all interfaces to use the VPN, repeat the last two steps for every remaining rule shown under Mappings, until each rule has a duplicate for OpenVPN.

Rules

Add a firewall rule on the interface(s) whose hosts are being sent through the VPN:

  • Protocol: Any
  • Source: Single Host (or alias), OpenVPNHosts
  • Advanced: Set Gateway to the VPN gateway.

Add a second rule to block the same hosts if the VPN is down:

  • Action: Block
  • Protocol: Any
  • Source: Single Host (or alias), OpenVPNHosts
  • Advanced: Set Gateway to the VPN gateway.

With "Skip rules when gateway is down" enabled (see Create Interface above), the pass rule is not created while the VPN gateway is down, so the block rule catches the OpenVPNHosts traffic instead of letting it leak out via the default gateway.

Check IP

Check the public IP from the CLI of a host in the OpenVPNHosts alias (and from one that is not, to confirm only the selected hosts use the VPN):

curl -s checkip.dyndns.org
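As an added example that is not part of the original notes, a small POSIX shell helper that parses the reply from checkip.dyndns.org and reports whether a host is egressing through the VPN by comparing it with the firewall's WAN address; the WAN address and the sample reply are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): parse a checkip.dyndns.org
# reply and decide whether this host's traffic left through the VPN.

WAN_IP="203.0.113.10"   # constructed placeholder: your pfSense WAN address

# Constructed copy of the reply shape checkip.dyndns.org returns.
SAMPLE_REPLY='<html><head><title>Current IP Check</title></head><body>Current IP Address: 198.51.100.42</body></html>'

# extract_ip: print the dotted-quad found in a checkip reply (empty if none).
extract_ip() {
    printf '%s\n' "$1" | sed -n 's/.*Current IP Address: \([0-9.]*\).*/\1/p'
}

# vpn_egress: exit 0 when the observed address is present and differs from
# WAN (traffic used the tunnel); exit 1 when it matches WAN or is missing.
vpn_egress() {
    seen=$(extract_ip "$1")
    [ -n "$seen" ] && [ "$seen" != "$WAN_IP" ]
}

# live_check: fetch the real reply (needs network) and report the result.
live_check() {
    reply=$(curl -s checkip.dyndns.org) || return 2
    if vpn_egress "$reply"; then
        echo "egress $(extract_ip "$reply"): via VPN"
    else
        echo "egress $(extract_ip "$reply"): NOT via VPN (matches WAN or unparsable)"
        return 1
    fi
}
```

Run live_check on a host in OpenVPNHosts and on one outside the alias; only the first should report "via VPN".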

References

  • PIA client support
  • PIA available hosts
  • Tunneling Specific Traffic over a VPN with pfSense - Muffin's Lab
  • Routing SOME traffic / static IPs through OpenVPN (over PIA) - pfSense forum