Tunneling Specific Traffic over a VPN with pfSense

Recently I stumbled on a post in /r/sysadmin by /u/ThatOnePrivacyGuy with a spreadsheet he had put together comparing a load of VPN services; you can find it here.

This got me thinking. My automated downloads crunch through terabytes of data every month on a home connection, and if my ISP were to look into it the picture would not be flattering: my flatmate constantly has torrent connections open, and Sonarr and CouchPotato download via torrents and NZBs, so there is a lot of traffic I would like to keep away from my ISP. Thanks to that spreadsheet I found a service that looked perfect for me, vpn.ac.

This post has had a fair bit of attention after almost a year, and I'm grateful for that. If you end up signing up for VPN.ac (who are still kicking ass, by the way) my affiliate link is here. No pressure; it just helps me out if I helped you out.
Cheers, MM~~

They offer a week's trial for $2, which I took to test it out, intending to buy a year if it worked well. Here is what I did to send only selected traffic over the tunnel.
This is easy enough with most providers if you just install their client on a host, but that tunnels all of that host's traffic, which is no good for me: I wanted only my downloads to go over the VPN and everything else to keep going out over my WAN. It turns out this is straightforward in pfSense, as long as the provider allows OpenVPN connections, because pfSense can policy-route traffic per firewall rule.

The setup follows these steps:

  • Set up the VPN connection inside pfSense
  • Set up an interface on that VPN connection
  • Set up a gateway on that interface
  • Add outbound NAT rules so the chosen VLANs can leave via the VPN
  • Add firewall rules that send the chosen traffic into the tunnel
  • Test the tunnel

So let’s get stuck in.

VPN Setup:

I won't cover the OpenVPN client setup in pfSense in detail because it varies between providers, and yours should have a tutorial for it. For me it was easy enough: all I had to do was add a CA (System > Cert Manager > CAs) containing my provider's certificate, as follows:

[Screenshot: the provider's CA certificate added in pfSense]

After that, under VPN > OpenVPN > Client, create a new client with the details from your provider; this is where you pick which server to connect to. My provider has "p2p optimized" nodes, so I pointed the client at one of those, the closest to me being in the Netherlands.

[Screenshot: OpenVPN client settings with the provider's server and credentials]

The tunnel settings were also supplied by the provider, with one addition of my own: route-nopull. I put it in the advanced options box, but the "Don't pull routes" checkbox in the client settings sets the same directive ("Don't add/remove routes" is route-noexec, which also does the job here). The reason it matters is that when the client connects, the provider pushes a redirect-gateway option, and without route-nopull OpenVPN will dutifully install it as pfSense's new default route, so all of your traffic goes over the pipe regardless of your firewall rules. The first time I did this I left the option out and exactly that happened, so make sure you add it or you'll end up with a mess.

[Screenshot: tunnel settings with route-nopull in the advanced options]
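To make the route-nopull point concrete, here is an added example (not code from the post, OpenVPN or pfSense) that models how an OpenVPN client treats the options a server pushes on connect, with and without route-nopull or route-noexec in the client config. The provider-style config, the PUSH_REPLY log line, the hostname vpn.example.net and the 10.8.0.0/24 addresses are all constructed placeholders.

```python
"""Why 'route-nopull' matters: a model of how an OpenVPN client handles the
routes a server pushes on connect.

Added example, not OpenVPN's or pfSense's code. It reproduces the documented
effect of the client directives route-nopull and route-noexec on pushed
options so you can see what happens with and without the line this post adds.
The provider config and the PUSH_REPLY log line below are constructed; the
hostname vpn.example.net and the 10.8.0.0/24 addresses are placeholders.
"""
import shlex

# Pushed options that would change the routing table if executed.
ROUTE_OPTIONS = {"route", "route-ipv6", "redirect-gateway", "redirect-private"}


def parse_directives(config_text):
    """Return (directive, args) pairs from OpenVPN config text, skipping
    blank lines, '#'/';' comments and inline <ca>...</ca> style blocks."""
    directives = []
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):       # end of an inline file block
            in_block = False
            continue
        if line.startswith("<"):        # start of an inline file block
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def parse_push_reply(log_line):
    """Split the server's PUSH_REPLY (as logged by the client) into options."""
    body = log_line.split("PUSH_REPLY,", 1)[1].rstrip("'")
    return [opt.strip() for opt in body.split(",") if opt.strip()]


def installed_routes(client_config, push_reply_line):
    """Pushed routing options this client would actually install.

    Default ('client' implies 'pull'): every pushed route and redirect-gateway
    is installed. route-noexec: routes are accepted but never executed.
    route-nopull: routes (and dhcp-options) are ignored outright. Either one
    therefore stops the provider's redirect-gateway from replacing pfSense's
    default route, leaving the firewall's policy routing in charge.
    """
    names = {name for name, _ in parse_directives(client_config)}
    if names & {"route-nopull", "route-noexec"}:
        return []
    pushed = parse_push_reply(push_reply_line)
    return [opt for opt in pushed if opt.split()[0] in ROUTE_OPTIONS]


def default_route_replaced(client_config, push_reply_line):
    """True when connecting would hijack the default route, i.e. the
    'everything goes over the pipe' failure described in the post."""
    return any(opt.startswith("redirect-gateway")
               for opt in installed_routes(client_config, push_reply_line))


# Constructed config in the shape providers hand out (certificate omitted).
PROVIDER_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
verb 3
<ca>
(certificate body omitted)
</ca>
"""

# The same config with the one line this post adds in the advanced options.
SPLIT_CONFIG = PROVIDER_CONFIG + "route-nopull\n"

# Constructed PUSH_REPLY in the shape the OpenVPN client logs on connect.
PUSH_REPLY = ("PUSH: Received control message: 'PUSH_REPLY,"
              "redirect-gateway def1,route 10.8.0.1,"
              "dhcp-option DNS 10.8.0.1,ifconfig 10.8.0.6 10.8.0.5'")

if __name__ == "__main__":
    for label, cfg in (("provider config", PROVIDER_CONFIG),
                       ("with route-nopull", SPLIT_CONFIG)):
        print(f"{label}: installs {installed_routes(cfg, PUSH_REPLY)}; "
              f"default route replaced: {default_route_replaced(cfg, PUSH_REPLY)}")
```

Run it as is and the provider config installs both "redirect-gateway def1" and the pushed route, which is the state the first attempt in this post ended up in; the copy with route-nopull installs nothing, and pfSense's own gateway and rules decide what crosses the tunnel.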

Once that is saved, Status > OpenVPN should list the connection with status "up", which means we are connected to the provider.

[Screenshot: Status > OpenVPN showing the client as up]

Interface and Gateway Setup:

Next we need an interface for the connection and then a gateway on that interface; both are simple.

Head over to Interfaces > Assign, click the '+' icon and set the network port to your OpenVPN client. (Yours won't have a name yet like mine does; that comes next.)

[Screenshot: Interfaces > Assign with the OpenVPN client as the network port]

Click on the newly created interface, enable it and give it whatever name you like, then save.

[Screenshot: the new interface enabled and named]

Now that we have an interface for the VPN connection, head over to System > Routing, click '+' to add a gateway and edit it.
Name it anything you like and set the interface to the one we just created. The gateway address and monitor IP come from your provider. One thing to be aware of: pfSense adds a static route for the monitor IP via this gateway so that its monitoring pings always cross the tunnel, so pick an address you don't mind always reaching through the VPN (the far end of the tunnel or a provider DNS server is the usual choice).

[Screenshot: System > Routing gateway on the VPN interface]

Save that. At this point you are ready to create the firewall rules. The issue I hit here was that nothing worked at first, which was really frustrating; it turned out pfSense had not given this gateway a valid address and routes straight away, nor after resetting firewall states. I would recommend a reboot here, as that was the only thing that made the next few steps work for me.

Adding NAT Rules:

The next thing we need is outbound NAT rules so that traffic can leave via the new gateway. This is done from Firewall > NAT > Outbound.

If you have Automatic outbound NAT enabled you need to switch to Manual or Hybrid; I prefer Hybrid, which keeps the automatic rules and lets you add your own on top. Find the rule that lets the devices you want to tunnel out to the internet; it is most likely "Auto created rule – LAN to WAN".

[Screenshot: Firewall > NAT > Outbound in hybrid mode]

Click the highlighted '+' button, which creates a new rule based on that one. Change the interface to your VPN interface, change the description and save. Without this rule pfSense would send the traffic into the tunnel with its private LAN source address and nothing would come back: the symptom is firewall log entries showing the traffic passed but connections that never complete.

[Screenshot: outbound NAT rule copied onto the VPN interface]

Do this for every subnet that needs to go out over the VPN. At the end you should have something like this:

[Screenshots: the resulting outbound NAT rules for each subnet, on WAN and on the VPN interface]

Adding the Firewall rules:

For me this had to be fairly fine-grained, as I only wanted download traffic from specific hosts to go out of the VPN rather than all the traffic from those hosts; that is done with source and destination addresses and ports.
If you want to send all the traffic on a subnet through the tunnel, go to Firewall > Rules > the interface you want to tunnel > Add a new rule:

[Screenshot: pass rule with the gateway set to the VPN gateway]

That rule sends all traffic entering that interface into the VPN tunnel. Make sure the 'Gateway' option (in the rule's advanced options) is set to your VPN gateway, and that the rule sits above any other rule that lets those hosts out to the internet: pfSense evaluates interface rules top to bottom and the first match wins, so this rule has to be hit before the default allow. Also decide what should happen when the tunnel is down. By default pfSense drops the gateway from a rule whose gateway is down and the traffic falls back to the default route, i.e. straight out of the WAN. If you would rather it fail closed, tick "Skip rules when gateway is down" under System > Advanced > Miscellaneous and put a block rule for those hosts between this rule and your default allow, so the only pass rule they can match is the one that goes via the tunnel.

If you don't want to send all the traffic, like me, you can do what I did. I tackled my torrent client first. I know it uses port 56019 (set manually by me), so I created the following rule on the interface where that host lives:

[Screenshot: rule matching source MUFFSTORE01, source port 56019, gateway set to the VPN]

This rule works because my torrent client talks from port 56019 on the host MUFFSTORE01, and I placed it above my default allow-all rule. One caveat: a source-port match only catches connections that actually leave from that port. Many clients listen on the configured port but open outgoing peer connections from ephemeral ports unless told otherwise, and those would miss this rule, hit the default allow and leave via the WAN. If you see that happening, either make the client use the fixed port for outgoing connections as well, or match on the host rather than the port.

Next was Usenet. Usenet is NNTP, normally TCP 119 or 563 for NNTP over TLS, but many providers also accept connections on ports such as 80 and 443 to get through restrictive networks, so a port-based rule would either miss those or, for 443, drag all of the host's HTTPS into the tunnel. Instead I matched the providers themselves. I use two Usenet providers, Eweka and UsenetServer. In my NZB client I looked at the hosts I was connecting to and they were the following:

  • newsreader108.eweka.nl
  • secure.usenetserver.com

A quick nslookup shows the IPs of these servers:

[Screenshot: nslookup output for the two Usenet hosts]

Create an alias under Firewall > Aliases with any name you like containing the IPs of your Usenet providers. Aliases can also hold the hostnames themselves, which pfSense re-resolves periodically; that is worth doing if your provider's addresses ever change, because a stale IP in the alias means that traffic silently falls through to your default allow rule and leaves via the WAN.

[Screenshot: alias containing the Usenet provider addresses]

After that it's as simple as creating a rule at the top of the relevant interface with the host as the source and your Usenet alias as the destination. Source and destination ports can both be "any", and once again the rule must sit above any other rule that would catch internet traffic from this host.

[Screenshot: rule matching the source host and the destination alias, gateway set to the VPN]

If you want to see it working straight away, create a rule on top that sends HTTP(S) from one of your hosts to the VPN gateway. I did this:

[Screenshot: HTTP(S) test rule for one host]

After all your rules are in place, head over to Diagnostics > States > Reset States and reset them. After any firewall change that involves a gateway I do this before checking whether anything worked, because existing states keep their old path and in my experience it will not. The pfSense WebGUI may hang when you do this; routing comes back in a few seconds and the GUI within a minute, so don't panic.
Once you're done, go to a host you configured and start downloading something. I went to the host I was tunneling HTTP(S) for and used my favourite IP checker to see the result, and:

[Screenshot: IP checker showing the VPN provider's address]

Success! Testing the torrents and NZBs was pretty simple. Add the VPN interface to your dashboard under Traffic Graphs and start downloading something. If you see traffic leaving that interface you know it's working. Here you can see I started downloading an NZB and the VPN interface's graph matched the traffic the application was using. As intended, only the Usenet and torrent traffic goes that way; browsing the web still shows my WAN IP. One thing to keep in mind: DNS lookups from those hosts still go wherever they normally do (for most setups, pfSense over the WAN) unless you point them elsewhere, so your ISP can still see the names being resolved even though the downloads themselves are hidden.

[Screenshot: dashboard traffic graphs for the VPN interface]
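Traffic graphs show that something is going through the tunnel, not that the right things are. A stricter check is to look at pfSense's state table: run `pfctl -ss` on the box (Diagnostics > Command Prompt, or over ssh) and compare each live flow against the policy. The following is an added example, not code from the post or from pfSense; the interface names em0 and ovpnc1, the 192.168.2.0/24 LAN, the policy entries and the sample state lines are all constructed, and it handles IPv4 only.

```python
"""Audit pfSense's state table against a split-tunnel policy.

Added example, not from the original post. On the pfSense box, run
`pfctl -ss` (Diagnostics > Command Prompt, or over ssh) and feed the output
to audit_states(): it reports flows the policy says should be tunnelled but
which left via the WAN (leaks), and flows in the tunnel that no rule asked
for. The interface names, the LAN subnet, the policy and the sample state
lines are all constructed for the example; IPv4 only.
"""
import ipaddress
import re

WAN_IF = "em0"       # assumption: WAN interface
VPN_IF = "ovpnc1"    # assumption: the assigned OpenVPN client interface
LAN_NETS = [ipaddress.ip_network("192.168.2.0/24")]   # assumption

# Hypothetical policy mirroring the post's rules: torrent client matched on
# its fixed source port, Usenet matched on the destination alias.
POLICY = [
    {"name": "torrent", "src": "192.168.2.10", "sport": 56019},
    {"name": "usenet", "src": "192.168.2.10", "dst": {"203.0.113.10", "203.0.113.11"}},
]

# One `pfctl -ss` line: interface, protocol, source, optional second source
# endpoint in parentheses (present when the flow was NATed), '->',
# destination, state. Which of the two source endpoints is the pre-NAT one
# is resolved in pre_nat_source() rather than assumed from the print order.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<ep1>\S+)"
    r"(?:\s+\((?P<ep2>\S+)\))?\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def split_endpoint(ep):
    ip, port = ep.rsplit(":", 1)
    return ip.strip("[]"), int(port)


def pre_nat_source(ep1, ep2):
    """Pick the source endpoint that is inside the LAN: that is the address
    the firewall rule matched on, whichever order pfctl printed them in."""
    for ep in (ep1, ep2):
        if ep is None:
            continue
        ip, _ = split_endpoint(ep)
        if any(ipaddress.ip_address(ip) in net for net in LAN_NETS):
            return ep
    return ep1


def parse_state(line):
    m = STATE_RE.match(line)
    if not m:
        return None
    sip, sport = split_endpoint(pre_nat_source(m.group("ep1"), m.group("ep2")))
    dip, dport = split_endpoint(m.group("dst"))
    return {"iface": m.group("iface"), "proto": m.group("proto"),
            "sip": sip, "sport": sport, "dip": dip, "dport": dport}


def rule_matches(rule, st):
    if st["sip"] != rule["src"]:
        return False
    if "sport" in rule and st["sport"] != rule["sport"]:
        return False
    if "dst" in rule and st["dip"] not in rule["dst"]:
        return False
    return True


def audit_states(pfctl_output, policy=POLICY, wan_if=WAN_IF, vpn_if=VPN_IF):
    """Return (leaks, unexpected): policy flows seen on the WAN, and
    non-policy flows seen in the tunnel. LAN-side copies of each state and
    lines that are not states are ignored."""
    leaks, unexpected = [], []
    for line in pfctl_output.splitlines():
        st = parse_state(line)
        if st is None or st["iface"] not in (wan_if, vpn_if):
            continue
        wanted = any(rule_matches(r, st) for r in policy)
        if wanted and st["iface"] == wan_if:
            leaks.append(st)
        elif not wanted and st["iface"] == vpn_if:
            unexpected.append(st)
    return leaks, unexpected


# Constructed sample in the shape of `pfctl -ss` output.
SAMPLE_STATES = """\
em1 tcp 192.168.2.10:56019 -> 203.0.113.7:6881       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:56019 (192.168.2.10:56019) -> 203.0.113.7:6881       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:51022 (192.168.2.10:51022) -> 203.0.113.10:563       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.2:49152 (192.168.2.10:49152) -> 203.0.113.11:563       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.2:40001 (192.168.2.10:40001) -> 192.0.2.50:6881       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:44000 (192.168.2.30:44000) -> 192.0.2.80:443       ESTABLISHED:ESTABLISHED
em0 udp 198.51.100.2:53210 (192.168.2.20:53210) -> 198.51.100.1:53       MULTIPLE:SINGLE
"""

if __name__ == "__main__":
    leaks, unexpected = audit_states(SAMPLE_STATES)
    for st in leaks:
        print(f"LEAK via {st['iface']}: {st['sip']}:{st['sport']} -> {st['dip']}:{st['dport']}")
    for st in unexpected:
        print(f"UNEXPECTED in tunnel: {st['sip']}:{st['sport']} -> {st['dip']}:{st['dport']}")
```

On the constructed sample it flags one leak (a Usenet connection to 203.0.113.11 that left via em0, the kind of thing a stale alias entry produces) and one unexpected tunnelled flow from 192.168.2.30, which is what a missing route-nopull or a rule with too broad a source looks like. The em0 line from 192.168.2.10 port 40001 to a peer on 6881 is not flagged because the policy only knows the fixed source port, which is exactly the ephemeral-port gap mentioned earlier; add a host-only entry to POLICY if you decide to route the whole host instead.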

And there you have it: with fine-grained firewall rules you can tunnel as little or as much of your internet traffic over a VPN as you like using pfSense. I live in London, and downloading through the Netherlands servers that VPN.ac provides I was able to saturate my download speed, which is a huge win. Obviously your mileage may vary depending on a number of factors, but with so many providers offering cheap trials it's worth a try.

I hope this was helpful, and good luck! MM~~

34 thoughts on “Tunneling Specific Traffic over a VPN with pfSense”

  1. Great, thanks for sharing! One other way you could test if the rules are working is by doing a traceroute from a host the rules apply to.

    1. Well, this would only be a valid test if you were forwarding the entire machine, else you would need to add ICMP to the forwarding rule.

  2. How is the VPN.ac working for you? I am considering switching after looking at the charts.

    1. It’s working out pretty great actually! Not noticed any slowdowns in my downloading and the peace of mind is nice. The VPN is also great to use on the go when I’m abroad far away from my lab as they have servers in many places.

  3. I can set a rule that sends all traffic from one static IP out through my VPN successfully, but when I specify a port (my torrent client) it seems to just ignore the rule. Any ideas why this happens?

    1. I am having the same problem. Copied your setting with vpn.ac, it works if I set to pass all traffic through the VPN, but not with specific ports. I noticed the difference in the screenshots, one has LAN and other has SERVERBVLAN as interface. Is this significant? Or any suggestions?

      1. I’m getting the same results, works fine when all traffic goes through it, but if I set it to use ports then it just ignores the rule. Did you ever find a solution?

  4. THANK YOU for the amazing writeup. I’ve seen similar writeups elsewhere, but this is quite thorough and detailed. All that said, I’m hitting a wall here. I’m also a VPN.ac user and I’ve followed this all exactly, VPN link is up, but as soon as I add the LAN rule, network connectivity fails from the specific host. I can see the logged requests getting a PASS in the firewall system log, but there’s no response. It’s as if there’s something funky with NAT. Any ideas where/how to troubleshoot?

    1. Hi Darren, have you ensured you added a NAT rule for the subnet to use the VPNAC gateway?

      If you need some help feel free to PM me on discord at MonsterMuffin#3820

      1. I solved it. Turns out if I enable compression traffic doesn’t flow. Set compression to “none specified” and everything works like a charm. Also notable that “Encryption Algorithm” for me is AES-256-CBC and “Auth digest algorithm” is SHA512. Thanks again for the instructions!

        1. Huh, I’ve never seen that before, good to know.

          Glad to see you got it fixed though, enjoy!

          1. OK, so now I’m trying to get tricky and things aren’t playing nicely. My goal is to run 2 VPN connections to VPN.ac: 1 to some far flung part of the world for the kind of traffic described in your sample here, and a second connection to a local server for all regular traffic, just for privacy’s sake. The good news: I can get them both working successfully! However, as soon as I flip on the LAN pass rule to redirect the traffic for all DHCP clients to run through the 2nd VPN, all of my inbound NAT port forwarding rules to my server (not in the DHCP block) stop working completely. Basically, as soon as I enable the pass rule for the 2nd VPN, I can no longer access my server remotely. If I disable that rule and flush the states, they start working again. Thoughts?

  5. Wow – you know your stuff when it comes to PFsense. Well done.

  6. Great article and site. Kudos.

    Question I was researching is along this same topic (and split tunnel) for VPN.

    OpenVPN (PIA) is working sweet on my pfsense box. I am having a problem with our new Toy (Amazon Fire TV), and Playstation Vue, which is zip code specific.

    Do you suggest I put a static IP on the AFT, Roku, etc. and route them through my pfSense OpenVPN with exceptions? Examples?

    1. Pretty much. I’ll be making a new post soon detailing this process in light of recent security clusterfucks that governments are bringing down.

      You can either route the static IPs via your main connection, or set the destination IPs in an alias and set those IPs to go via the normal gateway.

      I do this for iPlayer so any device in the house can still access iPlayer whilst all other traffic is tunneled via Amsterdam.

      1. If you could, please post details regarding this. My desire would be to have certain destination IP’s go around the VPN Tunnel. Any help with that would be very much appreciated.

      2. Not entirely sure how possible this would be, but what about doing this at layer 7 and allowing a particular application to bypass the VPN rule?

        1. Did you get to write this up yet? It’s exactly what I want to setup but keep hitting issues!

  7. Having a strange issue when i try to add the firewall rule. When trying to select the “VPN” gateway from the drop down menu, I don’t have the option to select my VPN gateway. The only one in the list is my “default” gateway.

  8. This blog post is awesome, but it doesn’t seem to work for ipsec. Any tips on an equivalent goal with ipsec?

    I have a site-to-site ipsec VPN where I want to send everything but the local subnet over the VPN. If I follow along, I don’t have a way to add an interface on the interface assignments tab with ipsec; there isn’t an add or plus icon with pfsense 2.4. So I’m unable to create the VPN gateway that would eventually allow me to create firewall rules customized for the proper gateway (VPN or not).

    Currently, my site to site works great, but all my local private traffic “breaks” once I connect to site B. After connection, I have no connectivity to site A.

  9. This is easier to follow, more clear and concise than the vast majority of pfSense guides I’ve encountered. Kudos.

  10. I was able to take your guide and modify it a bit to send traffic based on LAN IPs rather than ports. It seems to work except for some reason when I want to have a port open, I can’t seem to get it to work. When I check to see if my ports are forwarded correctly on the clients that are set to use the VPN, it appears as though I’m behind a firewall. Is this normal? The only setting I couldn’t set was the “Monitor IP” for the gateway because my VPN provider doesn’t specify what this should be. Could this be why no clients can connect directly to my PC in the LAN?

  11. I looked up vpn.ac and they don’t seem to support port forwarding. How did you resolve this?

    I have PIA at the moment. And if I just port forward without using their proper way of doing it, it will not work.

    So I am guessing your torrent client would say the port is not open?

  12. Hi
    I want forward 5060 port to my pfsense via vps openvpn server. I add vpn client to pfsense and able to forward tcp port but no udp sip port. Here is my iptables commadn at centos openvz vps.
    iptables -t nat -A PREROUTING -p udp --dport 5004:5082 -j DNAT --to-destination 10.8.0.2
    iptables -t nat -A PREROUTING -p udp --dport 10000:65000 -j DNAT --to-destination 10.8.0.2
    iptables -t nat -I POSTROUTING -d <vps ip> -j SNAT --to 10.8.0.2

  13. Thanks for this. I’m looking to switch VPNs so that I can accomplish this. I tried creating a P2P only tunnel with AirVPN’s Eddie, but it relies on launching .bat files in conjunction with the client, and the overall operation is problematic and inconsistent for several reasons – AirVPN’s standard recommendation is “run a VM”.

    Do you have a link to a good pfsense tutorial to get started running it in Win 10? Then I’d move to VPN.ca and use this tutorial.

    1. I have a couple of questions.
      1. On the traffic graph, it seems my traffic is going outbound. Is this correct?
      2. How do I verify in pfsense that my traffic is going through the VPN? I do not run a GUI, I only have the CLI on my server.

      thanks.
