Configuring pfSense and OpenVPN with multiple local subnets
Overview
In a pfSense deployment that has multiple local subnets and runs as an OpenVPN client, I wanted only certain subnets to use the OpenVPN connection as their default gateway; the rest should keep going out over the WAN.
Problem
OpenVPN servers usually push routes to the client to direct traffic through the VPN tunnel.
This is an example from /var/log/openvpn.log of OpenVPN configuring the pushed route:
The pushed route sends all traffic that does not match a more specific route into the VPN tunnel, so the tunnel becomes the default gateway for every local subnet, which is not what I wanted.
Solution
First, in the OpenVPN client configuration, check the Don't pull routes option. This is the equivalent of the OpenVPN route-nopull directive: the tunnel still comes up, but routes the server pushes are ignored, so the firewall's default route stays on the WAN.
![Screenshot of don’t pull routes option](/img/2016-05-01-pfsense-openvpn/1.png)
Next, configure a policy-based routing rule on each subnet that you want to route through the VPN tunnel. This is a normal firewall rule on that subnet's interface and can match a single host or an entire subnet. In the Advanced features section, set the Gateway to your VPN gateway, as opposed to the default, which would route via your WAN interface. Two things to check: the OpenVPN client only appears in the Gateway list once it has been assigned as an interface under Interfaces > Assignments, and because pfSense evaluates rules first-match, this rule has to sit above any broader pass rule on the same interface or it will never be hit.
![Screenshot of Gateway option](/img/2016-05-01-pfsense-openvpn/2.png)
Traffic that matches this rule is now routed through the selected gateway; everything that does not match, including the other subnets, keeps using the WAN. To confirm, check from a host in the routed subnet that its traffic exits with the VPN server's address and from a host in another subnet that it still exits via the WAN; on pfSense itself, netstat -rn should still show the default route on the WAN interface rather than on the ovpnc interface.
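As an added example (not part of the original post and not pfSense's own tooling), here is a POSIX shell check that covers both steps above at once. It assumes the WAN is em0, the routed subnet is 192.168.10.0/24, a second subnet 192.168.20.0/24 stays on the WAN, and the OpenVPN client interface is ovpnc1; the routing-table and pf rule samples embedded in it are constructed to look like `netstat -rn -f inet` and `pfctl -sr` output, not captured from the author's box. It looks for the two ways this setup goes wrong: the server's redirect-gateway def1 push still being applied (OpenVPN implements that push as the pair 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beat the existing default route), and a subnet that has no route-to rule, which is what pfSense generates from the Gateway field.

```shell
#!/bin/sh
# Added example: verify that a pfSense OpenVPN client is split-tunnelled the way
# the post describes. Interface and subnet names are assumptions, and the sample
# netstat/pfctl output below is constructed, not captured from a real firewall.
#
# What the two GUI changes correspond to:
#   "Don't pull routes"   -> OpenVPN client directive      route-nopull
#   rule "Gateway" field  -> a pf rule carrying           route-to (ovpnc1 <peer-ip>)

# Constructed `netstat -rn -f inet` output with "Don't pull routes" set: the
# default route stays on the WAN (em0) and ovpnc1 only carries the tunnel peer.
ROUTES_SPLIT='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.1           10.8.0.2           UH       ovpnc1
192.168.10.0/24    link#1             U           em1
192.168.20.0/24    link#3             U           em2
203.0.113.0/24     link#1             U           em0'

# The same table when a pushed redirect-gateway def1 was accepted: the
# 0.0.0.0/1 + 128.0.0.0/1 pair is more specific than "default" for every address.
ROUTES_PULLED='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
10.8.0.1           10.8.0.2           UH       ovpnc1
192.168.10.0/24    link#1             U           em1
192.168.20.0/24    link#3             U           em2
203.0.113.0/24     link#1             U           em0'

# Constructed `pfctl -sr` excerpt: only the 192.168.10.0/24 rule carries route-to.
RULES='pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: VLAN10 via VPN"
pass in quick on em2 inet from 192.168.20.0/24 to any flags S/SA keep state label "USER_RULE: VLAN20 direct"'

# Interface carrying the IPv4 default route (routing table on stdin).
default_route_iface() {
    awk '$1 == "default" { print $4; exit }'
}

# Catch-all routes that point into an OpenVPN client interface: a default route
# or either def1 half. Prints nothing when the tunnel is not the default gateway.
tunnel_catchall_routes() {
    awk '($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && $4 ~ /^ovpnc/ { print $1 " via " $4 }'
}

# pf rules that policy-route traffic from the given source subnet (rules on stdin).
policy_route_rules() {
    awk -v net="$1" 'index($0, "route-to (") && index($0, "from " net " ") { print }'
}

# verify_split_tunnel ROUTES RULES WAN_IF SUBNET TUN_IF
# Returns 0 when WAN_IF still owns the default route, no catch-all route enters
# the tunnel, and SUBNET has a route-to rule via TUN_IF; otherwise prints why.
verify_split_tunnel() {
    routes=$1; rules=$2; wan_if=$3; subnet=$4; tun_if=$5
    iface=$(printf '%s\n' "$routes" | default_route_iface)
    if [ "$iface" != "$wan_if" ]; then
        echo "FAIL: default route leaves via '$iface', expected $wan_if" >&2; return 1
    fi
    catchall=$(printf '%s\n' "$routes" | tunnel_catchall_routes)
    if [ -n "$catchall" ]; then
        echo "FAIL: pushed routes still send all traffic into the tunnel:" >&2
        echo "$catchall" >&2; return 1
    fi
    if ! printf '%s\n' "$rules" | policy_route_rules "$subnet" | grep -q "route-to ($tun_if "; then
        echo "FAIL: no route-to rule for $subnet via $tun_if" >&2; return 1
    fi
    echo "OK: $subnet is policy-routed via $tun_if; everything else still exits via $wan_if"
}

main() {
    if [ "$1" = "--live" ]; then
        # On the firewall itself: sh check-split.sh --live em0 192.168.10.0/24 ovpnc1
        verify_split_tunnel "$(netstat -rn -f inet)" "$(pfctl -sr)" "$2" "$3" "$4"
        return
    fi
    echo "== routes not pulled, VLAN10 rule present =="
    verify_split_tunnel "$ROUTES_SPLIT" "$RULES" em0 192.168.10.0/24 ovpnc1
    echo "== redirect-gateway still pulled =="
    verify_split_tunnel "$ROUTES_PULLED" "$RULES" em0 192.168.10.0/24 ovpnc1 || true
    echo "== subnet with no policy rule =="
    verify_split_tunnel "$ROUTES_SPLIT" "$RULES" em0 192.168.20.0/24 ovpnc1 || true
}

main "$@"
```

Run without arguments it exercises the three constructed cases, so it can be read and executed anywhere; with `--live` it feeds the firewall's real `netstat -rn -f inet` and `pfctl -sr` output through the same checks. The def1 check matters because a pushed redirect-gateway does not replace the "default" entry, so looking only at the default route would report the WAN and miss that every packet is in fact going into the tunnel.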