Overview

In a pfSense deployment with multiple local subnets configured as an OpenVPN client, I only wanted certain subnets to use the OpenVPN connection as their default gateway.

Problem

OpenVPN servers usually push routes to the client to direct traffic through the VPN tunnel.

This is an example from /var/log/openvpn.log of OpenVPN configuring the pushed route:

/sbin/route add -net 0.0.0.0 10.17.1.243 128.0.0.0

This is one of the two /1 routes (0.0.0.0/1 and 128.0.0.0/1) that OpenVPN installs when a server pushes redirect-gateway def1: together they cover the whole address space and, being more specific than the existing 0.0.0.0/0 default, send all traffic that does not match a more specific route into the VPN tunnel, which is not what I wanted.
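As an added check (example code, not part of the original post), the following POSIX sh function scans OpenVPN client log lines for the pair of /1 routes that a pushed redirect-gateway def1 produces. Seeing both halves with the same gateway means the tunnel has become the default route for the whole firewall, which is exactly the condition the Don't pull routes setting is meant to prevent; after applying the fix, the function should report nothing. The log lines embedded below are constructed to mirror the /var/log/openvpn.log entry quoted above (gateway 10.17.1.243 is the one from the post).

```shell
#!/bin/sh
# Added example: detect a pushed redirect-gateway def1 in OpenVPN client log text.
# Sample log text is constructed for this example; it is not a captured pfSense log.
SAMPLE_LOG='May  1 10:00:00 openvpn: /sbin/route add -net 10.8.0.0 10.17.1.243 255.255.0.0
May  1 10:00:00 openvpn: /sbin/route add -net 0.0.0.0 10.17.1.243 128.0.0.0
May  1 10:00:00 openvpn: /sbin/route add -net 128.0.0.0 10.17.1.243 128.0.0.0'

# Log text from a client that only received a route for the remote subnet.
CLEAN_LOG='May  1 10:00:00 openvpn: /sbin/route add -net 10.8.0.0 10.17.1.243 255.255.0.0'

# Usage: detect_def1_redirect "<log text>"
# Prints "def1 redirect via <gateway>" and returns 0 when both 0.0.0.0/1 and
# 128.0.0.0/1 were installed through the same gateway; returns 1 otherwise.
detect_def1_redirect() {
    # Gateway of the 0.0.0.0/1 route, if present. The BSD route syntax is
    # "route add -net <net> <gateway> <netmask>", so the gateway is $(NF-1)
    # and the netmask is $NF.
    low=$(printf '%s\n' "$1" | awk '$0 ~ /route add -net 0\.0\.0\.0 / && $NF == "128.0.0.0" { print $(NF-1); exit }')
    # Gateway of the 128.0.0.0/1 route, if present.
    high=$(printf '%s\n' "$1" | awk '$0 ~ /route add -net 128\.0\.0\.0 / && $NF == "128.0.0.0" { print $(NF-1); exit }')
    if [ -n "$low" ] && [ "$low" = "$high" ]; then
        printf 'def1 redirect via %s\n' "$low"
        return 0
    fi
    return 1
}

# Run against the constructed samples when executed directly.
detect_def1_redirect "$SAMPLE_LOG" || echo "no def1 redirect in SAMPLE_LOG"
detect_def1_redirect "$CLEAN_LOG" || echo "no def1 redirect in CLEAN_LOG"
```

On a live pfSense box the same function can be fed the real file with `detect_def1_redirect "$(cat /var/log/openvpn.log)"`; only the two /1 routes are matched, so ordinary pushed routes for remote subnets (like the 10.8.0.0/16 line above) do not trigger it.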

Solution

First, in the OpenVPN Client configuration, check the Don't pull routes option.

![Screenshot of don’t pull routes option](/img/2016-05-01-pfsense-openvpn/1.png)

Next, configure a policy-based routing rule on the subnets that you want to route to the VPN tunnel. This is a normal firewall rule and can match a single host or an entire subnet. In the Advanced features section, set the Gateway to your VPN interface, as opposed to the default, which would route to your WAN interface.

![Screenshot of Gateway option](/img/2016-05-01-pfsense-openvpn/2.png)

Traffic that matches this rule will now be routed through your selected gateway.