(SOLVED) Forwarding single host WAN traffic via VPN

Hi everybody,

I have for some time been trying to migrate away from pfSense, with my last milestone being to forward 1 host on the same subnet, but not all hosts on that subnet, via the VPN, so that the 1 host only uses the VPN as its default route but can still respond to queries from VMs on the same subnet.

So far I have only been able to get correct routing when I static route a destination (for instance 1.1.1.1/32 with the next hop being interface wg4, and then 10.20.30.8 can only access 1.1.1.1/32 and nothing else), but this solution is not really good for me.

Here is more detailed info:
pfSense currently runs with xx.xxx.xx.23/26 for WAN and 10.20.30.1/24 for LAN
VyOS runs with xx.xxx.xx.24/26 for WAN and 10.20.30.40/24 for LAN as part of the migration in small steps
The subnet with my VMs is: 10.20.30.0/24
The host whose WAN traffic I want forwarded only via the VPN is: 10.20.30.8/32
The VPN I want to use resides on interface wg4

My setup from pfSense:
I created a FW rule that blocks 10.20.30.8/32 from using the regular WAN interface to go online.
Then I created a FW rule that allows 10.20.30.8/32 to access the Internet via the OpenVPN interface, which is the VPN I'm using.
Then there is a NAT rule that NATs 10.20.30.8/32 to whatever IP the VPN server has.

Any help or tips would be greatly appreciated.

You want to look at policy routing.
Here’s the example I use to route all traffic from my laptop with IP address 192.168.0.120 out via vtun3 (OpenVPN interface).

Note: You must ensure you do not have “source-validating strict” set otherwise this won’t work!

First, the policy statement that says “All traffic from 192.168.0.120” must use routing table 10 for routing decisions.

tim@ferrari# show policy
 route LAN-POLICY-BASED-ROUTING {
     rule 10 {
         source {
             address 192.168.0.120/32
         }
         set {
             table 10
         }
     }
 }

Next, set up routing table 10. This basically defines a new routing table, and you can see I’ve set a static default route so that all traffic is routed out vtun3. You’d change yours to wg4.

tim@ferrari# show protocols static
 table 10 {
     interface-route 0.0.0.0/0 {
         next-hop-interface vtun3 {
         }
     }
 }

Finally, the policy route must be applied to the interface the traffic is coming in on. eth1 is the default route for 192.168.0.120. This is where you apply the policy statement.

[edit interfaces ethernet eth1]
tim@ferrari# show
 address 192.168.0.1/24
 description "XXX Network"
 duplex auto
 firewall {
     in {
         name LAN-IN
     }
 }
 mtu 9000
 policy {
     route LAN-POLICY-BASED-ROUTING
 }

With this active, all traffic from 192.168.0.120 goes via vtun3 (except traffic to other devices on the LAN, which of course uses ARP/direct host-to-host), but all other LAN clients use the standard routing table. You can of course do trickier things: you can have only certain destination routes go into table 10, or ports, etc. It’s very flexible.

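Pulling the reply's three pieces together for the setup in the original question (10.20.30.8 out via wg4), as an added example in VyOS set-command form rather than config posted in the thread; it assumes the VyOS LAN address 10.20.30.40/24 sits on eth1, that wg4 is already up, and it adds the source-NAT counterpart of the pfSense NAT rule described above.

```vyos
# Added example, not from the thread: VyOS 1.3 "set" syntax matching the
# "show" output in the reply. Assumed: LAN interface eth1, tunnel wg4 already up.
configure

# 1. Match only the one host and hand its traffic to routing table 10.
set policy route LAN-POLICY-BASED-ROUTING rule 10 description 'VPN-only host'
set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '10.20.30.8/32'
set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10'

# 2. Table 10 holds a single default route out of the WireGuard interface.
#    A wg interface stays up even when the peer is unreachable, so the host's
#    traffic is tunnelled or dropped, not sent out the regular WAN.
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface wg4

# 3. Apply the policy on the interface the host's packets arrive on.
set interfaces ethernet eth1 policy route 'LAN-POLICY-BASED-ROUTING'

# 4. The reply's caveat: strict reverse-path validation drops the asymmetric
#    replies, so make sure source validation is not set to strict.
set firewall source-validation 'disable'

# 5. Counterpart of the pfSense NAT rule: masquerade the host behind the tunnel
#    address (needed unless the VPN peer routes 10.20.30.0/24 itself).
set nat source rule 100 outbound-interface 'wg4'
set nat source rule 100 source address '10.20.30.8/32'
set nat source rule 100 translation address 'masquerade'

commit
save
exit

# Verification from op mode: table 10 should contain only the default route via
# wg4; other LAN hosts are unaffected because rule 10 matches the single /32.
show ip route table 10
```

From 10.20.30.8 itself, the public address reported by an external lookup should now be the VPN exit address, while another VM on 10.20.30.0/24 still shows the regular WAN address.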

This was exactly the solution I was looking for!

Thank you so much for the examples and for explaining all of it!

It is working so well :smiley:

Switching from OpenVPN to WireGuard for this service increased speed from 10-12 MB/s to 90-100 MB/s.
