OpenVPN / PIA as default gateway

I have followed this video (another great guide):

and my VPN is all working and I can optionally enable clients / networks to force them over the VPN.

What I want to do is have everything go over the VPN except those that I route manually.

I thought setting my default gateway to the VPN would be the first step, but this just broke internet access and I don’t really understand why. But I thought I could then add a “nonVPN” tag and allow those out over the WAN (the reverse of what Tom did).

So how would I route all traffic over my VPN unless there is a specific rule?

You’re better off buying a switch and having VLANs for both ISP and VPN.

I really recommend keeping it granular and only routing what you want routed out over the VPN. But you should be able to put in a rule for each local network and set which gateway to use based on the matching of that rule. Also remember rules are processed in top-down order.

Thanks both.

I have VLANs already. Part of my reason for wanting it to be the default was to keep it simple, as most things would end up on the VPN. I guess a network-level rule or floating rule would do the trick as long as I get the ordering right.

I’m curious why setting the default gateway to the VPN didn’t work. Something to do with the VPN needing access to the WAN and being a circular reference?


Yes, circular reference, as the pfSense system needs an out.

Thanks, all working now with network rules.

One issue I saw is that some services (amazon) block VPNs. I don’t want to disable my VPN for an entire device. I can’t see a way around this other than hostname rules, but as far as I know pfSense doesn’t handle this very gracefully.

It depends on your reasons for using a VPN, but lots of things break via VPNs: payment services, Gmail on an email client goes bonkers, banking sites. Presumably these services have some form of blacklist, as I can’t see what difference the IP address of a VPN server and my WAN IP can make.

If you want to use your VPN as the default internet on your network then just use an alias, adding the URL for sites to go out via the ISP. Then add a rule to use the alias list to pass traffic through the WAN gateway instead.

Though I can’t say how protected you are against leaking your IP address; good opportunity to mess things up!

Basically moving my privacy / trust “perimeter” outside the UK. I’ve only had a few issues so far with some streaming services.

The issue I had previously with aliases is how pfSense does IP resolution and third parties do load balancing. They didn’t always cooperate well. Also there are often multiple hostnames etc., and so it became a pain to set up and maintain.

It would be nice if pfSense had a “learning mode” so you could listen to traffic and then create rules around this. I’ve had this conversation on the pfSense forums.

Maybe I’ll give it another go and see what happens.

It’s six of one, half a dozen of the other. If you want to add exceptions then I don’t see a way around adding the exceptions! There might be a way, but it for sure will require maintenance.

There is no way around it, I just don’t think pfSense makes light work of it.
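To make the two points in this thread concrete, the "alias of bypass hosts first, everything else via the VPN gateway" rule order suggested above, and the alias-resolution problem raised later, here is an added Python model of pfSense's first-match rule evaluation. This is example code written for this page, not pfSense's own logic; the networks, addresses, gateway and alias names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """A simplified pass rule on a LAN interface with a policy-routing gateway."""
    name: str
    src: str            # source network in CIDR notation
    dst: set[str]       # destination IPs the alias resolved to, or {"any"}
    gateway: str        # gateway selected when the rule matches


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return "any" in rule.dst or dst_ip in rule.dst


def pick_gateway(rules: list[Rule], src_ip: str, dst_ip: str) -> str:
    """pfSense walks interface rules top down; the first match decides."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.gateway
    return "BLOCKED"    # no pass rule matched: implicit deny


# Constructed alias: the IPs pfSense resolved the bypass hostname to at refresh
# time. A load-balanced service may answer DNS with a different IP later.
NOVPN_ALIAS = {"203.0.113.10", "203.0.113.11"}

LAN_NET = "192.168.1.0/24"
CORRECT_ORDER = [
    Rule("bypass VPN for alias hosts", LAN_NET, NOVPN_ALIAS, "WAN_DHCP"),
    Rule("everything else via the VPN", LAN_NET, {"any"}, "PIA_VPN"),
]
# Same two rules, but the catch-all sits first, so the bypass never fires.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def resolution_drift(rules: list[Rule], client: str, answered_ip: str) -> bool:
    """True when a bypass host answered from an IP the alias has not learned,
    so the session is policy-routed over the VPN despite the exception."""
    return pick_gateway(rules, client, answered_ip) == "PIA_VPN"
```

Running `pick_gateway(CORRECT_ORDER, "192.168.1.20", "203.0.113.10")` selects WAN_DHCP, while the reversed order sends the same flow via PIA_VPN; `resolution_drift` shows why an alias built from hostnames needs refreshing when the service rotates addresses.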