pfSense and OpenVPN - is it possible to route certain IPs to the VPN?

Hi - I would like certain IP addresses on my DMZ LAN to always be routed through a VPN that would be running on the pfSense router. For instance, my ‘SMART TV’ should always use the VPN. Other IPs on LAN1 would selectively use or not use the VPN.

What is the best way to use a commercial VPN with pfSense? I assume OpenVPN? Could a virtual machine be used? I currently have pfSense virtualized with another app.

Thank you in advance for any pointers!

Well, as you are running pfSense I’d recommend buying a managed switch and setting up VLANs, with one of them having the VPN as its gateway. Implement a kill switch, so that if the VPN goes down internet access is killed and traffic doesn’t exit via the ISP.

If your VPN provider allows multiple simultaneous connections, then you can put several connections in a gateway group; if one fails, the traffic will exit via another VPN gateway.

Additionally, if you set up an OpenVPN server you can exit via a VPN gateway, so on your mobile you can access your VPN from anywhere without using up any of your connections.

You can of course do it with just a LAN but it’s not as flexible.

I suppose you can virtualise it, but if you have to troubleshoot then it’s two things you have to contend with.

You can do this either via VLANs or with IP addresses by setting up the correct rules, gateways and outbound NAT settings on pfSense.

Which outbound route is used is called policy routing: Multiple WAN Connections — Policy Routing Configuration | pfSense Documentation

I have an older video on the topic but things are mostly the same in terms of configuration.
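What the two replies above describe (a pass rule with a gateway for the VPN-only hosts, outbound NAT on the tunnel, and a kill switch that stops traffic from leaking out the ISP link when the tunnel is down) looks like this in pf ruleset syntax, which is what pfSense generates from the GUI into /tmp/rules.debug. This is an added example, not the thread author's or the pfSense project's own ruleset; the interface names, the LAN subnet, the smart TV's address, the tunnel gateway 10.8.0.1 and the tag name NO_WAN_EGRESS are all assumptions for the illustration.

```conf
# Policy routing of selected LAN hosts through an OpenVPN client, with a kill switch.
# Added example in pf(4) ruleset syntax; names and addresses below are assumed.

# --- assumed interface names and addresses ----------------------------------
wan_if  = "igb0"            # ISP uplink
lan_if  = "igb1"            # LAN1 / DMZ LAN
vpn_if  = "ovpnc1"          # OpenVPN client to the commercial provider
vpn_gw  = "10.8.0.1"        # assumed tunnel gateway handed out by the provider
lan_net = "192.168.1.0/24"
table <vpn_only> { 192.168.1.50 }   # the smart TV; add other VPN-only hosts here

# Bind each state to the interface it was created on, so a packet heading out
# the wrong interface cannot bypass the rules by matching the LAN state.
set state-policy if-bound

# Outbound NAT on the tunnel so replies come back through the VPN
# (Firewall > NAT > Outbound in the GUI).
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Kill switch (a floating rule, direction out, on WAN): anything the LAN rule
# tagged for the tunnel is never allowed to leave via the ISP. This is what
# prevents a leak when the tunnel is down and the gateway falls back to default.
block out quick on $wan_if tagged NO_WAN_EGRESS

# LAN rule 0: VPN-only hosts may still talk to the firewall itself
# (DNS, DHCP) without being sent into the tunnel.
pass in quick on $lan_if from <vpn_only> to self keep state

# LAN rule 1: VPN-only hosts are policy-routed to the OpenVPN gateway and tagged
# so the kill switch above can recognise their packets.
pass in quick on $lan_if from <vpn_only> to any \
    route-to ($vpn_if $vpn_gw) tag NO_WAN_EGRESS keep state

# LAN rule 2: every other host uses the default (ISP) gateway as normal.
pass in quick on $lan_if from $lan_net to any keep state
```

Rule order matters: the host-specific rule with route-to must sit above the general LAN rule, otherwise the smart TV matches the general rule first and exits via the ISP. To use a gateway group of several provider connections instead of a single tunnel, the GUI lets you pick the group in place of $vpn_gw. Also check "Don't pull routes" on the OpenVPN client, otherwise the provider's pushed default route drags every host through the tunnel, and note that with "Skip rules when gateway is down" (System > Advanced > Miscellaneous) disabled, pfSense keeps the rule but strips the gateway when the tunnel is down, which is exactly the case the kill switch rule covers.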

Tom - Thank you for that great video! I appreciate your comments about adding overhead when using a VPN at the end of the video.

Question: Why then, when setting up the PIA OpenVPN (5:45 in the video), is “HW Crypto: No hardware crypto acceleration” selected for the setup? It seems this would speed up the encryption for the VPN tunnel?

Thanks again!

That video is old and might have been done on a system that did not have support for the crypto.