Last Updated on August 4, 2022 by Thiago Crepaldi
While I was writing a post on how to route specific web traffic through a VPN, I got inspired and decided to write another post on how to route specific DEVICES (your NAS server, laptop, iPhone, etc.) through the VPN while the rest of your house still uses the default ISP gateway. This approach is interesting because your VPN connection is not always fast or stable enough to carry your entire network, and some websites/apps don't work properly behind a VPN (e.g. internet banking).
Just like before, the idea behind this post is to create a Firewall alias on pfSense and then modify your LAN firewall rules so that traffic from the listed devices is sent to a different gateway (the VPN gateway) instead of the default one.
A requirement for this post is a firewall alias called RFC1918 (the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) as discussed in previous posts. I will assume your VPN interface is OPT1, but you can use a different name.
Navigate to Firewall >> Aliases >> IP, click on Add and fill in the form as follows:
- Name: DEVICES_BEHIND_VPN_USA
- Description: List of IPs/Hostnames that must be routed through US VPN for privacy
- Type: Host(s)
- IP or FQDN: Here you add the IP or hostname you want to hide behind the VPN
If you want to add more devices, click on Add Host and add the IP/FQDN.
When you are done, click on Save and Apply changes. Now we need to update your firewall rules to use this alias with the list of devices to route their traffic through a VPN gateway.
Go to Firewall >> Rules >> LAN and look carefully at the existing rules. At the bottom there will be a PASS ALL rule, which allows traffic from LAN on any port/protocol to any destination IP/port. The trick is to add our new rule before the pass all rule: pfSense evaluates interface rules top to bottom and the first match wins, and the pass all rule sends traffic from every device through the default (WAN) gateway, so our rule that sends traffic from the specific devices to OPT1 (or however you named your VPN gateway interface) must sit above it.
Next, click on Add to create a new firewall rule:
- Edit Firewall Rule
  - Action: Pass
  - Address Family: IPv4 (I am not using IPv6 on my homelab yet)
  - Protocol: Any
- Source
  - Select "Single host or alias"
  - Type "DEVICES_BEHIND_VPN_USA" as source address
- Destination
  - Invert match: checked
  - Select "Single host or alias"
  - Type "RFC1918" as destination address
- Extra Options
  - Log: unchecked
  - Description: Force DEVICES_BEHIND_VPN_USA devices to go through OPT1 to reach Internet
- Advanced Options
  - Leave everything as is, except Gateway: select OPT1
Press Save and Apply changes. After a couple of seconds, Internet-bound traffic from the DEVICES_BEHIND_VPN_USA devices will be routed through your VPN tunnel. Because the destination match is inverted against RFC1918, the rule only catches traffic to public addresses, so those devices can still reach the rest of your private network normally.
One little trick that I use to test it is to add my cellphone or laptop to DEVICES_BEHIND_VPN_USA and then visit myip.com and check that the IP listed is not my ISP's but the one from my VPN provider.
Optional: Adding a Kill switch to your VPN connection
A kill switch is a mechanism that allows no traffic through your ISP when the encrypted [VPN client] connection drops. This is important for the scenarios in which it is preferable to lose connectivity than to risk exposing data outside the tunnel.
You will have to modify the firewall rule you just created above at Firewall >> Rules >> LAN. Scroll to Advanced Options and set the Tag field to vpntraffic. Click on Save and Apply changes.
At this point, all traffic matched by that rule (Internet-bound traffic from DEVICES_BEHIND_VPN_USA) will be tagged with vpntraffic. The tag identifies traffic that must only leave through the VPN, so that we can block it everywhere else in the next step.
Go to Firewall >> Rules >> Floating and click on Add (up arrow) to create a new rule that will be applied before all others related to your WAN connection:
- Edit Firewall Rule
  - Action: Block
  - Disabled: unchecked
  - Quick: checked
  - Interface: WAN
  - Direction: Any
  - Address Family: IPv4
  - Protocol: Any
- Source
  - Invert match: unchecked
- Destination
  - Invert match: unchecked
- Extra Options
  - Description: Kill switch for OpenVPN client traffic
  - Click on Display Advanced.
- Advanced Options
  - Tagged: vpntraffic
Click on Save and Apply changes.
Note that we tagged the traffic with the vpntraffic label on the LAN interface and block it with the floating rule before it can leave through WAN, which is where it would otherwise end up when OPT1 goes down.
As a test you can disconnect the VPN connection and check your connectivity. It should be offline until you reconnect the VPN.
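To make the rule logic above concrete, here is a small Python model of how pfSense evaluates the two rules from this post: the LAN policy-routing rule with its inverted RFC1918 destination match and vpntraffic tag, and the quick floating block on WAN that matches the tag. This is an added example, not code from the post or from pfSense; the device addresses are constructed sample values, and it assumes the pfSense default where a rule whose gateway is down is still loaded (and still tags the packet) but without its gateway, so the traffic falls back to the default route.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Firewall aliases as the post defines them. The device addresses are
# constructed sample values, not the author's.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "DEVICES_BEHIND_VPN_USA": ["192.168.1.50", "192.168.1.60"],
}


def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls inside any host or network listed in the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: Optional[str] = None        # alias name; None means "any"
    dst: Optional[str] = None
    invert_dst: bool = False         # the "Invert match" checkbox on Destination
    gateway: Optional[str] = None    # policy-routing gateway ("OPT1"); None = default route
    tag: Optional[str] = None        # tag applied on match (Advanced Options > Tag)
    tagged: Optional[str] = None     # only match packets carrying this tag


@dataclass
class Packet:
    src: str
    dst: str
    tags: Set[str] = field(default_factory=set)
    gateway: str = "default"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and not in_alias(pkt.src, rule.src):
        return False
    if rule.dst is not None:
        hit = in_alias(pkt.dst, rule.dst)
        if hit == rule.invert_dst:   # invert match flips the destination test
            return False
    if rule.tagged is not None and rule.tagged not in pkt.tags:
        return False
    return True


# LAN rules in the order the post requires: the VPN rule sits ABOVE "pass all".
LAN_RULES: List[Rule] = [
    Rule("pass", src="DEVICES_BEHIND_VPN_USA", dst="RFC1918", invert_dst=True,
         gateway="OPT1", tag="vpntraffic"),
    Rule("pass"),  # the stock "pass all" rule, default (WAN) gateway
]

# Floating rule on WAN, quick, blocking anything tagged vpntraffic.
KILL_SWITCH: List[Rule] = [Rule("block", tagged="vpntraffic")]


def route(src: str, dst: str, opt1_up: bool = True, kill_switch: bool = True) -> str:
    """Return where a LAN packet ends up: "LAN", "OPT1", "WAN" or "blocked".

    Assumption (pfSense default, "Skip rules when gateway is down" unchecked):
    when OPT1 is down the rule is still loaded and still tags the packet, but
    without its gateway, so the packet falls back to the default route.
    """
    pkt = Packet(src, dst)
    for rule in LAN_RULES:             # first match wins, top to bottom
        if matches(rule, pkt):
            if rule.action == "block":
                return "blocked"
            if rule.tag:
                pkt.tags.add(rule.tag)
            if rule.gateway and (opt1_up or rule.gateway != "OPT1"):
                pkt.gateway = rule.gateway
            break
    else:
        return "blocked"               # no rule matched: pfSense default deny

    if in_alias(dst, "RFC1918"):       # local destination never leaves the LAN
        return "LAN"
    if pkt.gateway == "OPT1":
        return "OPT1"                  # goes out the VPN tunnel
    # Default route means egress on WAN, where the floating rule is checked first.
    if kill_switch and any(matches(r, pkt) for r in KILL_SWITCH):
        return "blocked"
    return "WAN"


if __name__ == "__main__":
    for args in [("192.168.1.50", "93.184.216.34"),
                 ("192.168.1.50", "192.168.1.10"),
                 ("192.168.1.77", "93.184.216.34")]:
        print(args, "->", route(*args))
    print("VPN down, kill switch on  ->", route("192.168.1.50", "93.184.216.34", opt1_up=False))
    print("VPN down, kill switch off ->", route("192.168.1.50", "93.184.216.34", opt1_up=False, kill_switch=False))
```

Running it shows the three cases the post relies on: a listed device reaching a public address goes out OPT1, the same device reaching another LAN host stays local because the inverted RFC1918 match skips the VPN rule, and an unlisted device uses WAN. The last two lines show why the tag matters: with OPT1 down, the tagged traffic is blocked at WAN when the floating rule exists, and leaks out WAN when it does not.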
That is it and safe browsing!