Last Updated on August 4, 2022 by Thiago Crepaldi
For those who followed my previous post on how to configure a VPN client on pfSense, one cool application of it is to route only specific websites through the VPN while the rest of the traffic goes through the default ISP gateway as usual. That is useful when you want to use an IP address from another country to read local news, browse with more privacy, or even watch that movie that only streams in another country's catalog of your streaming service. Yeah, I know you do!
The idea behind this post is to create a firewall alias on your pfSense and then modify your LAN firewall rules to switch to a different gateway (the VPN gateway) when traffic to the selected websites is detected. Here we go.
For this post, I will assume your VPN interface is OPT1, but you can use a different name.
Navigate to Firewall >> Aliases >> IP, click on Add, and fill in the fields as follows:
Properties
- Name: WEBSITES_BEHIND_VPN_USA
- Description: List of URLs that must be routed through US VPN for privacy
- Type: Host(s)
Host(s)
- IP or FQDN: google.com (here you add the website you want to hide behind the VPN)
If you want to add more URLs (hosts), click on Add Host and add the IP/FQDN.
When you are done, click on Save and Apply changes. Now we need to update your firewall rules to use this list of websites to decide which gateway your traffic goes through.
Go to Firewall >> Rules >> LAN and look carefully at the existing rules. At the bottom there will be a PASS ALL rule, which allows traffic from LAN on any port/protocol to any destination IP/port. The trick is to add a new rule right before that pass all rule. Rules are matched top to bottom, and the pass all rule sends all traffic through the WAN gateway, so the rule that sends specific traffic to the OPT1 gateway (or however you named your VPN gateway interface) must come before it.
Next, click on Add to create a new firewall rule:
- Edit Firewall rule
  - Action: Pass
  - Address Family: IPv4 (I am not using IPv6 on my homelab yet)
  - Protocol: Any
- Source
  - Any
- Destination
  - Select “Single host or alias”
  - Type “WEBSITES_BEHIND_VPN_USA” as destination address
- Extra options
  - Log: unchecked
  - Description: Force WEBSITES_BEHIND_VPN_USA to go through OPT1 to reach Internet
- Advanced options
  - Leave everything as is, except:
  - Gateway: Select OPT1
Press Save and Apply changes. After a couple of seconds, traffic to all websites listed in WEBSITES_BEHIND_VPN_USA will be routed through your VPN tunnel.
One trick I use to test this is adding “myip.com” to WEBSITES_BEHIND_VPN_USA, then visiting it and checking that the IP listed is not the ISP’s but the VPN provider’s.
Optional: Adding a Kill switch to your VPN connection
A kill switch is a mechanism that allows no traffic through the ISP’s interface when the encrypted (VPN client) connection drops. This is important for scenarios in which it is preferable to lose connectivity rather than risk exposing data outside the tunnel.
You will have to modify the firewall rule that was created above at Firewall >> Rules >> LAN. Scroll down to Advanced Options and set the Tag field to vpntraffic. Click on Save and Apply changes.
At this point, all traffic matched by that rule (that is, traffic to WEBSITES_BEHIND_VPN_USA) will be tagged with vpntraffic. The tag identifies the traffic that is meant to go through the VPN so that we can block it in the next step if it ever tries to leave through another interface.
Go to Firewall >> Rules >> Floating and click on Add (up arrow) to create a new rule that will be applied before all others on your WAN connection:
- Edit Firewall Rule
  - Action: Block
  - Disabled: unchecked
  - Quick: checked
  - Interface: WAN
  - Direction: Any
  - Address Family: IPv4
  - Protocol: Any
- Source
  - Invert match: unchecked
  - Any
- Destination
  - Invert match: unchecked
  - Any
- Extra Options
  - Description: Kill switch for OpenVPN client traffic
  - Click on Display Advanced.
- Advanced Options
  - Tagged: vpntraffic
Click on Save and Apply changes.
Note that we tagged the traffic with the vpntraffic label on the LAN interface and blocked it with a floating rule before it could leave through WAN, which is where it would fall back to if the OPT1 interface goes down.
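The three GUI steps above (the alias, the LAN policy-routing rule and the floating kill-switch rule) amount to the following pf rules. This is an added example written for this post, not pfSense's generated ruleset; the interface names (em0 = LAN, em1 = WAN, ovpnc1 = OPT1) and the VPN gateway address are assumptions.

```pf
# Added example, not copied from pfSense's /tmp/rules.debug.
# Interface names and the tunnel gateway address below are assumed.
lan_if = "em0"
wan_if = "em1"
vpn_if = "ovpnc1"       # OPT1, the OpenVPN client interface
vpn_gw = "10.8.0.1"     # assumed peer address of the tunnel

# Firewall >> Aliases: in raw pf, hostnames in a table are resolved once,
# when the ruleset loads, so only the addresses returned at that moment
# are covered. pfSense re-resolves FQDN aliases periodically (filterdns).
table <WEBSITES_BEHIND_VPN_USA> { google.com, myip.com }

# Firewall >> Rules >> LAN, placed before the PASS ALL rule so it matches
# first. route-to sends matching packets out OPT1 instead of the default
# gateway; "tag vpntraffic" is the Advanced Options tag from the kill
# switch step. The tag travels with the packet and its state.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) \
    inet from any to <WEBSITES_BEHIND_VPN_USA> tag vpntraffic keep state

# Firewall >> Rules >> LAN: the existing PASS ALL rule (default gateway)
pass in quick on $lan_if inet from any to any keep state

# Firewall >> Rules >> Floating (quick, interface WAN, direction any):
# when OPT1 is down the tagged traffic falls back to the default gateway
# and would leave via WAN; "tagged" matches it there and drops it.
block quick on $wan_if tagged vpntraffic
```

The kill switch therefore only protects destinations in the alias; everything else still uses the ISP gateway by design. To check what an FQDN alias currently covers on pfSense, `pfctl -t WEBSITES_BEHIND_VPN_USA -T show` lists the resolved addresses.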
For testing, you can disconnect the VPN connection and check your connectivity. It should be offline until you reconnect the VPN.
That is it and safe browsing!
Thank you for the guide!
What VPN service do you use as your endpoint in the US?
I usually wait for the Black Friday deals and get one of the 3-year packages. I have tried both PIA and Surfshark. Both are to use on pfSense, especially for US locations. I don’t try to use Netflix in different countries, but some people consider this an important criterion for the decision.
Hi there, appreciate the guide.
Quick one: do you have a source for where you get all the website domains, i.e. Netflix?
Sorry, unfortunately I don’t. If you find one, let me know and I will create a post for it. Usually these lists are provided by the companies behind the DNS blocking solutions – and are paid. I am sure Netflix must rotate IPs to make it hard, but you can always use Wireshark to analyze your traffic and learn their IPs.
I’d not understood the purpose of the tag before – nice. I block traffic leaking if the gateway goes down by checking the box at System > Advanced > Miscellaneous > Gateway Monitoring > Skip rules when gateway is down. Then, if the gateway is down (i.e. the VPN is down), the rule that would forward the traffic isn’t created at all and there’s no route. It certainly works if I turn off the VPN anyway.
Re creating aliases for Netflix IP addresses, you can use the pfBlocker package to generate aliases dynamically to look up the relevant IP addresses from Netflix’s ASN that you can then use in a firewall rule as desired (I’m doing the opposite; I want Netflix to skip the VPN). You can set up separate aliases for Amazon, BBC, whatever, and then use all of the matched addresses in your rules. And since pfBlocker updates on a schedule, the aliases are also kept up to date. It works really well.
Found this a while back (not my own work):
https://uniteinnovations.com/tutorials/bypassing-your-vpn-for-netflix-and-amazon-prime-video-with-pfsense/
I think you also need to add an outbound rule on the OpenVPN interface for all of your network IPs, don’t you?