Creating a Policy Route to Send All Traffic from Host Through OpenVPN

This article is part of a series.

Now that the OpenVPN tunnel is up and the assigned interface is created, it is time to route traffic from the subject local host over the VPN.

This is the network being demonstrated in this example:

pfSense XenServer Lab Diagram OpenVPN Client

Host A1 traffic should be routed across the VPN tunnel. Since this traffic will arrive on LAN, that is the interface upon which to place the necessary firewall rule.

Navigate to Firewall > Rules, LAN tab.

It will resemble this:

Default LAN Rules

The second rule passes all traffic from LAN out the default gateway. A rule must be placed above that rule to pass the specific traffic from the subject host out the VPN gateway instead. Click the pfSense icon plus icon at the botton of the rule set to add a rule.

Edit firewall rule

Action: Pass
Interface: LAN
TCP/IP Version: IPv4
Protocol: any
Source: Type: Single host or alias Address:
Destination: any

Advanced features


Click Save and the rule set will look like this:

VPN Rules Out of Order Screenshot

This is not the order of firewall rules necessary to accomplish the stated goal. Interface firewall rules are matched top down so the rule matching source LAN net will match the traffic before the rule matching source so the traffic from that host will not be properly routed according to the intended policy.

Mark the checkbox next to the rule and click the pfSense icon left icon on the default rule to move the checked rule above it.

VPN Rule Reorder Screenshot

Click Apply changes and traffic originating from will now be routed over the VPNBook connection.

Traffic will not flow, however, because we still need to instruct the firewall to perform outbound NAT for host with a translation to the VPN address.

Navigate to Firewall > NAT, Outbound tab and select the Hybrid Outbound NAT rule generation selector. Click Save.

In the Mappings section, click pfSense icon plus to add a new mapping.

Protocol: any
Source: Type: Network Address:
Destination: any
Translation: Address: Interface address
Description: NAT for LAN to VPNBook Euro2

Note that the entire /24 is included in the Outbound NAT rule. This is because Outbound NAT rules do not route traffic. They simply detail what NAT actions should be taken when outbound traffic matches the rule on its way out the specified interface. If traffic is not routed out the interface, the rule is not hit. Doing it this way means future hosts can be policy routed out this interface without having to change or add another NAT rule.