Creating a Policy Route to Send All Traffic from Host Through OpenVPN
This article is part of a series.
Now that the OpenVPN tunnel is up and the assigned interface is created, it is time to route traffic from the subject local host over the VPN.
This is the network being demonstrated in this example:
Host A1 traffic should be routed across the VPN tunnel. Since this traffic will arrive on LAN, that is the interface upon which to place the necessary firewall rule.
Navigate to Firewall > Rules, LAN tab.
It will resemble this:
The second rule passes all traffic from LAN out the default gateway. A rule must be placed above that rule to pass the specific traffic from the subject host out the VPN gateway instead. Click the icon at the bottom of the rule set to add a rule.
Edit firewall rule
TCP/IP Version: IPv4
Source: Type: Single host or alias; Address: 172.26.0.100
Click Save and the rule set will look like this:
This is not the order of firewall rules necessary to accomplish the stated goal. Interface firewall rules are matched top down, so the rule matching source LAN net will match the traffic before the rule matching source 172.26.0.100, and traffic from that host will not be routed according to the intended policy.
Mark the checkbox next to the 172.26.0.100 rule and click the icon on the default rule to move the checked rule above it.
Click Apply changes and traffic originating from 172.26.0.100 will now be routed over the VPNBook connection.
Traffic will not flow, however, because we still need to instruct the firewall to perform outbound NAT for host 172.26.0.100 with a translation to the VPN address.
Navigate to Firewall > NAT, Outbound tab and select Hybrid Outbound NAT rule generation. Click Save.
In the Mappings section, click to add a new mapping.
Source: Type: Network; Address: 172.26.0.0/24
Translation: Address: Interface address
Description: NAT for LAN to VPNBook Euro2
Note that the entire /24 is included in the Outbound NAT rule. This is because Outbound NAT rules do not route traffic. They simply detail what NAT actions should be taken when outbound traffic matches the rule on its way out the specified interface. If traffic is not routed out the interface, the rule is not hit. Doing it this way means future hosts can be policy routed out this interface without having to change or add another NAT rule.
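For readers who prefer to see what the two GUI entries above amount to, here is the equivalent in plain pf syntax. This is an added illustration, not the article's own configuration or the firewall's generated ruleset; the interface names em1 (LAN) and ovpnc1 (the assigned OpenVPN interface) and the tunnel gateway 10.8.0.1 are assumptions.

```pf
# Assumed names and addresses (not from the article):
#   em1      = LAN interface
#   ovpnc1   = assigned OpenVPN client interface (VPNBook Euro2)
#   10.8.0.1 = far end of the tunnel, used as the route-to gateway

# Outbound NAT on the VPN interface. The whole 172.26.0.0/24 is listed,
# but this rule only fires for packets that are actually leaving via
# ovpnc1, so today only the policy-routed host is translated. Adding
# another host later needs a new firewall rule, not a new NAT rule.
nat on ovpnc1 inet from 172.26.0.0/24 to any -> (ovpnc1)

# Policy route for host A1. It must sit ABOVE the general LAN rule:
# "quick" makes the first match final, which is exactly why the rule
# order in the GUI matters.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 172.26.0.100 to any keep state

# Default LAN rule: everything else follows the normal routing table
# and leaves via the default gateway.
pass in quick on em1 inet from 172.26.0.0/24 to any keep state
```

After Apply changes, pfctl -sr and pfctl -sn on the firewall print the loaded filter and NAT rules in this form, so the final ordering can be confirmed.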