pfSense Route Single Interface Traffic Through VPN

For one reason or another, you want to route a single network interface through an off-site VPN connection without impacting the other interfaces in pfSense. I've seen people need this for a use case similar to mine: one network that is always routed through a public VPN provider like NordVPN, while another network still goes directly out through the ISP gateway. This allows you to:

  • Enforce that traffic on the VPN network always goes through the VPN; if the VPN is unavailable, that network loses connectivity rather than leaking out the ISP gateway
  • Keep a backup network for when the VPN goes down, has compatibility issues, or is too slow

Whatever your reason for doing it, you've probably noticed there aren't very many guides for this. I had to look in many places to piece together the information I needed to complete this task. Hopefully my guide here, if you found it, will save you from going through the same process!

TL;DR: Quick Guide

  1. Consult the relevant guide from your VPN provider for setting up a VPN client in pfSense. I'm using NordVPN, so I followed theirs.
  2. Edit the client to ensure the following are set:
     a. Don't Pull Routes -> True (checked)
     b. Don't add/remove Routes -> True (checked)
     c. Pull DNS -> False (unchecked)
  3. Create a new VLAN for the network you'll be routing through the VPN client:
     a. Go to Interfaces -> VLANs -> Add
     b. Select the hardware interface you'll route this through
     c. Set the VLAN tag as you desire
  4. Now go to Interfaces -> Assignments:
     a. Create an interface for the VPN client. You can leave the settings at their defaults.
     b. Create an interface for your new VLAN; we'll call it 'VPNOut'.
  5. Now go to Interfaces -> Assignments -> VPNOut:
     a. Set IPv4 Configuration Type to Static IPv4
     b. Set IPv6 Configuration Type to None
     c. Set the IP to the gateway IP of your subnet; for me it's 10.200.0.1. We want pfSense to be the gateway.
  6. Now go to Services -> DHCP -> VPNOut. Configure this however you choose for the clients that will connect to this network. I set a few static entries for workloads I'm running on this network, and a DHCP range so hot-plugged clients can connect.
  7. Go to Firewall -> Rules -> VPNOut:
     a. I highly suggest you tune this to your own needs, but just to get it working you need an allow-all rule routed through the VPN gateway. You should then copy this rule and narrow it to exactly the traffic you expect to enter and exit via the gateway. You would also add exceptions for other networks controlled by pfSense if you need them. For the purpose of this guide, I'll just show you how to get it working.
     b. Click Add:
        i. Action - Pass
        ii. Interface - VPNOut
        iii. Address Family - IPv4
        iv. Protocol - any
        v. Source - any
        vi. Destination - any
        vii. Click 'Advanced Options' and set Gateway to the gateway of your VPN client interface
  8. Go to Firewall -> NAT:
     a. Switch the mode to Manual Outbound NAT
     b. Add a new rule:
        i. Interface - your VPN client interface
        ii. Protocol - any
        iii. Source - Network -> the CIDR of your VLAN subnet (10.200.0.0/24 for me)
        iv. Destination - any
  9. In this configuration, DNS traffic will still leak out through your ISP gateway. If you don't care about that, you're done! If you do:
     a. Add your VPN provider's DNS servers under System -> General -> DNS Servers. Then, in your firewall rules for the VPNOut interface, allow DNS requests to those servers only, and only via the VPN gateway. Deny any DNS requests that are not routed over the VPN gateway.

That's it! This shouldn't impact the other interfaces on your network, but anything running in VPNOut should now be routed through your VPN provider.
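To confirm the three things that matter most (the default route was not pulled by the VPN client, the VPNOut rule actually policy-routes to the VPN gateway, and outbound NAT exists on the VPN interface), here is a small check script I'm adding to this guide; it is not part of pfSense or the original steps. The interface names ovpnc1 and em1.200 and the subnet 10.200.0.0/24 are placeholders for my setup, overridable via environment variables; without `--live` it runs against constructed sample output so you can try it off-box.

```shell
#!/bin/sh
# Sanity checks for the "one VLAN through the VPN client" setup above.
# Assumed placeholder names (override via env): OpenVPN client interface
# ovpnc1, VLAN interface em1.200, VLAN subnet 10.200.0.0/24.
VPN_IF="${VPN_IF:-ovpnc1}"
VLAN_IF="${VLAN_IF:-em1.200}"
VPN_SUBNET="${VPN_SUBNET:-10.200.0.0/24}"

# Check 1 (step 2, "Don't Pull Routes"): the system default route must still
# leave via WAN, not via the VPN client, or every interface would be dragged
# through the tunnel. Reads `netstat -rn` output on stdin (Netif is column 4).
check_default_route() {
    gw_if=$(awk '$1 == "default" { print $4; exit }')
    [ -n "$gw_if" ] && [ "$gw_if" != "$VPN_IF" ]
}

# Check 2 (step 7): a pass rule on the VLAN that policy-routes to the VPN
# gateway, i.e. carries "route-to (ovpnc1 ...)". Reads `pfctl -sr` on stdin.
check_policy_route() {
    grep -qE "^pass in .* on $VLAN_IF .*route-to \($VPN_IF "
}

# Check 3 (step 8): manual outbound NAT translates the VLAN subnet on the VPN
# interface; without it replies never come back. Reads `pfctl -sn` on stdin.
check_outbound_nat() {
    grep -qE "^nat on $VPN_IF .* from $VPN_SUBNET to "
}

# Constructed sample output resembling a correct install, used without --live.
SAMPLE_ROUTES='default            203.0.113.1        UGS         em0
10.200.0.0/24      link#6             U           em1.200'
SAMPLE_RULES='pass in quick on em1.200 inet from any to any flags S/SA keep state route-to (ovpnc1 10.8.8.1) label "USER_RULE: VPNOut via VPN"'
SAMPLE_NAT='nat on ovpnc1 inet from 10.200.0.0/24 to any -> (ovpnc1) port 1024:65535'

run_check() {  # $1 = name, $2 = command output, $3 = check function
    if printf '%s\n' "$2" | "$3"; then echo "PASS $1"; else echo "FAIL $1"; fi
}

if [ "$1" = "--live" ]; then   # run on the pfSense shell itself
    run_check default-route "$(netstat -rn)" check_default_route
    run_check policy-route  "$(pfctl -sr)"   check_policy_route
    run_check outbound-nat  "$(pfctl -sn)"   check_outbound_nat
else                           # demo against the constructed samples
    run_check default-route "$SAMPLE_ROUTES" check_default_route
    run_check policy-route  "$SAMPLE_RULES"  check_policy_route
    run_check outbound-nat  "$SAMPLE_NAT"    check_outbound_nat
fi
```

A FAIL on the first check usually means the client was saved before "Don't Pull Routes" was checked; a FAIL on the second means the gateway in the rule's Advanced Options is still the default.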