VPN Part 4 - Aliases and Firewall
This is Part 4 of the VPN configuration. If the configuration from the earlier parts isn't complete, this part will cause problems.
At this point the WireGuard connection is up and has an IP address on it. This section sets up the rules that allow traffic from internal networks to be sent across the VPN.
It will configure:
- Alias group(s) that hold the IPs/networks of the servers whose traffic should pass over the VPN
- Outbound NAT rules that rewrite the source address of that traffic so it can go over the VPN
- Firewall rules that specify which traffic is sent over the VPN
Creating the Aliases
- Navigate the Web Interface to Firewall -> Aliases
- Click + to add an Alias
Add an alias as follows:
| Field | Value | Notes |
|---|---|---|
| Name | VPN_Websites | Avoid spaces and unusual characters in the name |
| Type | Networks | |
| Categories | VPN_Websites | |
- Click Save
- Click + to add a new Alias for IPv6 if needed:
| Field | Value | Notes |
|---|---|---|
| Name | VPN_Websites_IPv6 | Same comment about spaces as above |
| Type | Networks | |
| Categories | VPN_Websites | |
- Click Save
- Click Apply
Creating a NAT Rule
Which traffic takes the tunnel is decided by the firewall rule whose gateway is set to the VPN gateway. The outbound NAT rules below handle the other half: for traffic that has been routed onto the VPN interface, they rewrite the source address to the WG_MULLVAD interface address, so the replies come back through the tunnel instead of being sent to an internal address the VPN provider cannot route.
Configure OPNsense to Allow Manual NAT Rules
- Navigate to Firewall -> NAT -> Outbound
- In the Mode section, select Hybrid outbound NAT rule generation
- Click Apply
Make the NAT Rules
- Ensure the Web Interface is at Firewall -> NAT -> Outbound
- In the Manual Rules section, click +
- Create a rule for IPv4 as follows:
| Field | Value | Notes |
|---|---|---|
| Interface | WG_MULLVAD | |
| TCP/IP Version | IPv4 | |
| Source Address | Your internal network (LAN/INT etc.) | |
| Destination Address | VPN_Websites | |
| Translation / target | WG_MULLVAD address | |
- Click Save
- Create another rule for IPv6:
| Field | Value | Notes |
|---|---|---|
| Interface | WG_MULLVAD | |
| TCP/IP Version | IPv6 | |
| Source Address | Your internal network (LAN/INT etc.) | |
| Destination Address | VPN_Websites_IPv6 | |
| Translation / target | WG_MULLVAD address | |
- Click Save
- Click Apply
That’s it, all the configuration is done for Synclias
Testing Connectivity before using Synclias
If you'd like to test the VPN connectivity, you can temporarily route all of your traffic over the VPN:
- Edit the firewall rules to remove the "VPN_Websites" / "VPN_Websites_IPv6" destination alias (so the rules match any destination) and apply your changes
- From an internal host, test with whatever "What is my IP address" site you like; it should report the VPN provider's address, not your WAN address
- Remember to put the VPN_Websites alias back in when done, otherwise all traffic keeps going over the VPN!
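The following is an added example, not part of the original guide or of OPNsense itself. It models the two manual outbound NAT rules from the tables above as data and walks them with pf-style first-match semantics, so you can check before clicking Apply that a given internal host talking to a given destination would actually be translated to the WG_MULLVAD address. It also checks the alias contents: because the rules are split by TCP/IP version, an IPv6 entry placed in the IPv4 alias (or the reverse) is never matched, which fails silently in the GUI. The "all traffic" mode mirrors the connectivity test above, where the destination alias is removed. All networks and addresses (192.168.1.0/24, 2001:db8:1::/64, 10.64.0.2, the TEST-NET destinations) are constructed placeholders; substitute your own. The routing decision that places traffic on WG_MULLVAD is not modelled, only the NAT match.

```python
import ipaddress

# Constructed values for this example; replace with your own networks.
LAN_NET_V4 = "192.168.1.0/24"                 # internal network used as the rule's Source Address
LAN_NET_V6 = "2001:db8:1::/64"                # internal IPv6 prefix (documentation range)
WG_MULLVAD_ADDR_V4 = "10.64.0.2"              # the tunnel's own IPv4 address (the "WG_MULLVAD address")
WG_MULLVAD_ADDR_V6 = "2001:db8:ffff::2"       # the tunnel's own IPv6 address (constructed)

# Alias contents. Networks-type aliases hold host or CIDR entries.
VPN_WEBSITES = ["203.0.113.0/24", "198.51.100.10/32"]   # constructed (TEST-NET ranges)
VPN_WEBSITES_IPV6 = ["2001:db8:10::/48"]                # constructed (documentation prefix)


def check_alias(entries, version):
    """Return a list of problems with an alias (empty list means it is usable).

    A Networks alias that is referenced by an IPv4 NAT rule must only contain IPv4
    entries, and vice versa; entries of the other family are never matched.
    """
    problems = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # accept 198.51.100.10/32 style hosts
        except ValueError:
            problems.append(f"{entry} is not a valid address or CIDR network")
            continue
        if net.version != version:
            problems.append(f"{entry} is IPv{net.version} but the alias is for IPv{version}")
    return problems


def parse_alias(entries, version):
    """Parse an alias into ip_network objects, refusing aliases that check_alias rejects."""
    problems = check_alias(entries, version)
    if problems:
        raise ValueError("; ".join(problems))
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def build_rules(all_traffic=False):
    """The two manual outbound NAT rules from the tables, as data.

    all_traffic=True reproduces the connectivity test: the destination alias is
    removed, so the rule matches any destination from the internal network.
    """
    return [
        {"name": "VPN_Websites IPv4", "version": 4, "source": LAN_NET_V4,
         "destination": None if all_traffic else parse_alias(VPN_WEBSITES, 4),
         "target": WG_MULLVAD_ADDR_V4},
        {"name": "VPN_Websites IPv6", "version": 6, "source": LAN_NET_V6,
         "destination": None if all_traffic else parse_alias(VPN_WEBSITES_IPV6, 6),
         "target": WG_MULLVAD_ADDR_V6},
    ]


def nat_decision(src, dst, rules=None):
    """Walk the manual rules in order (pf applies the first matching NAT rule).

    Returns (rule name, translated source address) for a match, or None when no
    manual rule matches and the packet falls through to the automatic rules.
    Assumes routing has already placed the packet on the WG_MULLVAD interface.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in (build_rules() if rules is None else rules):
        if s.version != rule["version"] or d.version != rule["version"]:
            continue  # TCP/IP Version field: the rule only sees its own family
        if s not in ipaddress.ip_network(rule["source"]):
            continue  # Source Address: only the internal network is translated
        if rule["destination"] is not None and not any(d in n for n in rule["destination"]):
            continue  # Destination Address: only alias members go over the VPN
        return rule["name"], rule["target"]
    return None


if __name__ == "__main__":
    print(check_alias(["203.0.113.0/24", "2001:db8::/32"], 4))  # flags the IPv6 entry
    print(nat_decision("192.168.1.50", "203.0.113.7"))        # translated to 10.64.0.2
    print(nat_decision("192.168.1.50", "192.0.2.1"))          # None: not in the alias
    print(nat_decision("192.168.1.50", "192.0.2.1", build_rules(all_traffic=True)))
```

Run it with no arguments to see the four cases; the last line shows that with the alias removed every destination from the LAN is translated, which is why the alias has to go back in after testing.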