Hey everyone,
I have one client on my network that isn’t able to use VPN software because it’s an LG TV (no, I don’t want to plug a Fire Stick into it because I have a nice mouse remote and my wife is used to the LG interface).
I would like to have this TV client access the internet through my VPN.
I tried doing this a year ago and it was really complicated and difficult, with over 10 steps of heavy configuration.
I’m hoping there’s an easier way to do this or possibly a simple guide that can walk a non-enterprise network admin (myself) through it.
In the firewall you can specify by IP or subnet what gateway to use, set up the VPN and give it a default route in a different routing table, and then use the firewall to move traffic to it.
Disable the WireGuard default route:
VPN → WireGuard → Instances
Click on the Edit button.
At the end there is a checkbox you need to tick. This will stop the default route for OPNsense, which we need.
Assign an Interface to your VPN-connection:
Interfaces → Assignments
There, under New Interface, select your WireGuard/OpenVPN connection and click the plus.
Then click on the newly created OPT interface.
There, check “Enable Interface” and rename it, if you want. Everything else you need to leave empty.
Since we don’t want to have inbound traffic, you normally don’t need a firewall rule.
Create a Gateway for your VPN:
System → Gateways → Single
Add a new one if it does not exist:
- Name: something like VPN_GW
- Interface: your VPN-Interface
- Address Family: probably IPv4
- Disable the “Disable Gateway Monitoring” checkbox
- Add a Monitor IP you want to check with (e.g. 8.8.8.8)
Check whether it turns green (you have to reload the page after saving).
Assign your TV a static DHCP address:
Services → DHCPv4 → Leases
Find your TV in the list and copy the IP address. Then click on the plus and enter the IP address in the IP field. Save it.
Now we will add the Rule on your LAN interface:
Firewall → Rules → LAN
Create a new Rule:
- Action: Pass
- Interface: LAN
- Direction IN
- IPv4/IPv6
- Protocol: any
- Source: Single host or Network → the IP you defined for your system
- Gateway: the newly created VPN_GW
Save & reload
Done. Now every connection your TV makes will be routed through the VPN. Every connection means all of them. If you somehow have more local networks on your box, you need to add allow rules or exclusion rules to allow access from the TV to those networks, like this:
E.g. exclusion:
- Destination / Invert → check it
- Destination: LAN net (or the alias for your multiple networks)
Or create a new rule before your “Route all through VPN” rule that forces the gateway back to OPNsense for your networks.
Edit:
Updated: disabling WireGuard default routes
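The exclusion step in the walkthrough above is where people most often get bitten: OPNsense evaluates LAN rules top to bottom and, with the default “quick” setting, the first matching rule decides the gateway, so a “route all through VPN” rule placed above the LAN exclusion silently swallows local traffic. The following is an added illustration (not from this thread or from OPNsense itself): a small Python simulator of that first-match policy-routing decision. The TV address 192.168.1.50, the LAN 192.168.1.0/24 and the gateway name VPN_GW are constructed sample values.

```python
"""Added example: first-match simulation of OPNsense LAN policy-routing rules.
Shows both exclusion styles from the walkthrough (inverted destination, or a
separate exclusion rule placed above the VPN rule) and what goes wrong when
the order is reversed. All addresses/names are constructed sample values."""
import ipaddress
from dataclasses import dataclass

DEFAULT = "default"  # OPNsense's own routing table (normal WAN path)


@dataclass
class Rule:
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    invert_destination: bool = False  # the "Destination / Invert" checkbox
    gateway: str = DEFAULT            # "Gateway" field on the rule


def matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """A rule matches when source is in its source net and destination passes
    the (possibly inverted) destination check."""
    if src not in rule.source:
        return False
    dst_in = dst in rule.destination
    return (not dst_in) if rule.invert_destination else dst_in


def select_gateway(rules, src: str, dst: str) -> str:
    """Evaluate rules top to bottom; first match wins ("quick" behaviour).
    No match falls through to the default routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, s, d):
            return rule.gateway
    return DEFAULT


# Constructed sample topology
TV_NET = ipaddress.ip_network("192.168.1.50/32")   # the TV's static lease
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # "LAN net" in the GUI
ANY = ipaddress.ip_network("0.0.0.0/0")

# Variant 1: a single rule with "Destination / Invert" + "LAN net"
RULES_INVERT = [
    Rule("TV to VPN except LAN", TV_NET, LAN_NET, invert_destination=True, gateway="VPN_GW"),
]

# Variant 2: explicit exclusion rule placed ABOVE the VPN rule
RULES_ORDERED = [
    Rule("TV to LAN stays local", TV_NET, LAN_NET, gateway=DEFAULT),
    Rule("TV everything else via VPN", TV_NET, ANY, gateway="VPN_GW"),
]

# Mistake: same two rules, but the VPN rule is on top and shadows the exclusion
RULES_WRONG_ORDER = list(reversed(RULES_ORDERED))


def check_ruleset(rules) -> dict:
    """Return where a few representative flows end up under a given rule set."""
    return {
        "tv_to_internet": select_gateway(rules, "192.168.1.50", "1.1.1.1"),
        "tv_to_lan_host": select_gateway(rules, "192.168.1.50", "192.168.1.10"),
        "other_lan_host_to_internet": select_gateway(rules, "192.168.1.20", "1.1.1.1"),
    }


if __name__ == "__main__":
    for label, rs in (("invert", RULES_INVERT), ("ordered", RULES_ORDERED),
                      ("wrong order", RULES_WRONG_ORDER)):
        print(f"{label:12s} {check_ruleset(rs)}")
```

Running it shows that both correct variants send the TV's internet traffic to VPN_GW, keep TV-to-LAN traffic on the default table, and leave other LAN hosts untouched, while the reversed order pushes even TV-to-LAN packets out through the VPN gateway, which is exactly the "can't reach my printer/NAS any more" symptom after following the walkthrough.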
Thank you for responding. This makes quick sense to me but I have never subnetted before. Would I just choose a totally different ip address for my client to use? Instead of 192.168.1.x, I use 192.168.2.x?
trying this out right now and will let you know!
I don’t understand the terminology or what any of this really is doing so I’m basically just following along and hoping that it works.
I can’t get the gateway to turn green after creating it. I have my VPN interface selected. Is this because my VPN isn’t connected correctly?
No, if your TV is on your main subnet you can just specify the IP address of your TV in the firewall rules and that’s it. Subnet would be if you wanted a block of IPs to match the single rule.
you are probably right here.
see PM for my Screenshots.
Got it. Ya I’ll just need one IP. I’m going to try my hand with a guide I found. Thanks for your help.
No worries, I can’t remember the actual names of the fields, but it’s in the firewall rules where you can pick what gateway or routing table to use.