This discussion has been locked.

How to do LAN->WAN through VPN (OpenVPN)?

I have a device in my LAN that I would like to always connect egress to WAN via a VPN tunnel using an OpenVPN profile. I was able to do this in my Synology Router but I'm not able to figure out how to accomplish this in XG Firewall.

Thanks in advance.



  • Hello Zeneth,

    Thank you for contacting the Sophos Community.

    I am not sure if I understood your query correctly, but for example in my case I have a computer with IP 192.168.15.10 on my LAN, I use ExpressVPN, and I have two WAN interfaces, so I have a rule configured in the XG which is:

    Source Zones = LAN 

    Source Networks and devices = 192.168.15.10

    Destination Zone = WAN

    Destination Networks = ANY

    Use outbound address = MASQ

    Primary Gateway = ISP1

    Backup Gateway = ISP2 

    So this way I am sure all of the 192.168.15.10 traffic goes through ISP1. Also, when I connect to the VPN, the traffic goes through the same WAN interface.

    Is this what you are trying to achieve?

    Regards,

  • Hi ,

    Thanks for the reply. Your use case is somewhat different and it also works for me if I manually configure the VPN client connection on each specific device.

    What I'm looking for is having XG itself connect to a VPN service (as a client) where I could easily create a rule in XG to route traffic for specific devices to the WAN through this VPN tunnel.

    Thanks.

  • I can see that OpenVPN is already installed in XG Firewall:

    SFVH_SO01_SFOS 18.0.1 MR-1-Build396# which openvpn
    /usr/bin/openvpn


    SFVH_SO01_SFOS 18.0.1 MR-1-Build396# openvpn --version
    OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun  5 2020
    library versions: OpenSSL 1.0.2r-fips  26 Feb 2019, LZO 2.09
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
    Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_nls=no enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=no enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

    So I believe it would be something trivial to expose and allow client connections via the UI :)