OpenVPN – How to route the default destination not via the VPN tunnel

Tags: networking, networkmanager, openvpn, pfsense

There are millions of sites which describe how to configure the network routing to send all traffic through the VPN tunnel. However, what about the exact opposite?

There is an OpenVPN server configured on the pfSense firewall, and only certain destinations should pass the VPN tunnel. The default route should not use the tunnel.

route -n
Destination  Gateway       Genmask    Flags  Metric  Ref  Use  Iface
0.0.0.0      192.168.x.x   0.0.0.0    UG     50      0    0    tun0
0.0.0.0      192.168.y.y   0.0.0.0    UG     600     0    0    wlp2s0

(Obviously, either the 1st line is too much or its metric should be > 600.)

I want this to be set in Linux NetworkManager and Windows 10. How do I do that? pfSense can only force the default gateway to point to the tunnel, so I think that the decision not to use the tunnel for the default route is up to the client.

Best Answer

In other words, you want to achieve the following:
- Send the specific VPN traffic via the VPN tunnel
- All the other traffic should take the default gateway.

You will need static route(s) and a default gateway. For the default gateway, leave it as it is: not going via the tunnel.

All the VPN tunnel traffic should now be dealt with by static routes. As these are VPNs, you should know your destination subnets. Whether it is SSL VPN in tunnel mode or IPsec VPN, you should probably know where you are sending traffic.

For example, if the destination subnet is 10.0.3.0/24, create a static route on the pfSense router: Destination: 10.0.3.0/24, Gateway: IP of the tunnel.

Googling gives you this page: https://doc.pfsense.org/index.php/Static_Routes

Regarding your question "I want this to be set in Linux NetworkManager and Windows 10": well, this all depends on your setup. To be honest, this is not needed, and it will quickly become a mess the more workstations and subnets you have. If your users are accessing apps, simply use FQDNs and let pfSense do the job.

With some vendors you will have the possibility to install clients like FortiClient or Cisco AnyConnect that will directly change the routing table of the device. That could help you too. By the way, with FortiClient you will need to check the compatibility for the tunnel creation.

Regards
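The answer above puts the static routes on pfSense; the question, however, is about the client side, where the pushed default route actually gets installed. The script below is an added example, not code from the original question or answer. It generates the OpenVPN client directives that keep the host's own default route and send only chosen subnets through the tunnel (the same directives work in a Windows .ovpn file), and it checks a `route -n` table for the problem shown in the question: with two default routes, the one with the lowest metric wins. The file name, the two routing tables and the subnets passed in are constructed for the example; 10.0.3.0/24 is the subnet from the answer.

```shell
#!/bin/sh
# Added example, not code from the original post. It does the client-side half
# of the answer above: keep the host's own default route and pull only chosen
# subnets into the OpenVPN tunnel, then verify the kernel's view of the result.
# The output file name and the subnets passed in are illustrative.

# Convert a prefix length (0-32) to a dotted netmask, e.g. 24 -> 255.255.255.0.
prefix_to_mask() {
  plen=$1
  if [ "$plen" -eq 0 ]; then
    m=0
  else
    m=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  fi
  echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Write OpenVPN client directives to $1 for the subnets given as a.b.c.d/n.
# `route-nopull` makes the client ignore every route the server pushes,
# including redirect-gateway, so the existing default route is left alone
# (it also drops other pushed options such as DNS; `pull-filter ignore
# "redirect-gateway"` is the narrower alternative on OpenVPN 2.4+).
# Each `route` line then sends one subnet via the tunnel's own gateway.
write_split_tunnel_conf() {
  out=$1
  shift
  {
    echo 'route-nopull'
    for net in "$@"; do
      ip=${net%/*}
      plen=${net#*/}
      echo "route $ip $(prefix_to_mask "$plen") vpn_gateway"
    done
  } > "$out"
}

# Read `route -n` output on stdin and print the interface of the default
# route (destination 0.0.0.0, genmask 0.0.0.0) with the lowest metric: that
# is where unmatched traffic actually goes, however many defaults exist.
winning_default_iface() {
  awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && (best == "" || $5 + 0 < best + 0) {
         best = $5; iface = $8
       }
       END { print iface }'
}

# Return 0 if the effective default route runs over a tun/tap interface.
default_route_is_tunnel() {
  case "$(winning_default_iface)" in
    tun*|tap*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Constructed samples: the routing table from the question (the tun0 default
# wins with metric 50) and the intended end state (default route only on the
# Wi-Fi interface, 10.0.3.0/24 via the tunnel).
BEFORE='Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.x.x 0.0.0.0 UG 50 0 0 tun0
0.0.0.0 192.168.y.y 0.0.0.0 UG 600 0 0 wlp2s0'
AFTER='Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.y.y 0.0.0.0 UG 600 0 0 wlp2s0
10.0.3.0 192.168.x.x 255.255.255.0 UG 50 0 0 tun0'

conf=$(mktemp)
write_split_tunnel_conf "$conf" 10.0.3.0/24
echo "--- generated OpenVPN client directives ---"
cat "$conf"
rm -f "$conf"

for table in BEFORE AFTER; do
  eval "routes=\$$table"
  if printf '%s\n' "$routes" | default_route_is_tunnel; then
    echo "$table: default route goes through the tunnel (fix needed)"
  else
    echo "$table: default route stays on $(printf '%s\n' "$routes" | winning_default_iface)"
  fi
done
```

On a live host, pipe the real table in with `route -n | default_route_is_tunnel` after the tunnel is up. For a connection managed by NetworkManager the equivalent of `route-nopull` is `nmcli connection modify <vpn-connection> ipv4.never-default yes` (the "Use this connection only for resources on its network" checkbox), with the tunnel-bound subnets added via `ipv4.routes`.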
