Project

General

Profile

Actions

New Content #13270

closed

OpenVPN client gateway is incorrect when the server does not push routes

Added by Marcos M 2 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:

Description

If IPv4 Local network(s) is empty on the server (and no custom options exist to push routes), the client ovpn-linkup script does not get passed a gateway which leads to pfSense creating a gateway with the same IP address as the interface. This results in dpinger pinging to/from the same address, and breaks things like policy routing rules for the tunnel.

A workaround could be to have the server always push a route for the tunnel network itself, or modify ovpn-linkup to somehow get the `route-gateway` value from the PUSH message rather than relying on the route_vpn_gateway environment variable.

Actions #1

Updated by Marcos M 2 months ago

  • Description updated (diff)
Actions #2

Updated by Jim Pingle 2 months ago

This has always been the case with OpenVPN. It doesn't populate the environment variables because it doesn't think it knows the remote gateway for routes (even though it's on the interface!) if it doesn't get pushed routes. The server can push remote-gateway x.x.x.1 manually or the client can set a route with the gateway explicitly set (e.g. route x.x.x.x 255.255.255.0 x.x.x.1) though either way requires hardcoding something which isn't ideal.

The safer choice is for the server to always push at least one route (e.g. the VPN subnet itself if nothing else) and then for clients allow pushed routes but check "don't add/remove routes".

Actions #3

Updated by Marcos M about 2 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Marcos M
Actions #4

Updated by Jim Pingle about 1 month ago

  • Status changed from Pull Request Review to Resolved
  • % Done changed from 0 to 100

Merged.

I fixed a couple extra things I noticed after merging: https://gitlab.netgate.com/docs/pfSense-docs/-/commit/0eb434070559a2216147942ebe37b955742711ed

Actions

Also available in: Atom PDF