New Content #13270 (closed)
OpenVPN client gateway is incorrect when the server does not push routes
When IPv4 Local network(s) is empty on the server (and no custom options exist to push routes), the client ovpn-linkup script does not get passed a gateway, which leads to pfSense creating a gateway with the same IP address as the interface. This results in dpinger pinging to/from the same address, and breaks things like policy routing rules for the tunnel.

A workaround could be to have the server always push a route for the tunnel network itself, or modify ovpn-linkup to somehow get the `route-gateway` value from the PUSH message rather than relying on the `route_vpn_gateway` environment variable.
Updated by Jim Pingle 2 months ago
This has always been the case with OpenVPN. It doesn't populate the environment variables because it doesn't think it knows the remote gateway for routes (even though it's on the interface!) if it doesn't get pushed routes. The server can push `remote-gateway x.x.x.1` manually or the client can set a route with the gateway explicitly set (e.g. `route x.x.x.x 255.255.255.0 x.x.x.1`) though either way requires hardcoding something which isn't ideal.
The safer choice is for the server to always push at least one route (e.g. the VPN subnet itself if nothing else) and then for clients allow pushed routes but check "don't add/remove routes".
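The failure mode described in this ticket (a gateway entry whose address equals the tunnel interface address, because `route_vpn_gateway` was never set) is easy to guard against in a link-up script. The following POSIX sh functions are an added example written for this page, not pfSense's ovpn-linkup or any code from the ticket: they pick a gateway from the variables OpenVPN exports to an `--up` script (`ifconfig_local`, `ifconfig_remote` for net30/p2p topologies, `route_vpn_gateway` when routes were pushed) and refuse to return one rather than falling back to the interface's own address. Treating a gateway equal to the local address as invalid is a convention chosen for this example, not OpenVPN behaviour.

```sh
# Added example, not pfSense's ovpn-linkup. Assumes the OpenVPN --up script
# environment: ifconfig_local, ifconfig_remote (net30/p2p only) and
# route_vpn_gateway (set only when routes were pushed or route-gateway given).

# resolve_vpn_gateway LOCAL_IP REMOTE_IP PUSHED_GATEWAY
# Prints a usable gateway on stdout; returns 1 when none can be determined,
# so the caller never ends up creating a gateway that points at itself.
resolve_vpn_gateway() {
    local_ip="$1"; remote_ip="$2"; pushed_gw="$3"

    # Preferred source: the gateway OpenVPN derived from pushed routes.
    # A value equal to our own address is useless, so it is treated as unset.
    if [ -n "$pushed_gw" ] && [ "$pushed_gw" != "$local_ip" ]; then
        printf '%s\n' "$pushed_gw"
        return 0
    fi

    # net30 / p2p topology: the peer end of the point-to-point link is the
    # only sensible next hop even without pushed routes.
    if [ -n "$remote_ip" ] && [ "$remote_ip" != "$local_ip" ]; then
        printf '%s\n' "$remote_ip"
        return 0
    fi

    # topology subnet with nothing pushed: nothing trustworthy to use.
    # Fail loudly; the fix belongs on the server (push at least one route).
    return 1
}

# gateway_is_self GATEWAY_IP INTERFACE_IP
# Check for an existing gateway entry exhibiting the bug: gateway == interface.
gateway_is_self() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Stand-alone usage with constructed sample values (OpenVPN would supply these):
if gw=$(resolve_vpn_gateway "${ifconfig_local:-10.8.0.2}" "${ifconfig_remote:-10.8.0.1}" "${route_vpn_gateway:-}"); then
    printf 'tunnel gateway: %s\n' "$gw"
else
    printf 'no gateway available; server pushed no routes\n' >&2
fi
```

A monitoring check built on `gateway_is_self` would have flagged the symptom in this ticket before dpinger started probing its own address.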
Updated by Marcos M about 2 months ago
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
Updated by Jim Pingle about 1 month ago
- Status changed from Pull Request Review to Resolved
- % Done changed from 0 to 100
I fixed a couple extra things I noticed after merging: https://gitlab.netgate.com/docs/pfSense-docs/-/commit/0eb434070559a2216147942ebe37b955742711ed