New Content #13270
closed
OpenVPN client gateway is incorrect when the server does not push routes
100%
Description
If IPv4 Local network(s) is empty on the server (and no custom options exist to push routes), the client ovpn-linkup script does not get passed a gateway which leads to pfSense creating a gateway with the same IP address as the interface. This results in dpinger pinging to/from the same address, and breaks things like policy routing rules for the tunnel.
A workaround could be to have the server always push a route for the tunnel network itself, or modify ovpn-linkup to somehow get the `route-gateway` value from the PUSH message rather than relying on the route_vpn_gateway environment variable.
Updated by Jim Pingle almost 2 years ago
This has always been the case with OpenVPN. It doesn't populate the environment variables because it doesn't think it knows the remote gateway for routes (even though it's on the interface!) if it doesn't get pushed routes. The server can push remote-gateway x.x.x.1 manually or the client can set a route with the gateway explicitly set (e.g. route x.x.x.x 255.255.255.0 x.x.x.1) though either way requires hardcoding something which isn't ideal.
The safer choice is for the server to always push at least one route (e.g. the VPN subnet itself if nothing else) and then for clients allow pushed routes but check "don't add/remove routes".
Updated by Marcos M almost 2 years ago
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
Updated by Jim Pingle almost 2 years ago
- Status changed from Pull Request Review to Resolved
- % Done changed from 0 to 100
Merged.
I fixed a couple extra things I noticed after merging: https://gitlab.netgate.com/docs/pfSense-docs/-/commit/0eb434070559a2216147942ebe37b955742711ed