New Content #13270
closed
OpenVPN client gateway is incorrect when the server does not push routes
Added by Marcos M almost 2 years ago.
Updated almost 2 years ago.
Description
If `IPv4 Local network(s)` is empty on the server (and no custom options exist to push routes), the client `ovpn-linkup` script does not get passed a gateway, which leads to pfSense creating a gateway with the same IP address as the interface. This results in dpinger pinging to/from the same address, and breaks things like policy routing rules for the tunnel.
A workaround could be to have the server always push a route for the tunnel network itself, or modify `ovpn-linkup` to somehow get the `route-gateway` value from the PUSH message rather than relying on the `route_vpn_gateway` environment variable.
- Description updated (diff)
This has always been the case with OpenVPN. It doesn't populate the environment variables because it doesn't think it knows the remote gateway for routes (even though it's on the interface!) if it doesn't get pushed routes. The server can push `remote-gateway x.x.x.1` manually or the client can set a route with the gateway explicitly set (e.g. `route x.x.x.x 255.255.255.0 x.x.x.1`), though either way requires hardcoding something which isn't ideal.
The safer choice is for the server to always push at least one route (e.g. the VPN subnet itself if nothing else) and then for clients to allow pushed routes but check "don't add/remove routes".
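The following is an added illustration, not part of this issue and not pfSense's own `ovpn-linkup` script. It is a constructed POSIX sh emulation of the gateway decision the thread describes: OpenVPN only exports `route_vpn_gateway` when it has routes to install, so a link-up script that falls back to its own interface address ends up with a gateway equal to that address (the dpinger self-ping case). The function `pick_gateway` and the sample addresses below are assumptions made for the example; `route_vpn_gateway`, `ifconfig_local` and `ifconfig_remote` are real OpenVPN script environment variable names, but the fallback order shown is this example's, not the actual script's.

```shell
#!/bin/sh
# Added example (not pfSense code): emulate how a link-up script derives
# the tunnel gateway from OpenVPN's environment, and flag the failure mode
# where the chosen gateway is the interface's own address.
#
# pick_gateway LOCAL_IP ROUTE_VPN_GATEWAY IFCONFIG_REMOTE
#   LOCAL_IP          value of $ifconfig_local (tunnel interface address)
#   ROUTE_VPN_GATEWAY value of $route_vpn_gateway (empty when no routes pushed)
#   IFCONFIG_REMOTE   value of $ifconfig_remote (peer address, p2p topologies)
# Prints the gateway to use and returns 0, or prints INVALID and returns 1
# when the result would equal the local address (the bug in this issue).
pick_gateway() {
    pg_local="$1"
    pg_route_gw="$2"
    pg_remote="$3"

    if [ -n "$pg_route_gw" ]; then
        # Routes were pushed: OpenVPN told us the gateway explicitly.
        pg_gw="$pg_route_gw"
    elif [ -n "$pg_remote" ]; then
        # Point-to-point tunnel: the peer address is the only sane gateway.
        pg_gw="$pg_remote"
    else
        # Nothing usable in the environment: a naive script falls back to
        # its own address, which is the misconfiguration described above.
        pg_gw="$pg_local"
    fi

    if [ "$pg_gw" = "$pg_local" ]; then
        echo "INVALID"
        return 1
    fi
    echo "$pg_gw"
    return 0
}

# gateway_is_self GATEWAY IF_ADDR: a quick check an operator can run against
# an existing pfSense gateway entry; returns 0 when the gateway equals the
# interface address (dpinger would then ping to/from the same address).
gateway_is_self() {
    [ "$1" = "$2" ]
}

# Demonstration with constructed addresses (10.8.0.0/24 tunnel).
echo "pushed routes:    $(pick_gateway 10.8.0.2 10.8.0.1 "")"
echo "p2p topology:     $(pick_gateway 10.8.0.6 "" 10.8.0.5)"
echo "no routes pushed: $(pick_gateway 10.8.0.2 "" "" || true)"
```

The interesting case is the third call: with nothing pushed and no peer address, the only value left is the interface's own address, and the check refuses it. A server that pushes at least one route (even the tunnel subnet itself) populates `route_vpn_gateway` and takes the first branch instead.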
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Status changed from Pull Request Review to Resolved
- % Done changed from 0 to 100