Bug #13278


OpenVPN dynamic gateway created incorrectly when not pulling routes or server pushes no routes

Added by Adrien Carlyle about 2 years ago. Updated about 2 years ago.

Needs Patch
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


IF: I configure OpenVPN client and set the "Don't pull routes" check box
IF: I include the advanced option: pull-filter ignore "redirect-gateway";

pfSense creates a gateway entry for the interface that uses the IP address of the interface instead of the gateway address that is handed out by the server.
This stops any policy based routes from working as expected.

However, if I manually create a gateway that uses the proper address, policy based routes work.

With neither option checked, my routing table has these entries for the ovpnc interface, but ALL traffic is redirected over this tunnel.
Destination Gateway link#13
the dynamic gateway entry shows as the gateway IP address

If I use: pull-filter ignore "redirect-gateway"; the routes added look like this:
Destination Gateway link#13
the dynamic gateway entry uses the "Virtual Address" assigned to the VPN client

Actions #1

Updated by Adrien Carlyle about 2 years ago

This appears to be happening because OpenVPN doesn't populate these environment variables when either option is selected.

Which causes the ovpn-linkup script to use the interface address in the /tmp/interface_router file

I've modified the ovpn-linkup for now as follows and it's putting the value I'd expect to see in the gateway now. Although I'm sure there's a much more sane way to implement a fix for this.

if [ "${dev_type}" = "tun" ]; then

        if [ -n "${route_vpn_gateway}" ]; then
                /bin/echo ${route_vpn_gateway} > /tmp/${1}_router
        elif [ -n "${ifconfig_remote}" ]; then
                /bin/echo ${ifconfig_remote} > /tmp/${1}_router
        elif [ -n "${ifconfig_local}" ]; then
                /bin/echo ${ifconfig_local} > /tmp/${1}_router
                ifconfig ${1} | grep "inet " | cut -f2- -d ">" | cut -f1 -d "n" | sed 's/ //g' > /tmp/${1}_router

Actions #2

Updated by Jim Pingle about 2 years ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from OpenVPN dynamic gateway created incorrectly when not allowing default gateway redirect to OpenVPN dynamic gateway created incorrectly when not pulling routes or server pushes no routes
  • Category changed from OpenVPN to OpenVPN
  • Status changed from New to Needs Patch
  • Affected Plus Version deleted (22.01)

We're aware of this, but it's an OpenVPN bug, not a bug in our code. As you see, the variables are unpopulated even when they should be.

When set not to pull routes, or when the server does not push any routes, OpenVPN cannot determine the remote gateway properly and sets the gateway to its own IP address. In most cases this is harmless, however, because that route just nudges traffic to enter OpenVPN and OpenVPN makes its own routing decisions later. In the non-DCO case this works like it always has, but in the DCO case it can be trickier, though it should work properly on the most recent builds.

One workaround is to allow the client to pull routes (uncheck Don't pull routes) and check Don't add/remove routes instead. That will let OpenVPN find the remote gateway but won't affect the contents of the routing table. This works for the case when the client is opting not to accept routes but it doesn't help when the server doesn't push any routes. Making the server push at least one 'dummy' route to a meaningless network in addition to these client settings will work around it, though.

The code in /usr/local/sbin/ovpn-linkup tries to check route_vpn_gateway and ifconfig_remote but they are both empty so it falls back to ifconfig_local. Looking at the environment variables available there aren't any that have the remote address in there, despite the fact that it's actually on the interface.

Using ifconfig to get the remote address is not a viable long term fix.

There is an OpenVPN bug entry that suggests the empty/unset ifconfig_remote is due to subnet topology, which may be true, though it doesn't explain why it's actually used on the interface but not present in the environment.

There is a separate OpenVPN bug entry about the lack of route_vpn_gateway when no routes are pushed/pulled.

This really needs to be fixed upstream in OpenVPN rather than trying to hack around it locally.


Also available in: Atom PDF