Fail to route internet traffic from OpenVPN server side to CLIENT side
-
Update: if OpenVPN server's "IPv4 Tunnel Network" set to /30, it worked. I have to use /24, the remote internet access is down.
-
@upper-deck
That is an expected behavior.
If you have a bigger tunnel subnet than a /30 the client is not unique, because there are multiple client connections possible and hence the server cannot route packets to him without a adding client specific override. -
@viragomann said in Fail to route internet traffic from OpenVPN server side to CLIENT side:
client specific override
client specific override is configured
-
@upper-deck
Is the common name this one you've stated in the clients certificate?
...CA doesn't sound like a client at all.Also consider that you have to enter the client side networks into the server configs "Remote networks" box as well.
-
the common name is "Site2Site_Client_CA"
/ Existing Certificate / Subject ST=, O=, L=Macau, CN=Site2Site_Client_CA, C=**
client side networks is set into the server config
-
@upper-deck
Seems to match.So check the OpenVPN log on the server. There should be an entry, when the client gets determined and the CSO is applied.
-
local works normal. internet still can not be access
-
@upper-deck
So the CSO is working now, I guess.If you didn't set "redirect gateway" on either side and only stated the networks as seen in the screenshot, this should not affect internet traffic at all.
-
There is no "Redirect IPv4 Gateway" option on the client side. Would you please tell me how to do that at the client side? Any suggestion would be appreciated.
-
@upper-deck
As I got you, internet access on the client works well without the VPN, but doesn't if it is connected. So obviously the client set the default route to the server.The server can push this route to the client if you have "redirect gateway checked. But the option exists on the server only in recent pfSense versions.
On the client you can check "don't pull routes" to avoid that the default route is set.