Netgate Discussion Forum
    How to Correctly Modify Routes for OpenVPN Clients?

    • GruensFroeschli

      If you want to use the redirect option, try reading the official OpenVPN howto:
      http://openvpn.net/howto.html#redirect

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • strick1226

        Thanks for the link!  I read over the howto 500 times last night but missed this part.

        Hopefully you can set this so it's a partial redirect, only for certain networks/addresses?  Will try this tonight.

        Thanks again!

        • strick1226

          OK, I tried putting this in my custom options line in the pfSense OpenVPN server settings:

          push "redirect-gateway def1"
          

          Still no go.  It looks like I have DNS, as a tracert shows name resolution is working, but it dies at the gateway address of the OpenVPN tunnel (in this case, my machine is at 192.168.51.6, the gateway is displayed as 192.168.51.5).

          Do I have to add extra rules somewhere to allow the traffic?  Looking through this m0n0wall guide it sounds like they have a very handy OpenVPN tab in the firewall rules:

          http://www.closeconsultants.com/~peter/m0n0-ovpn-wifi.html  (all the way at the bottom)

          I can't find anything that looks like a way to specify to allow OpenVPN traffic to utilize the pfSense gateway…

          • strick1226

            OK, I think I finally have this figured out.

            Sorta.

            I misunderstood the correct address range assignments.

            My setup:

            LAN: 192.168.50.1

            Was trying to set OpenVPN machines to address pool of 192.168.200.0/24.  Not working…

            Just tried 192.168.50.0/25 for my address pool.  Holy crap it works!

            I thought that was going to overrun the original IP range...
            I should have read up more on TCP/IP :)

            • strick1226

              OK…

              So if I set my OpenVPN machines address pool to 192.168.50.0/25 then I can access all addresses through the VPN--EXCEPT my workstations from 192.168.50.60-65 .
              If I set my OpenVPN machines address pool to 192.168.51.0/25 then I can access my workstations from 192.168.50-65, but not a single other thing.

              Am I missing something really basic here?  Sorry if this is a stupid question...

              • luma

                I think you forgot to enable advanced outbound NAT for your ovpn client network (ex : 192.168.200.0/24).

                So you will be allowed to go out through your OVPN server!

                • strick1226

                  luma,

                  Thanks for the reply.  Man, I hope this is it!  :)

                  Will try tonight and report back.

                  • luma

                    I hope too :)

                    • strick1226

                      luma,

                      That's EXACTLY what it was!!!!

                      I owe you a cold one!  Heck, make that 12.  :D

                      Thanks for your help!!!

                      • luma

                        Good news!
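
Added example, not part of any post in this thread: a Python check of the address pools tried above against the LAN and against the outbound NAT source networks that luma's reply points to. The /24 LAN mask and the `nat_sources` list are assumptions; the thread gives only the LAN address 192.168.50.1, and the list is a constructed stand-in, not a pfSense data format.

```python
import ipaddress

# Assumption: the LAN is a /24; the thread only gives the address 192.168.50.1.
LAN = ipaddress.ip_network("192.168.50.0/24")
# Workstations named in the thread (192.168.50.60-65).
WORKSTATIONS = [ipaddress.ip_address(f"192.168.50.{n}") for n in range(60, 66)]


def check_pool(pool_cidr, nat_sources, lan=LAN, hosts=WORKSTATIONS):
    """Review an OpenVPN address pool against the LAN and outbound NAT sources.

    nat_sources is a constructed stand-in for the source networks of the
    firewall's outbound NAT rules; it is not a pfSense data format.
    """
    pool = ipaddress.ip_network(pool_cidr)
    nat_nets = [ipaddress.ip_network(n) for n in nat_sources]
    return {
        "pool": str(pool),
        # An overlapping pool makes addresses ambiguous between tunnel and LAN.
        "overlaps_lan": pool.overlaps(lan),
        # LAN hosts whose addresses also fall inside the tunnel pool.
        "shadowed_hosts": [str(h) for h in hosts if h in pool],
        # Without a NAT rule covering the pool, client traffic leaves the WAN
        # with a private source address that cannot be routed back.
        "nat_covers_pool": any(pool.subnet_of(n) for n in nat_nets),
    }


if __name__ == "__main__":
    nat_lan_only = ["192.168.50.0/24"]  # constructed: NAT for the LAN only
    for cidr in ("192.168.200.0/24", "192.168.50.0/25", "192.168.51.0/25"):
        print(check_pool(cidr, nat_lan_only))
    # After adding an outbound NAT source for the client network:
    print(check_pool("192.168.200.0/24", nat_lan_only + ["192.168.200.0/24"]))
```

A pool that is separate from the LAN and covered by an outbound NAT source (the last call) passes both checks.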