CSO, route field in server missing?
-
Hello again,
I'm setting up a remote access ssl/tls+user auth server.
Server looks like this:
dev ovpns1
verb 0
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.10.11
tls-server
server 192.168.168.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert_Server_Home' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
tls-version-min 1.2 or-highest
prng RSA-SHA512 32
fast-io
sndbuf 524288
rcvbuf 524288
Then I head over to CSO and add NAS.
ccd looks ok:
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
iroute 192.168.5.0 255.255.255.0
ifconfig-push 192.168.168.0 255.255.255.0
In CSO-NAS under, "IPv4 Remote Network/s" one can read,
"NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.",
which is correct afaik because the server needs "route 192.168.5.0 255.255.255.0". However, in the server there is no field "IPv4 Remote Networks" which should set the "route 192.168.5.0 255.255.255.0".
Of course I could add this route to the Custom options field in the server, but should the "IPv4 Remote Networks" not be there?
Or is it done through the client-connect/disconnect script? In that case the "NOTE: ..." is somewhat confusing? Thanks.
-
The "Remote Networks" field is only available in Peer-to-Peer server setup.
If you want to do it with a remote access server, add a client specific override for that. There the field is also available.
-
Ah I see, thanks, now that you say it ;D
So that would mean the route in the server gets set through the client-connect script, because when I apply the setting, I see no route 192.168.5.0/24 added in the server.
I should try this live but cannot now, so I am looking at the config files to see what pfS is doing... Thanks again.
-
Yes, that adds no static route. The route will be set when the client connection is established and will be deleted again when the connection is closed.
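As an added example that is not part of this thread and not pfSense's own /usr/local/sbin/openvpn.attributes.sh, the following sh hook shows the mechanism the two replies above describe: the CSO's "IPv4 Remote Networks" become iroute lines in the client's ccd file, and one script, run by OpenVPN as both client-connect and client-disconnect, adds the matching kernel route when the session comes up and deletes it when the session ends, so the server config needs no static "route" line. OpenVPN really does export script_type, common_name and dev to both hooks; the ccd directory (same path as the client-config-dir in the server config above), the FreeBSD route(8) syntax and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not pfSense's openvpn.attributes.sh.
# Serves as both client-connect and client-disconnect hook; OpenVPN exports
# script_type, common_name and dev to each. Every iroute line in the client's
# ccd file gets a kernel route added on connect and deleted on disconnect.
# Assumed: CCD_DIR (matches client-config-dir above) and FreeBSD route(8)
# syntax as on pfSense. ROUTE_CMD can be overridden for a dry run.

CCD_DIR="${CCD_DIR:-/var/etc/openvpn-csc/server1}"
ROUTE_CMD="${ROUTE_CMD:-route}"

# Print "network netmask" for every iroute line in a ccd file; nothing if absent.
iroute_networks() {
    [ -f "$1" ] || return 0
    awk '$1 == "iroute" && NF == 3 { print $2, $3 }' "$1"
}

# Map the OpenVPN script_type to a route(8) verb; any other hook type is refused.
route_verb() {
    case "$1" in
        client-connect)    echo add ;;
        client-disconnect) echo delete ;;
        *)                 return 1 ;;
    esac
}

# sync_client_routes SCRIPT_TYPE COMMON_NAME DEV
# Adds or deletes one kernel route per iroute line in $CCD_DIR/COMMON_NAME and
# prints one log line per route. The common name comes from the client's
# certificate (or the username, with username-as-common-name), so it is
# checked before being used as part of a file name.
sync_client_routes() {
    verb=$(route_verb "$1") || { echo "unsupported script_type: $1" >&2; return 1; }
    case "$2" in
        ""|*/*|*..*) echo "refusing common_name '$2'" >&2; return 1 ;;
    esac
    iroute_networks "$CCD_DIR/$2" | while read -r net mask; do
        echo "$1 ($2): route $verb $net $mask via $3"
        "$ROUTE_CMD" "$verb" -net "$net" -netmask "$mask" -iface "$3" >/dev/null 2>&1 \
            || echo "route $verb failed for $net $mask" >&2
    done
}

# Only act when OpenVPN invoked us; sourcing the file for a test does nothing.
if [ -n "${script_type:-}" ]; then
    sync_client_routes "$script_type" "$common_name" "$dev"
fi
```

Because the route lives only as long as the session, a client whose link drops keeps its route until keepalive (10 60 in the server config above) tears the session down and the disconnect hook runs; and since the ccd file is looked up by common name, the hook refuses names that could escape the ccd directory before touching the file system.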
-
Yes, that is clear to me now.
I got confused by two things:
1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."
2. In Server, "Inter-client communication" should not be ticked, as one cannot control "who can see who" if ticked.