Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CSO, route field in server missing?

    Scheduled Pinned Locked Moved OpenVPN
    5 Posts 2 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • PippinP
      Pippin
      last edited by

      Hello again,

      I`m setting up a remote access ssl/tls+user auth server.
      Server looks like this:

      dev ovpns1
verb 0
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.10.11
tls-server
server 192.168.168.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert_Server_Home' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify 
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
tls-version-min 1.2 or-highest
prng RSA-SHA512 32
fast-io
sndbuf 524288
rcvbuf 524288

      Then I head over to CSO and add NAS.
      ccd looks ok:

      push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
iroute 192.168.5.0 255.255.255.0
ifconfig-push 192.168.168.0 255.255.255.0

      In CSO-NAS under, "IPv4 Remote Network/s" one can read,
      "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.",
      which is correct afaik because server needs "route 192.168.5.0 255.255.255.0".

      However, in server there is no field "IPv4 Remote Networks" which should set the "route 192.168.5.0 255.255.255.0"

      Off course I could add this route to the Custom options field in server but should the "IPv4 Remote Networks" not be there?
      Or is it done through the client-connect/disconnect script? In that case the "NOTE:…." is somewhat confusing?

      Thanks.

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        The "Remote Networks" field is only available in Peer-to-Peer server setup.

        If you want to do it with a remote access server, add a client specific override for that. There the field is also available.

        1 Reply Last reply Reply Quote 0
        • PippinP
          Pippin
          last edited by

          Ah I see, thanks, now that you say it ;D

          So that would mean the route in server gets set through client-connect script because when I apply setting, I see no route 192.168.5.0/24 added in server.
          I should try this live but cannot now so I looking at config files what pfS is doing…..

          Thanks again.

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            Yes, that adds no static route. The route will be set when the client connection is established and will be deleted again when the connection is closed.

            1 Reply Last reply Reply Quote 0
            • PippinP
              Pippin
              last edited by

              Yes, that is clear to me now.

              I got confused by two things:
              1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."
              2. In Server "Inter-client communication"

              2 should not be ticked as one cannot control "who can see who" if ticked.

              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
              Halton Arp

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.