CSO, route field in server missing?

  • Hello again,

    I`m setting up a remote access ssl/tls+user auth server.
    Server looks like this:

    dev ovpns1
    verb 0
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    client-config-dir /var/etc/openvpn-csc/server1
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert_Server_Home' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server1.crl-verify 
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo adaptive
    topology subnet
    tls-version-min 1.2 or-highest
    prng RSA-SHA512 32
    sndbuf 524288
    rcvbuf 524288

    Then I head over to CSO and add NAS.
    ccd looks ok:

    push "route"
    push "route"
    push "route"

    In CSO-NAS under, "IPv4 Remote Network/s" one can read,
    "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.",
    which is correct afaik because server needs "route".

    However, in server there is no field "IPv4 Remote Networks" which should set the "route"

    Off course I could add this route to the Custom options field in server but should the "IPv4 Remote Networks" not be there?
    Or is it done through the client-connect/disconnect script? In that case the "NOTE:…." is somewhat confusing?


  • The "Remote Networks" field is only available in Peer-to-Peer server setup.

    If you want to do it with a remote access server, add a client specific override for that. There the field is also available.

  • Ah I see, thanks, now that you say it ;D

    So that would mean the route in server gets set through client-connect script because when I apply setting, I see no route added in server.
    I should try this live but cannot now so I looking at config files what pfS is doing…..

    Thanks again.

  • Yes, that adds no static route. The route will be set when the client connection is established and will be deleted again when the connection is closed.

  • Yes, that is clear to me now.

    I got confused by two things:
    1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."
    2. In Server "Inter-client communication"

    2 should not be ticked as one cannot control "who can see who" if ticked.