4. CSO, route field in server missing?

CSO, route field in server missing?


  • Hello again,

    I`m setting up a remote access ssl/tls+user auth server.
    Server looks like this:

    dev ovpns1
verb 0
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.10.11
tls-server
server 192.168.168.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert_Server_Home' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify 
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
tls-version-min 1.2 or-highest
prng RSA-SHA512 32
fast-io
sndbuf 524288
rcvbuf 524288

    Then I head over to CSO and add NAS.
    ccd looks ok:

    push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
iroute 192.168.5.0 255.255.255.0
ifconfig-push 192.168.168.0 255.255.255.0

    In CSO-NAS under, "IPv4 Remote Network/s" one can read,
    "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.",
    which is correct afaik because server needs "route 192.168.5.0 255.255.255.0".

    However, in server there is no field "IPv4 Remote Networks" which should set the "route 192.168.5.0 255.255.255.0"

    Off course I could add this route to the Custom options field in server but should the "IPv4 Remote Networks" not be there?
    Or is it done through the client-connect/disconnect script? In that case the "NOTE:…." is somewhat confusing?

    Thanks.

    0
  • V

    The "Remote Networks" field is only available in Peer-to-Peer server setup.

    If you want to do it with a remote access server, add a client specific override for that. There the field is also available.

    0

  • Ah I see, thanks, now that you say it ;D

    So that would mean the route in server gets set through client-connect script because when I apply setting, I see no route 192.168.5.0/24 added in server.
    I should try this live but cannot now so I looking at config files what pfS is doing…..

    Thanks again.

    0
  • V

    Yes, that adds no static route. The route will be set when the client connection is established and will be deleted again when the connection is closed.

    0

  • Yes, that is clear to me now.

    I got confused by two things:
    1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."
    2. In Server "Inter-client communication"

    2 should not be ticked as one cannot control "who can see who" if ticked.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy