Netgate Discussion Forum
    CSO, route field in server missing?

    Category: OpenVPN
    5 Posts 2 Posters 1.5k Views
    • Pippin

      Hello again,

      I'm setting up a remote access SSL/TLS + user auth server.
      Server looks like this:

      dev ovpns1
      verb 0
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA512
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 192.168.10.11
      tls-server
      server 192.168.168.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server1
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Cert_Server_Home' 1"
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      ca /var/etc/openvpn/server1.ca 
      cert /var/etc/openvpn/server1.cert 
      key /var/etc/openvpn/server1.key 
      dh /etc/dh-parameters.4096
      crl-verify /var/etc/openvpn/server1.crl-verify 
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo adaptive
      persist-remote-ip
      float
      topology subnet
      tls-version-min 1.2 or-highest
      prng RSA-SHA512 32
      fast-io
      sndbuf 524288
      rcvbuf 524288
      

      Then I head over to CSO and add NAS.
      ccd looks ok:

      # pushed to this client: routes for the server-side LANs
      push "route 192.168.10.0 255.255.255.0"
      push "route 192.168.20.0 255.255.255.0"
      push "route 192.168.30.0 255.255.255.0"
      # tells the OpenVPN server that 192.168.5.0/24 lives behind this client;
      # the server also needs a matching kernel "route" for that subnet
      iroute 192.168.5.0 255.255.255.0
      ifconfig-push 192.168.168.0 255.255.255.0
      

      In CSO-NAS, under "IPv4 Remote Network/s", one can read:
      "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.",
      which is correct AFAIK, because the server needs "route 192.168.5.0 255.255.255.0".

      However, in the server there is no "IPv4 Remote Networks" field, which should set the "route 192.168.5.0 255.255.255.0".

      Of course I could add this route to the Custom options field in the server, but shouldn't the "IPv4 Remote Networks" field be there?
      Or is it done through the client-connect/disconnect script? In that case the "NOTE: …" is somewhat confusing?

      Thanks.

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      • viragomann

        The "Remote Networks" field is only available in Peer-to-Peer server setup.

        If you want to do it with a remote access server, add a client specific override for that. There the field is also available.

        • Pippin

          Ah I see, thanks, now that you say it ;D

          So that would mean the route in the server gets set through the client-connect script, because when I apply the setting I see no route 192.168.5.0/24 added in the server.
          I should try this live but cannot right now, so I'm looking at the config files to see what pfSense is doing…

          Thanks again.


          • viragomann

            Yes, that adds no static route. The route will be set when the client connection is established and will be deleted again when the connection is closed.

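The behaviour viragomann describes (kernel route appears on client-connect, disappears on client-disconnect, nothing static in the server config) can be reproduced with a small hook. The script below is an added example written for this thread, not pfSense's own openvpn.attributes.sh, and it assumes a FreeBSD route(8) syntax, the client-config-dir path from the server config above, and the common_name, dev and script_type variables OpenVPN exports to client-connect/client-disconnect hooks. It reads the connecting client's ccd file, turns every "iroute" line into "route add -net … -iface ovpnsN", and reverses that on disconnect; the server still needs the "iroute" in the ccd so OpenVPN knows which client owns the subnet, and the pushed "route" lines remain the client's side of the picture.

```sh
#!/bin/sh
# Added example (not pfSense code): client-connect/client-disconnect hook that
# installs a kernel route for each "iroute" in the client's ccd file and
# removes it again on disconnect. OpenVPN runs hooks with these exported:
#   script_type  = client-connect | client-disconnect
#   common_name  = the client's certificate CN (also the ccd file name)
#   dev          = the tun device, e.g. ovpns1
# Assumptions: FreeBSD route(8) syntax and the ccd path from the server above.

CCD_DIR="${CCD_DIR:-/var/etc/openvpn-csc/server1}"  # assumed client-config-dir
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print commands only

# Print "network netmask" for every iroute line in a ccd file.
# Strips '#' and ';' comments (both are OpenVPN comment markers).
ccd_iroutes() {
    ccd_file="$1"
    [ -r "$ccd_file" ] || return 0
    sed -e 's/[#;].*$//' "$ccd_file" | awk '$1 == "iroute" && NF >= 3 { print $2, $3 }'
}

# Build one route(8) command; action is add or delete.
route_cmd() {
    action="$1"; net="$2"; mask="$3"; dev="$4"
    printf 'route -q -n %s -net %s -netmask %s -iface %s\n' "$action" "$net" "$mask" "$dev"
}

# Map OpenVPN's script_type to a route action; anything else is rejected.
route_action() {
    case "$1" in
        client-connect)    echo add ;;
        client-disconnect) echo delete ;;
        *) return 1 ;;
    esac
}

# Emit (DRY_RUN=1) or execute the route commands for one client.
apply_routes() {
    script_type="$1"; cn="$2"; dev="$3"
    action=$(route_action "$script_type") || { echo "unknown script_type: $script_type" >&2; return 1; }
    # OpenVPN itself refuses ccd names with path separators; this is defence in
    # depth so a hostile CN can never select a file outside CCD_DIR.
    case "$cn" in
        ""|*[!A-Za-z0-9._@-]*) echo "rejecting common_name: $cn" >&2; return 1 ;;
    esac
    ccd_iroutes "$CCD_DIR/$cn" | while read -r net mask; do
        cmd=$(route_cmd "$action" "$net" "$mask" "$dev")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd    # runs as root, since the server above does not drop to nobody
        fi
    done
}

# When invoked by OpenVPN, act on the environment it provides.
if [ -n "$script_type" ] && [ -n "$common_name" ] && [ -n "$dev" ]; then
    apply_routes "$script_type" "$common_name" "$dev"
fi
```

Wired in with the "client-connect" and "client-disconnect" lines already present in the server config (which needs script-security 2 or higher, as it has), a ccd containing "iroute 192.168.5.0 255.255.255.0" yields "route add -net 192.168.5.0 -netmask 255.255.255.0 -iface ovpns1" when the client connects and the matching "route delete" when it leaves, so "netstat -rn" only shows 192.168.5.0/24 while that client is up.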
            • Pippin

              Yes, that is clear to me now.

              I got confused by two things:
              1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."
              2. In Server "Inter-client communication"

              2 should not be ticked, as one cannot control "who can see who" if it is ticked.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.