Bug for route in Custom options?

  • OpenVPN server: when adding a route to the Custom options, a route gets set in the routing table.

    Custom options:
    route ""  (this is /24)
    *Edit: Route is correctly written in server config file.

    Route according to Diagnostics/ Routes: UGS 0 1500 ovpns1

    Why /32?
    Also why GW is ?

    Other route is: UGS 0 1500 ovpns1 (tunnel net)

    Related to https://forum.pfsense.org/index.php?topic=115511.msg641139#msg641139 ?

  • When not using "", the route gets set correctly.

    I only don't understand why the GW is instead of

  • Rebel Alliance Developer Netgate

    No bug there.

    You don't use quotes with a route statement. You might be thinking of a push route but then the "route" part is also inside the quotes, as the whole route statement is an argument to push, the parameters to route are not quoted as a whole.

    You don't even need to use route statements, use the "Remote Networks" controls for that and let the GUI sort it out.

    The gateway is determined by OpenVPN internally, and depending on your setup it may be an address that isn't really "there" but it's set so that the OS will put the traffic on the interface, nothing more. OpenVPN handles the rest.
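To make the quoting rule concrete, here is an added illustration (not taken from the reply above or from pfSense's generated config): the server-side `route` directive unquoted, the pushed route quoted as a single argument to `push`, and the per-client `iroute` in a client-config-dir file. The networks 10.8.0.0/24, 192.168.10.0/24 and 192.168.1.0/24 are constructed; the CN `NAS` and the csc path are the ones from this thread.

```conf
# Added example, not the project's own config. Addresses are constructed.

# Tunnel network handed out by this server instance.
server 10.8.0.0 255.255.255.0

# Kernel route on the SERVER for the LAN behind a client: two separate
# arguments (network, netmask), no quotes. Wrapped in quotes, the pair
# becomes one token, the netmask is missing, and OpenVPN falls back to
# its default netmask of 255.255.255.255, hence a /32 host route.
# The gateway is picked by OpenVPN; it only has to land traffic on ovpns1.
route 192.168.10.0 255.255.255.0

# Route pushed to CLIENTS: the whole "route ..." statement is the single
# quoted argument to push, so here "route" sits inside the quotes.
push "route 192.168.1.0 255.255.255.0"

# Per-client overrides; pfSense writes one file per certificate CN here.
client-config-dir /var/etc/openvpn-csc/server2

# ---- contents of /var/etc/openvpn-csc/server2/NAS ----
# iroute tells OpenVPN which connected client owns the network that the
# server's "route" line points at. Without it the kernel route exists but
# OpenVPN has no client to deliver the packets to and drops them.
iroute 192.168.10.0 255.255.255.0
```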

  • @jimp:

    No bug there.

    Thanks jimp.

    You don't even need to use route statements, use the "Remote Networks" controls for that and let the GUI sort it out.

    I should have mentioned I'm using Remote Access; this field is not present.

    I'm using CSO/iroute; where should I best put the route on the server pointing to the client's LAN? It's not happening automagically.
    In the server Custom options, or set a Static route?
    Static route… I'm not so sure that is "a clean way"?

  • Rebel Alliance Developer Netgate

    Don't use Remote Access for site to site. Use Peer-to-Peer SSL/TLS.

  • I'm not sure that can meet the requirements; never used PtP.

    I have a few road warriors and 1 NAS connected 24/7.
    The LAN behind the NAS should be available to the LAN behind pfS.
    Both sides NAT'ed.
    1 PC should be able to use the NAS as an exit point, not 24/7 but with a "switch": vpn-on.cmd and vpn-off.cmd.

    I thought I would only route the LAN behind the NAS to the LAN behind pfS and also do policy routing.

    Don't tell me I need to start all over :)

    But in this case PtP would be better?

  • Rebel Alliance Developer Netgate

    Don't use the same OpenVPN server for remote access clients and site-to-site.

    Put the NAS on a separate VPN. It doesn't need to be radically different, at least a different tunnel network and port number, it can share the same cert structure.

    Ideally the site-to-site VPN would have its own CA/Cert/TLS Key/etc, but it's not a hard requirement.

  • And then route between RA and PtP…
    Ok, that would save some work I think.

    Thanks :)

  • Oh man, NAS does not support PtP out of the box.
    Too many Synology scripts to modify and modifications get lost after updates/reboots.

    Will rethink this first, thanks…

  • Rebel Alliance Developer Netgate

    To the client there is zero difference between "Remote Access (SSL/TLS)" and "Peer to Peer (SSL/TLS)" modes.

    The difference is in how the pfSense GUI handles the available options and such. If the client can connect to an RA SSL/TLS VPN, it can connect to a PTP SSL/TLS one.

  • Ok, I didn't give up… yet :) I read that a Synology NAS can't do site-to-site, but I guess that goes for being the server.

    I changed the port number in the NAS config to connect to the correct server, so from the existing RA to PtP.
    Using the existing config file exported from pfS with inline cert/key/tls.
    Authentication failing.
    The PtP server generated a new TLS key; I hit my head, I should know...

    Copied the key over, but then the server log spits:
    " TLS Auth Error: --client-config-dir authentication failed for common name 'NAS' file='/var/etc/openvpn-csc/server2/NAS' "

    " '/var/etc/openvpn-csc/server2/NAS' " here my mistake.

    So now I know this way it's not working :) Have to export a config for the NAS and not use the existing one.

    Me trying to take shortcuts, but eventually it takes longer :)
