Netgate Discussion Forum

    Bug for route in Custom options ?

    Category: OpenVPN
    11 Posts 2 Posters 2.1k Views
    Pippin:

      OpenVPN server: when I add a route to the Custom options, a route gets set in the routing table.

      Custom options:
      route "192.168.5.0 255.255.255.0"  (this is /24)
      *Edit: The route is correctly written in the server config file.

      Route according to Diagnostics/ Routes:
      192.168.5.0/32 192.168.168.2 UGS 0 1500 ovpns1

      Why /32 ?
      Also why GW is 192.168.168.2 ?

      Other route is:
      192.168.168.0/24 192.168.168.1 UGS 0 1500 ovpns1 (tunnel net)

      Related to https://forum.pfsense.org/index.php?topic=115511.msg641139#msg641139 ? ? ?

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

    Pippin:

        When not using "", the route gets set correctly.

        Only I don't understand why the GW is 192.168.168.2 instead of 192.168.168.1.

        ? ? ?

    jimp (Rebel Alliance Developer, Netgate):

          No bug there.

          You don't use quotes with a route statement. You might be thinking of a push route, but there the "route" part is also inside the quotes, as the whole route statement is an argument to push; the parameters to route themselves are not quoted as a whole.

          You don't even need to use route statements, use the "Remote Networks" controls for that and let the GUI sort it out.

          The gateway is determined by OpenVPN internally, and depending on your setup it may be an address that isn't really "there" but it's set so that the OS will put the traffic on the interface, nothing more. OpenVPN handles the rest.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

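The quoting rule jimp describes, as an added example that is not part of the thread or of pfSense/OpenVPN code: a Python model of how OpenVPN tokenizes a config line (a double-quoted run is one argument) and of the documented `route network [netmask [gateway [metric]]]` defaults (netmask 255.255.255.255 when omitted), which reproduces the /32 from the first post. The whitespace-tolerant address parse is an assumption about how that /32 arose.

```python
import ipaddress
import shlex

DEFAULT_NETMASK = "255.255.255.255"   # OpenVPN's documented default for --route


def tokenize(line: str) -> list[str]:
    """Split one config line the way OpenVPN does: whitespace separates
    arguments and a double-quoted run is ONE argument (shlex does the same)."""
    return shlex.split(line, comments=True)


def parse_route(args: list[str]) -> ipaddress.IPv4Network:
    """Resolve `route network [netmask [gateway [metric]]]` to the prefix
    that would land in the routing table."""
    if len(args) < 2 or len(args) > 5 or args[0] != "route":
        raise ValueError(f"malformed route statement: {args}")
    # Assumption modelling the observed /32: BSD inet_aton() stops at the first
    # whitespace and accepts what precedes it, so a quoted
    # "192.168.5.0 255.255.255.0" yields 192.168.5.0 and the netmask text is
    # silently discarded; the netmask then falls back to the /32 default.
    network = args[1].split()[0]
    netmask = args[2] if len(args) > 2 else DEFAULT_NETMASK
    return ipaddress.IPv4Network((network, netmask), strict=False)


def installed_route(line: str) -> str:
    """Prefix a server-side `route ...` line produces, e.g. '192.168.5.0/24'."""
    return str(parse_route(tokenize(line)))


def pushed_route(line: str) -> str:
    """A `push "route ..."` line: the whole route statement is the single
    argument to push, and the client re-tokenizes it, which is why the quotes
    belong around all of it there."""
    args = tokenize(line)
    if len(args) != 2 or args[0] != "push":
        raise ValueError(f"malformed push statement: {args}")
    return str(parse_route(tokenize(args[1])))


if __name__ == "__main__":
    for line in ('route 192.168.5.0 255.255.255.0',
                 'route "192.168.5.0 255.255.255.0"',
                 'push "route 192.168.5.0 255.255.255.0"'):
        fn = pushed_route if line.startswith("push") else installed_route
        print(f"{line:45} -> {fn(line)}")
```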
    Pippin:

            @jimp:

            No bug there.

            Thanks jimp.

            You don't even need to use route statements, use the "Remote Networks" controls for that and let the GUI sort it out.

            I should have mentioned I am using Remote Access; this field is not present.

            I'm using CSO/iroute. Where should I best put the route on the server pointing to the client's LAN? It's not happening automagically.
            In the server Custom options, or set a Static route?
            Static route… I'm not so sure that is "a clean way"?

    jimp (Rebel Alliance Developer, Netgate):

              Don't use Remote Access for site to site. Use Peer-to-Peer SSL/TLS.

    Pippin:

                I'm not sure that can meet the requirements; I've never used PtP.

                I have a few road warriors and 1 NAS 24/7 connected.
                The LAN behind NAS should be available to LAN behind pfS.
                Both sides NATed.
                1 PC should be able to use NAS as exit point, not 24/7 but with a "switch", vpn-on.cmd and vpn-off.cmd

                I thought I will only route LAN behind NAS to LAN behind pfS and also do policy route.

                Don't tell me I need to start all over :)

                But in this case PtP would be better?

    jimp (Rebel Alliance Developer, Netgate):

                  Don't use the same OpenVPN server for remote access clients and site-to-site.

                  Put the NAS on a separate VPN. It doesn't need to be radically different: at least a different tunnel network and port number; it can share the same cert structure.

                  Ideally the site-to-site VPN would have its own CA/Cert/TLS Key/etc, but it's not a hard requirement.

    Pippin:

                    And then route between RA and PtP…
                    Ok, that would save some work I think.

                    Thanks :)

    Pippin:

                      Oh man, the NAS does not support PtP out of the box.
                      Too many Synology scripts to modify, and modifications get lost after updates/reboots.

                      Will rethink this first, thanks…

    jimp (Rebel Alliance Developer, Netgate):

                        To the client there is zero difference between "Remote Access (SSL/TLS)" and "Peer to Peer (SSL/TLS)" modes.

                        The difference is in how the pfSense GUI handles the available options and such. If the client can connect to an RA SSL/TLS VPN, it can connect to a PTP SSL/TLS one.

    Pippin:

                          Ok, I didn't give up… yet :) I read that a Synology NAS can't do site to site, but I guess that goes for being the server.

                          I changed the port number in the NAS config to connect to the correct server, so from the existing RA to PtP.
                          Using the existing config file exported from pfS with inline cert/key/tls.
                          Authentication failing.
                          The PtP server generated a new tls key; I hit my head, I should know...

                          Copied the key over, but then the server log spits:
                          " TLS Auth Error: --client-config-dir authentication failed for common name 'NAS' file='/var/etc/openvpn-csc/server2/NAS' "

                          " '/var/etc/openvpn-csc/server2/NAS' " here my mistake.

                          So now I know this way it`s not working :) Have to export NAS and not use the existing one.

                          Me trying to take shortcuts but eventually it takes longer :)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.