VPN setup with Wizard trying to push incorrect route



  • Problem Summary:
    OpenVPN attempting to push the LAN route 192.168.1.1/24, when it should be trying to push 192.168.1.0/24.  Linux client complains.  Route isn't added correctly.

    Details:
    I used the Wizard to set up an OpenVPN server on pfSense, with SSL/TLS and Local Auth, and it's working well.  I'm able to connect from external, route traffic through the VPN, and get to the outside world.

    The issue is with the LAN route that the VPN attempts to push to the remote client.  My LAN is set up as a 192.168.1.0/24 LAN, with the pfSense IP as 192.168.1.1.  The VPN pool is 10.0.0.0/24.  However, the routes that the Wizard configured in the server.conf are:


    server 10.0.0.0 255.255.255.0
    ...
    push "route 192.168.1.1 255.255.255.0"
    ...

    Here's what my client (Linux, OpenVPN, 2.3.2) says:

    TUN/TAP device tun0 opened
    TUN/TAP TX queue length set to 100
    do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 10.0.0.2/24 broadcast 10.0.0.255
    /sbin/ip route add X.X.X.X/32 via 192.168.1.1
    /sbin/ip route add 0.0.0.0/1 via 10.0.0.1
    /sbin/ip route add 128.0.0.0/1 via 10.0.0.1
    /sbin/ip route add 192.168.1.1/24 via 10.0.0.1
    RTNETLINK answers: Invalid argument
    ERROR: Linux route add command failed: external program exited with error status: 2
    Initialization Sequence Completed

    You can see the problem: 192.168.1.1/24 isn't a valid route, 192.168.1.0/24 is.

    Where does the OpenVPN configuration get this route info from, and how can I fix it to use the correct route?
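An added check, written for this thread rather than taken from pfSense or OpenVPN: it scans a server.conf for bare `route` and `push "route ..."` directives and flags any whose network address still has host bits set for the given mask, which is exactly the 192.168.1.1/255.255.255.0 case that makes the Linux client's `ip route add` fail. The sample config below is constructed from the lines quoted in the question.

```python
"""Flag OpenVPN route directives whose network address has host bits set.

Example code added for this thread; it is not pfSense or OpenVPN code.
"""
import ipaddress
import re

# Matches both `route ADDR MASK [...]` and `push "route ADDR MASK [...]"`.
# Optional trailing tokens (e.g. a gateway keyword) are tolerated but ignored.
_ROUTE_RE = re.compile(r'^\s*(?:push\s+")?route\s+([^\s"]+)\s+([^\s"]+)[^"]*"?\s*$')

# Constructed sample modelled on the server.conf excerpt in the question.
SAMPLE_SERVER_CONF = """\
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "route 192.168.1.1 255.255.255.0"
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DNS 192.168.1.1"
"""


def check_route_directives(conf_text):
    """Return [(lineno, given, corrected), ...] for route directives whose
    address is not the network address for its mask.

    Valid directives and lines that are not route directives are skipped, as
    are route directives whose address is not a literal IPv4 address.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = _ROUTE_RE.match(line)
        if not m:
            continue
        addr, mask = m.groups()
        try:
            # strict=False clears the host bits, giving the address OpenVPN
            # (and the kernel) actually expect for this mask.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # e.g. a hostname or keyword instead of a dotted quad
        if ipaddress.ip_address(addr) != net.network_address:
            findings.append((lineno, f"{addr}/{mask}",
                             f"{net.network_address}/{mask}"))
    return findings


if __name__ == "__main__":
    for lineno, given, corrected in check_route_directives(SAMPLE_SERVER_CONF):
        print(f"line {lineno}: {given} has host bits set; use {corrected}")
```

Running it against the sample reports only line 3, the pushed LAN route, and proposes 192.168.1.0/255.255.255.0; the `server` line and the /16 push are left alone because their addresses already sit on the mask boundary.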



  • Very strange. There is no need to push the LAN route anyway, since you route the whole traffic over the VPN.

    If you haven't added the push command manually in the advanced options, it must be set by "IPv4 Local Networks", which is hidden when "Redirect Gateway" is checked.
    So try to edit the server settings, uncheck "Redirect Gateway", delete the entry in "IPv4 Local Networks", check "Redirect Gateway" again and save the settings. Maybe this helps.



  • Ahah, good catch.  This was exactly it: I had set an incorrect subnet myself, then checked "redirect gateway" afterwards.  Seems to have fixed that issue.

    I have an additional routing issue, and if I should start another question, I will.  But I figure I'll try asking here first.

    My local network from which I'm connecting shares the same subnet as the remote LAN.  But I have all traffic set to route through the VPN (the 0.0.0.0/1 route).  The routes are all as follows:

    0.0.0.0/1 via 10.0.0.1 dev tun0
    default via 192.168.1.1 dev wlan0 proto static
    X.X.X.X via 192.168.1.1 dev wlan0
    128.0.0.1/1 via 10.0.0.1 dev tun0
    192.168.1.0/24 dev wlan0

    This should route all traffic through the gateway 10.0.0.1, correct?

    But, when I ping/connect to a random computer on both networks, say 192.168.1.3, it connects to the local one, not the remote one.

    What's wrong with the routing table that this is happening?
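An added illustration (not part of this thread) of why the routing table above sends 192.168.1.3 to the local Wi-Fi network rather than over the tunnel: the kernel picks the most specific matching prefix, and the connected route 192.168.1.0/24 on wlan0 is far more specific than the two /1 routes pointing at 10.0.0.1. The table below is constructed from the one posted; 203.0.113.10 stands in for the redacted VPN server address (X.X.X.X), and 128.0.0.0/1 is the prefix OpenVPN's redirect-gateway actually installs, as the client log earlier in the thread shows. Metrics are assumed equal, so ties are not modelled.

```python
"""Longest-prefix-match lookup over an `ip route` style table.

Example code added for this thread; it reproduces the kernel's route
selection rule, not any OpenVPN or pfSense code.
"""
import ipaddress

# Constructed table modelled on the one posted above.
# 203.0.113.10 is a documentation address standing in for X.X.X.X.
ROUTING_TABLE = """\
0.0.0.0/1 via 10.0.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto static
203.0.113.10 via 192.168.1.1 dev wlan0
128.0.0.0/1 via 10.0.0.1 dev tun0
192.168.1.0/24 dev wlan0
"""


def parse_routes(text):
    """Parse `ip route` style lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, via, dev))
    return routes


def lookup(routes, destination):
    """Return (prefix, via, dev) of the longest matching route, or None.

    This is the rule the kernel applies: among all routes containing the
    destination, the one with the longest prefix length wins, regardless of
    the order the routes were added.
    """
    ip = ipaddress.ip_address(destination)
    best = None
    for net, via, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for host in ("192.168.1.3", "8.8.8.8", "172.16.5.5", "203.0.113.10"):
        print(host, "->", lookup(table, host))
```

For 192.168.1.3 the /24 connected route wins over both /1 routes, so the packet goes out wlan0 to the local machine and never enters the tunnel; for an address such as 8.8.8.8 the /1 routes win over the /0 default and traffic goes via 10.0.0.1 on tun0. No ordering of routes changes this, which is why renumbering one of the two overlapping LANs is the only fix.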



  • Routes cannot override local network settings. You will have to change one of the subnets.
    Networks like 192.168.1.1/24 are very often used as the default on routers. It's advisable to change those settings and avoid using one of the defaults.



  • Thanks for the reply. After thinking about it, I too realized that this probably won't work. Oh well.  Much appreciated!

