2.4 route to multiple 'local networks' with User Auth



  • Hey friends!

    tl;dr - user auth + multiple 'local networks'... how? (see two questions below)

    A few weeks ago, I had utopia and, of course, I didn't back it up :)
    I had upgraded all my working 2.3.x installs to 2.4 and then had a power outage on my 'main' router, an SG-4860, and lost the board. It was RMA'ed (with much appreciation to Netgate for the awesome service), and I'm almost back in business. I restored from an older backup from a VT-based device and got most of my functionality back.

    My topology is:
      [pfSense C (10.75.1.0/24)] <---IPsec---> [pfSense A (10.15.1.0/24)] <--OpenVPN--> [pfSense B (10.50.1.0/24)]
    B and C are also connected to one another via OpenVPN (but I can't figure out how to draw that in ascii ;)  )

    A, B, and C, all have Road Warrior servers too, all using LDAP-based user authentication.

    I share this background only because it seems important to know the following:
    In 2.3 in Road Warrior, there was a field for local network(s). On pfSense A, I had the following listed as local networks:
    10.15.1.0/24 (the actual LAN of that pfSense box)
    10.50.1.0/24 (lan of pfSense B)
    10.75.1.0/24 (lan of pfSense C)

    (and I also included all the tunnel networks from the various Road Warrior tunnels so clients could reach each other regardless of endpoint).

    Now, in 2.4, it seems the only way to add local networks is in client specific overrides.

    So I have two questions (I think)

    1. With User Auth, do I have to create an override for every single user? That seems really complex. I tried just the certificate common name, but it doesn't work. My client (OpenVPN on iOS) only picks up client-specific override settings if the user name is a match.

    2. Is there a more preferred way to set these local networks? Should I go back to pushing routes in the custom config?


  • Rebel Alliance Developer Netgate

    The local networks option is still there in 2.4. No need to do it with overrides.

    The only time the local networks option is hidden with that kind of setup is if you have set the option to redirect all traffic over the tunnel ("Force all client-generated traffic through the tunnel."), and in that case local networks are redundant because all of the user's traffic is already going over the tunnel, so sending a specific route for your other subnets is unnecessary.
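As an added illustration (not code from the thread or from pfSense itself), the following shows what the "Local Network(s)" field amounts to in the generated OpenVPN server config: one `push "route ..."` per subnet, or a single `push "redirect-gateway def1"` when the force-all-traffic option is set, in which case the per-subnet routes are redundant as the reply says. The function name and the tunnel network value 10.15.8.0/24 are assumptions; it also checks that no listed subnet overlaps the server's own tunnel network, which would produce a conflicting route on the client.

```python
import ipaddress


def local_networks_to_push(local_networks, tunnel_network, redirect_gateway=False):
    """Translate a pfSense-style 'Local Network(s)' value into OpenVPN push directives.

    local_networks   -- comma-separated CIDRs, as typed into the pfSense field
    tunnel_network   -- the server's own tunnel network (clients route it via ifconfig)
    redirect_gateway -- the 'Force all client-generated traffic through the tunnel' box
    """
    # With redirect-gateway every client route already goes over the tunnel,
    # so pushing individual subnet routes would be redundant.
    if redirect_gateway:
        return ['push "redirect-gateway def1"']

    tunnel = ipaddress.ip_network(tunnel_network)  # hypothetical value, see lead-in
    directives = []
    for cidr in (c.strip() for c in local_networks.split(",") if c.strip()):
        net = ipaddress.ip_network(cidr)  # strict: host bits set raise ValueError
        if net.overlaps(tunnel):
            # A 'local network' that collides with the tunnel itself would push a
            # route that fights the client's own tunnel interface route.
            raise ValueError(f"{net} overlaps the tunnel network {tunnel}")
        if net.version == 4:
            directives.append(f'push "route {net.network_address} {net.netmask}"')
        else:
            directives.append(f'push "route-ipv6 {net.with_prefixlen}"')
    return directives


if __name__ == "__main__":
    # Constructed input mirroring the thread: pfSense A's LAN plus the LANs of B and C.
    nets = "10.15.1.0/24, 10.50.1.0/24, 10.75.1.0/24"
    for line in local_networks_to_push(nets, "10.15.8.0/24"):
        print(line)
    print(local_networks_to_push(nets, "10.15.8.0/24", redirect_gateway=True)[0])
```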
