Netgate Discussion Forum
    OpenVPN no Gateway assigned to client

    • Stewart

      I've seen this pop up a few times but can't seem to find out what's going on.  I have OpenVPN set up for end users to connect in.  It connects, an IP is issued, the DNS server is issued, but no Gateway is issued.  The logs show the user is connected and authenticated.  I thought it would either automatically assign the Gateway or give me a spot to put it in.  Neither is the case.  What am I missing?

      Thanks in advance!

      • Derelict LAYER 8 Netgate

        OpenVPN does not assign a gateway.

        It installs two routes: 0.0.0.0/1 and 128.0.0.0/1

        These cover the entire IPv4 internet, are more specific than 0.0.0.0/0 so they are preferred, and relieve OpenVPN of the duty to save and put back the existing default gateway when it closes.

        This is governed by the Redirect IPv4 Gateway checkbox in the server configuration.

        The client can also choose to ignore the gateway routes pushed by the server. In the pfSense client configuration, that is the Don't pull routes checkbox.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Stewart
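        The longest-prefix-match behaviour Derelict describes, as an added example that is not part of the thread: a toy routing table in Python showing that 0.0.0.0/1 and 128.0.0.0/1 together cover all of IPv4, win over the untouched 0.0.0.0/0 default, and still lose to the more specific LAN and VPN-endpoint routes; dropping the two tun0 routes mimics the "Don't pull routes" client option. Interface names and addresses are constructed, not from the thread.

```python
"""Why OpenVPN's Redirect IPv4 Gateway pushes two /1 routes instead of a new default."""
import ipaddress

# Constructed sample table (not from the thread): the original default route,
# the local LAN, the VPN server's host route (kept on the physical path so the
# tunnel is never routed into itself) and the two half-internet routes that
# OpenVPN installs when the server pushes redirect-gateway.
ROUTES = [
    ("0.0.0.0/0", "em0 via 192.0.2.1"),       # original default gateway, untouched
    ("192.0.2.0/24", "em0 link"),             # local LAN stays local
    ("203.0.113.5/32", "em0 via 192.0.2.1"),  # VPN server endpoint
    ("0.0.0.0/1", "tun0"),                    # pushed by OpenVPN: 0.0.0.0-127.255.255.255
    ("128.0.0.0/1", "tun0"),                  # pushed by OpenVPN: 128.0.0.0-255.255.255.255
]


def lookup(dst, routes=ROUTES):
    """Return the next hop for dst using longest-prefix match, as the kernel does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def covers_all_ipv4(prefixes):
    """True when the (disjoint) prefixes together cover every IPv4 address."""
    total = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return total == 2 ** 32


def without_vpn_routes(routes=ROUTES):
    """Simulate the client's 'Don't pull routes' option: ignore what the server pushed."""
    return [r for r in routes if r[1] != "tun0"]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.7", "192.0.2.50", "203.0.113.5"):
        print(f"{dst:>15} -> {lookup(dst)}   (no pulled routes: {lookup(dst, without_vpn_routes())})")
    print("0/1 + 128/1 cover all IPv4:", covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
```

Note that removing the tunnel restores the original default route with nothing to put back, which is exactly the benefit Derelict points out.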

          @Derelict:

          OpenVPN does not assign a gateway.

          It installs two routes: 0.0.0.0/1 and 128.0.0.0/1

          These cover the entire IPv4 internet, are more specific than 0.0.0.0/0 so they are preferred, and relieve OpenVPN of the duty to save and put back the existing default gateway when it closes.

          This is governed by the Redirect IPv4 Gateway checkbox in the server configuration.

          The client can also choose to ignore the gateway routes pushed by the server. In the pfSense client configuration, that is the Don't pull routes checkbox.

          I didn't realize that.  I didn't even bother to work on firewall rules since I was trying to troubleshoot the Gateway issue.  I added the rule in Firewall - Rules - OpenVPN to allow the IP range and now it's connecting out.  Thanks!

          • Derelict LAYER 8 Netgate

            Right. The OpenVPN rules also need to pass traffic to any (after blocking access to anything it needs to block) in order for the clients to be able to use the global internet across the tunnel.


            • Stewart

              @Derelict:

              Right. The OpenVPN rules also need to pass traffic to any (after blocking access to anything it needs to block) in order for the clients to be able to use the global internet across the tunnel.

              Thanks a bunch. One other question about passing DNS, though. I have the DNS server passed through so the laptop is pointing to the Domain Controller for DNS across the VPN. It properly queries for resolution for external addresses, but not internal machines. For example, the server name is ServerDC. If I run "nslookup ServerDC 192.168.100.10" I get "UnKnown can't find ServerDC: Server failed".
              If I run "nslookup yahoo.com 192.168.100.10" it resolves properly.
              Both work from PCs inside the network, so I'm thinking it's a VPN thing. Any ideas?

              • Derelict LAYER 8 Netgate

                You need to set the search domain properly on the client if you expect it to append the domain name in a lookup. Try resolving the FQDN. If that works it's a search domain problem.


                • Stewart

                  @Derelict:

                  You need to set the search domain properly on the client if you expect it to append the domain name in a lookup. Try resolving the FQDN. If that works it's a search domain problem.

                  Precisely correct. I thought I had tried that, but I went back through and looked at my previous pings and found I had misspelled it. This is primarily for VPN-protected RDP access, so I can just use the FQDN of the server and it pops them in just fine. Thanks again for your help! You learn something new every day!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.