Netgate Discussion Forum

    Static route via VPN interface binds to lo0 when created from web page, but binds to tun1 when created from command line.

    Routing and Multi WAN · 9 Posts · 3 Posters · 1.2k Views
      winmasta (last edited by winmasta)

      I have an OpenVPN client on a pfSense server up and running. I have assigned a custom interface OPT1 and have created a gateway via that interface. When I try to create a static route using the pfSense web interface via this gateway, I get a route bound to the wrong IP address and the wrong interface, lo0, and of course it doesn't work.
      (screenshot of the routing table)
      But then I remove this static route from the web interface and create the right route via the command line:

      sudo route add -net 8.8.8.8/32 10.10.0.1

      and it works fine.
      (screenshot of the routing table)
      What am I doing wrong?

        kpa

        Don't add static routes for OpenVPN connections on the routing page, use OpenVPN's own push route method to tell the client to add a route when the connection is initialized. Put this in the Advanced Configuration/Custom options box of your OpenVPN server.

        push "route 8.8.8.8 255.255.255.255"
        

        If the server is not under your control you can add the custom option to the OpenVPN client configuration on your pfSense, in that case you'd use just (again Advanced Configuration/Custom options):

        route 8.8.8.8 255.255.255.255
        
          winmasta @kpa

          @kpa thanks for replying.
          When I add

          route 8.8.8.8 255.255.255.255

          to the client Custom config, nothing happens at all.
          When I add

          push "route 8.8.8.8 255.255.255.255"

          to the server config, there is an error in the client log:

          Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
          
            kpa

            You need to disconnect/reconnect on the client for the options to take effect. After doing so take a look at the routing table to verify that the route is there.

            The error on the server side suggests that this is a peer-to-peer setup with a static key, is that right? If so the push options can't be used, you'll have to use route statements in custom options on both sides.

              winmasta @kpa
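The first post shows the symptom (a GUI-created static route bound to lo0 instead of the tunnel interface) and the reply above says to check the routing table after reconnecting. The script below is an added example, not from the thread, that automates that check over `netstat -rn -f inet` output on pfSense/FreeBSD; the routing-table sample and the interface name ovpnc2 (taken from the client log later in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a host route to a VPN-side destination leaves via
# the OpenVPN tun interface and is not bound to lo0.

# Constructed sample of `netstat -rn -f inet` output (FreeBSD column layout:
# Destination Gateway Flags Netif Expire). 8.8.8.8 shows the broken state from
# the first post (bound to lo0); 8.8.4.4 shows a correctly bound route.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
8.8.4.4            10.10.0.1          UGHS      ovpnc2
8.8.8.8            10.10.0.2          UGHS        lo0
10.10.0.0/24       10.10.0.1          UGS       ovpnc2
10.10.0.2          link#6             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.0.2.0/26       link#1             U           em0'

# route_netif ROUTES DEST: print the Netif column of the route whose
# Destination equals DEST exactly (empty output if there is no such route).
route_netif() {
    printf '%s\n' "$1" | awk -v dest="$2" '$1 == dest { print $4; exit }'
}

# check_vpn_route ROUTES DEST EXPECTED_IF: return 0 if the route to DEST is
# bound to EXPECTED_IF, 1 if no route exists, 2 if it is bound to some other
# interface (the lo0 case described in the thread).
check_vpn_route() {
    netif=$(route_netif "$1" "$2")
    if [ -z "$netif" ]; then
        echo "no route for $2" >&2
        return 1
    elif [ "$netif" != "$3" ]; then
        echo "route for $2 is bound to $netif, expected $3" >&2
        return 2
    fi
    echo "route for $2 correctly bound to $3"
    return 0
}
```

Against a live system, call `check_vpn_route "$(netstat -rn -f inet)" 8.8.8.8 ovpnc2`; a return code of 2 reproduces the lo0 symptom from the first post.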

              @kpa Of course I reconnected every time the config on the server or client was changed.
              Yes, it's a peer-to-peer setup with a static key.
              I have added the same string

              route 8.8.8.8 255.255.255.255

              to server.conf and the client Custom options - no effect.

                Derelict (LAYER 8, Netgate)

                Do you have 8.8.8.8 defined anywhere else such as in System > General?

                What routes exist for 8.8.8.8 in Diagnostics > Routes?

                Are there any ifconfig errors logged in the OpenVPN logs?


                  kpa

                  It would help if you posted the connection log from the client here.

                    winmasta @Derelict

                    @derelict Generally I am trying to add a route to a different (not 8.8.8.8) IP address, and it is NOT defined in System > General for sure, and there are no routes for it for sure. There are no errors in either the server or client logs.

                      winmasta @kpa (last edited by winmasta)

                      @kpa Here are parts of my configs:
                      Client: (screenshot)
                      Server ccd: (screenshot)
                      Server server.conf: (screenshot)
                      Server log before client connected: (screenshot)
                      Server log after client connected: (screenshot)
                      Client log:

                      Jul 3 07:45:33 	openvpn 	60153 	Initialization Sequence Completed
                      Jul 3 07:45:33 	openvpn 	60153 	/usr/local/sbin/ovpn-linkup ovpnc2 1500 1570 10.10.0.2 255.255.255.0 init
                      Jul 3 07:45:33 	openvpn 	60153 	/sbin/route add -net 10.10.0.0 10.10.0.1 255.255.255.0
                      Jul 3 07:45:33 	openvpn 	60153 	/sbin/ifconfig ovpnc2 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up
                      Jul 3 07:45:33 	openvpn 	60153 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
                      Jul 3 07:45:33 	openvpn 	60153 	TUN/TAP device /dev/tun2 opened
                      Jul 3 07:45:33 	openvpn 	60153 	TUN/TAP device ovpnc2 exists previously, keep at program end
                      Jul 3 07:45:33 	openvpn 	60153 	ROUTE_GATEWAY CLIENT_EX_IP/255.255.255.192 IFACE=em0 HWADDR=00:0c:29:6c:7e:79
                      Jul 3 07:45:33 	openvpn 	60153 	Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Jul 3 07:45:33 	openvpn 	60153 	Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
                      Jul 3 07:45:33 	openvpn 	60153 	Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Jul 3 07:45:33 	openvpn 	60153 	Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
                      Jul 3 07:45:33 	openvpn 	60153 	OPTIONS IMPORT: route-related options modified
                      Jul 3 07:45:33 	openvpn 	60153 	OPTIONS IMPORT: --ifconfig/up options modified
                      Jul 3 07:45:33 	openvpn 	60153 	OPTIONS IMPORT: timers and/or timeouts modified
                      Jul 3 07:45:33 	openvpn 	60153 	PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.0.2 255.255.255.0'
                      Jul 3 07:45:33 	openvpn 	60153 	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
                      Jul 3 07:45:32 	openvpn 	60153 	[server] Peer Connection Initiated with [AF_INET]VPN_SERVER_EXT_IP:PORT
                      Jul 3 07:45:32 	openvpn 	60153 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                      Jul 3 07:45:32 	openvpn 	60153 	VERIFY OK: depth=0, C=RU, ST=TO, L=Tomsk, O=Kireva, OU=IT_dept, CN=server, name=oneandoneserver, emailAddress=winmasta@kireva.com
                      Jul 3 07:45:32 	openvpn 	60153 	VERIFY EKU OK
                      Jul 3 07:45:32 	openvpn 	60153 	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
                      Jul 3 07:45:32 	openvpn 	60153 	Validating certificate extended key usage
                      Jul 3 07:45:32 	openvpn 	60153 	VERIFY KU OK
                      Jul 3 07:45:32 	openvpn 	60153 	VERIFY OK: depth=1, C=RU, ST=TO, L=Tomsk, O=Kireva, OU=IT_dept, CN=Kireva CA, name=oneandoneserver, emailAddress=winmasta@kireva.com
                      Jul 3 07:45:31 	openvpn 	60153 	TLS: Initial packet from [AF_INET]VPN_SERVER_EXT_IP:PORT, sid=446f96a7 9c4b7ab0
                      Jul 3 07:45:31 	openvpn 	60153 	UDPv4 link remote: [AF_INET]VPN_SERVER_EXT_IP:PORT
                      Jul 3 07:45:31 	openvpn 	60153 	UDPv4 link local (bound): [AF_INET]CLIENT_EXT_IP:0
                      Jul 3 07:45:31 	openvpn 	60153 	Socket Buffers: R=[42080->42080] S=[57344->57344]
                      Jul 3 07:45:31 	openvpn 	60153 	TCP/UDP: Preserving recently used remote address: [AF_INET]VPN_SERVER_EXT_IP:PORT
                      Jul 3 07:45:31 	openvpn 	60153 	Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Jul 3 07:45:31 	openvpn 	60153 	Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
                      Jul 3 07:45:31 	openvpn 	60153 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Jul 3 07:45:31 	openvpn 	60153 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
                      Jul 3 07:45:31 	openvpn 	60082 	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
                      Jul 3 07:45:31 	openvpn 	60082 	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
                      Jul 3 07:45:31 	openvpn 	60825 	SIGTERM[hard,] received, process exiting
                      Jul 3 07:45:31 	openvpn 	60825 	/usr/local/sbin/ovpn-linkdown ovpnc2 1500 1570 10.10.0.2 255.255.255.0 init
                      Jul 3 07:45:31 	openvpn 	60825 	Closing TUN/TAP interface
                      Jul 3 07:45:31 	openvpn 	60825 	event_wait : Interrupted system call (code=4)
                      Jul 3 07:45:29 	openvpn 	60825 	MANAGEMENT: Client disconnected
                      Jul 3 07:45:29 	openvpn 	60825 	MANAGEMENT: CMD 'status 2'
                      Jul 3 07:45:29 	openvpn 	60825 	MANAGEMENT: CMD 'state 1'
                      Jul 3 07:45:29 	openvpn 	7621 	MANAGEMENT: Client disconnected
                      Jul 3 07:45:29 	openvpn 	60825 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
                      Jul 3 07:45:29 	openvpn 	7621 	MANAGEMENT: CMD 'status 2'
                      Jul 3 07:45:29 	openvpn 	7621 	MANAGEMENT: CMD 'state 1'
                      Jul 3 07:45:29 	openvpn 	7621 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock 
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.