CSO routes are not being applied
-
I posted this question a few hours ago on /r/pfsense but without an answer there, I decided to give the forums here a shot.
The tl;dr is that I have two pfSense installations connected via OpenVPN, with a remote network defined in a CSO on the server. That CSO is being read and parsed properly, and the correct route is showing up on the OpenVPN Status page in the web GUI under "Routing Table"; however, the route is not actually being applied on the server, and traceroutes to that network go out the default gateway/upstream. Netstat -nr on the server doesn't show it, and traffic to the specified LAN is not being routed. The route command (route add 192.168.128.0 255.255.255.0 192.168.120.66) works fine if I issue it manually via SSH after the tunnel is brought up.
The server is 2.4.4-RELEASE-p3 and running in Remote Access (SSL/TLS + User Auth) mode; the client is 2.4.5-RELEASE in Peer to Peer (SSL/TLS) mode with user authentication enabled and the shared TLS key in place. The connection and authentication work just fine.
A screenshot showing the CSO being properly read and parsed is here: The public IPs and the CN are redacted in the image, but they are correct and match.
Any thoughts on why the route isn't actually being added would be helpful.
-
Well, it appears that the pfSense GUI is simply hiding the IPv4 Remote Networks option that I need to set on the main page, since I've selected a "Remote Access" mode. This is somewhat disappointing, since that isn't even an OpenVPN "thing", just a pfSense "thing" to determine what GUI options to show and what options to hide.
Guess I'm off to file a bug report / feature request to ask that we get a 5th "type" option for OpenVPN servers called "I know what I'm doing, don't hide any options from me."
In the meantime, for anyone running into this, I think the only way to address it without having to create a separate server on another port so you can run it as "peer to peer" is to assign an interface to the OpenVPN instance, which you can then use to assign a gateway and a static route in the main pfSense routing configuration.
Ugh.
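As an added example (not from the original thread or from pfSense itself): a shell check for the mismatch described above. An `iroute` in a CSO only tells the OpenVPN daemon which client owns a subnet; the kernel route comes from a `route` statement in the server config, which pfSense generates from the IPv4 Remote Networks field. The script compares constructed sample files; the temp paths, CN "site-b" and networks are made up for the demo.

```shell
#!/bin/sh
# Added example: flag every `iroute` in a CSO directory that has no matching
# `route` line in the server config. Without the `route`, the kernel never
# sends the subnet into the tunnel, so traffic leaves via the default gateway.
# All files below are constructed for the demo, not real pfSense paths.

WORK=$(mktemp -d)
SERVER_CONF="$WORK/server1.conf"
CSO_DIR="$WORK/csc"
mkdir -p "$CSO_DIR"

# Constructed server config: IPv4 Remote Networks was hidden in the GUI, so no
# `route` line was generated for 192.168.128.0/24 (only 10.50.0.0/24 has one).
cat > "$SERVER_CONF" <<'EOF'
dev ovpns1
server 192.168.120.64 255.255.255.192
route 10.50.0.0 255.255.255.0
EOF

# Constructed CSO for the peer with CN "site-b" (placeholder CN).
cat > "$CSO_DIR/site-b" <<'EOF'
iroute 192.168.128.0 255.255.255.0
iroute 10.50.0.0 255.255.255.0
EOF

# Usage: find_missing_routes <server.conf> <cso-dir>
# Prints one line per unmatched iroute; returns 1 if any were found.
find_missing_routes() {
    conf=$1; csodir=$2; status=0
    for cso in "$csodir"/*; do
        [ -f "$cso" ] || continue
        # Emit "network/mask" pairs so the outer loop splits on whitespace only.
        for entry in $(awk '$1=="iroute" && NF>=3 {print $2 "/" $3}' "$cso"); do
            net=${entry%/*}; mask=${entry#*/}
            if ! awk -v n="$net" -v m="$mask" \
                   '$1=="route" && $2==n && $3==m {f=1} END {exit (f ? 0 : 1)}' "$conf"; then
                echo "$(basename "$cso"): iroute $net $mask has no matching route"
                status=1
            fi
        done
    done
    return $status
}

find_missing_routes "$SERVER_CONF" "$CSO_DIR" \
    || echo "Add the listed networks to IPv4 Remote Networks (server route lines)."
```

On a real box, point the two arguments at the generated server config and its client-specific override directory instead of the constructed files.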