Client Specific Override not working
-
Highly likely I am not doing something correctly.
The main server configuration has the setting to have all client generated traffic forced through the tunnel.
I have configured a CSO for a user to only get 3 internal subnets pushed to them. This works. When I do a route-print on the windows client I see the 3 networks pushed to them but when they access internet sites they are still getting pushed through the tunnel.
How can I have it so that a specific client is set up for split tunnel and all others utilize full tunnel?
-
@michmoor said in Client Specific Override not working:
When I do a route-print on the windows client I see the 3 networks pushed to them but when they access internet sites they are still getting pushed through the tunnel.
I assume that this happens on different clients.
If the client's route table shows its local router as default gateway, I'd not expect that the traffic is routed to the VPN server. However, the client can set the routes on his computer on his own, regardless of what you push to him.
That means the pushed routes are no security settings at all. If you want to allow access only to specific devices, configure the firewall rules on pfSense accordingly, using the tunnel pool you assigned to the client in the CSO.
-
@viragomann Hmm, ok. So short of assigning the client an IP address to control where they can and cannot go, which is fine, that still doesn't address how I can prevent this client from being full-tunnel when I don't want them to be.
-
@michmoor
Yes, exactly.
But you can control his access by firewall rule anyway.
If you allow the client only to access certain machines on your network and block the rest, the client will fail to access the internet if he overrides the pushed routes.
Hence I think he will change his routing again. It is a known issue of some Linux NetworkManager versions to ignore pushed routes.
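One way to put the two replies above into practice, as an added example that is not from this thread or from the pfSense project: the raw OpenVPN client-config-dir entry that a CSO boils down to (fixed tunnel address, the server-wide gateway redirect removed for this one client, three routes pushed), followed by pf rules that enforce the restriction on the tunnel address itself, so it holds even if the client rewrites its own routing table. The subnets, the 10.8.0.0/24 tunnel pool, the address 10.8.0.50, the interface name ovpns1 and the certificate CN are constructed placeholders; `push-remove` needs OpenVPN 2.4 or newer, and `ifconfig-push` is shown in the form used with `topology subnet`.

```text
# ---- OpenVPN client-config-dir entry (file name = client certificate CN) ----
# Constructed example; pfSense writes an equivalent file from the CSO settings.

# Pin this client to a known tunnel address so the firewall can match on it.
ifconfig-push 10.8.0.50 255.255.255.0

# The main server config pushes "redirect-gateway def1" to everyone.
# Drop only that directive for this client; other pushes (DNS etc.) stay.
# (push-reset would instead drop every server-side push for this client.)
push-remove redirect-gateway

# The three internal subnets this client should reach through the tunnel.
push "route 192.0.2.0 255.255.255.0"
push "route 198.51.100.0 255.255.255.0"
push "route 203.0.113.0 255.255.255.0"

# ---- pf rules on the OpenVPN server interface (ovpns1 is a placeholder) ----
# Pushed routes are advisory: the client can add its own default route via
# the tunnel. These rules decide what 10.8.0.50 may actually reach.

table <cso_allowed> { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 }

# Split-tunnel client: only the three subnets, everything else is dropped
# (and logged, so a client that re-adds a default route shows up in the logs).
pass  in quick on ovpns1 inet from 10.8.0.50 to <cso_allowed>
block in quick log on ovpns1 inet from 10.8.0.50 to any

# All other clients in the pool keep the full-tunnel behaviour.
pass  in quick on ovpns1 inet from 10.8.0.0/24 to any
```

Order matters: the two rules for 10.8.0.50 must sit above the catch-all pass for the pool, which is why they carry `quick`.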