Netgate Discussion Forum

    OpenVPN TLS routing issue, shared key working fine

    viragomann @gandalf33

      @gandalf33
      If this is a site-to-site VPN with a single client only use a /30 tunnel network. Otherwise you need to configure a CSO on the server.

    gandalf33 @viragomann

        @viragomann
        Isn't a /30 incompatible with DCO? I plan to enable DCO once it works.

        Any links to CSO documentation? (Not sure what this is.)

    viragomann @gandalf33

          @gandalf33
          Don't know. I don't use it yet.

          https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html

    gandalf33 @viragomann

            @viragomann

            Yeah, quoting the limitations:
            Using a /30 or smaller tunnel network for peer-to-peer tunnels (one server with one client) is not compatible with DCO. There are problems with the code for this mode in OpenVPN which can lead to failed connections and instability.

    viragomann @gandalf33

              @gandalf33
              So you have to go with CSO.

    gandalf33 @viragomann

                @viragomann

                Any links on how to go about that? What option in particular?

    viragomann @gandalf33

                  @gandalf33
                  Seems to work a bit differently with DCO. From the pfSense book:

                  DCO and Routing
                  DCO does not currently honor internal routes from client-specific overrides (i.e. iroute) for multiple site-to-site clients on a single server, but it does honor kernel route destinations that would normally be ignored by non-DCO OpenVPN.
                  Assign clients static addresses in overrides (after patching #13274) and then setup custom routes in OpenVPN custom options with complete destinations defined or even setup FRR and exchange routes via BGP.

                  So you might not need a CSO for a single client, but rather to add routes.

    gandalf33 @viragomann

                    @viragomann

                    Any guidance on how to do that? I'm still stuck at the very same point :(

    gandalf33

                      Whatever I do, I seem stuck at the very same point (DCO or not, /30 or not).

                      Server
                      LAN: 192.168.1.0/24
                      OpenVPN subnet: 10.8.11.0/24

                      Client
                      LAN: 192.168.0.0/24

                      Did make this CSO:
                      ifconfig-push 10.8.11.2 255.255.255.0;
                      push "route 192.168.1.0 255.255.255.0 10.8.11.1";
                      iroute 192.168.0.0 255.255.255.0;

                      The same ping from the client gateway only works if left to the default source IP; if set to LAN it fails. No trace of a block in the firewall logs.

                      Anybody with an idea on what else I could try?

    viragomann @gandalf33

                        @gandalf33 said in OpenVPN TLS routing issue, shared key working fine:

                        iroute 192.168.0.0 255.255.255.0;

                        iroute does not work with DCO according to the docs.
                        So instead of this line try

                        route 192.168.0.0 255.255.255.0 10.8.11.2;
                        
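As an added worked example (not code from the thread or from pfSense), the following script generates the two option sets discussed above for a single site-to-site client: the classic iroute form in the CSO, and the DCO form where iroute is dropped and a kernel route via the client's static tunnel address goes into the server's custom options, as the quoted pfSense book passage describes. The function name and the validation checks (the /30 rule, addresses inside the tunnel network, no overlapping networks) are my assumptions for illustration; the addresses are the ones posted in the thread.

```python
# Added example, not from the forum thread: emit pfSense OpenVPN option lines for
# a one-client site-to-site TLS server, in classic (iroute) or DCO (kernel route) form.
import ipaddress


def site_to_site_options(server_lan, tunnel_net, server_tun_ip, client_tun_ip,
                         client_lan, dco):
    """Return {'cso': [...], 'server_custom_options': [...]} or raise ValueError.

    Networks are CIDR strings (e.g. '10.8.11.0/24'); lines end with ';' because
    pfSense splits its custom-options fields on semicolons.
    """
    s_lan = ipaddress.ip_network(server_lan, strict=True)
    tun = ipaddress.ip_network(tunnel_net, strict=True)
    c_lan = ipaddress.ip_network(client_lan, strict=True)
    s_ip = ipaddress.ip_address(server_tun_ip)
    c_ip = ipaddress.ip_address(client_tun_ip)

    # pfSense docs quoted in the thread: a /30 or smaller tunnel network is not DCO-compatible.
    if dco and tun.prefixlen >= 30:
        raise ValueError("DCO needs a tunnel network larger than /30, got /%d" % tun.prefixlen)
    if s_ip not in tun or c_ip not in tun:
        raise ValueError("both tunnel addresses must lie inside %s" % tun)
    if s_ip == c_ip:
        raise ValueError("server and client tunnel addresses must differ")
    for a, b in ((s_lan, c_lan), (s_lan, tun), (c_lan, tun)):
        if a.overlaps(b):
            raise ValueError("%s overlaps %s; routing would be ambiguous" % (a, b))

    # Client-specific override: static tunnel address plus the server LAN route pushed to the client.
    cso = [
        "ifconfig-push %s %s;" % (c_ip, tun.netmask),
        'push "route %s %s %s";' % (s_lan.network_address, s_lan.netmask, s_ip),
    ]
    if dco:
        # DCO ignores iroute but honours a kernel route whose gateway is the client's
        # static tunnel address, so the route belongs in the server's custom options.
        server = ["route %s %s %s;" % (c_lan.network_address, c_lan.netmask, c_ip)]
    else:
        # Classic mode: iroute tells OpenVPN which client owns the LAN, and the server
        # still needs a kernel route for that LAN into the tunnel interface.
        cso.append("iroute %s %s;" % (c_lan.network_address, c_lan.netmask))
        server = ["route %s %s;" % (c_lan.network_address, c_lan.netmask)]
    return {"cso": cso, "server_custom_options": server}


if __name__ == "__main__":
    for mode in (False, True):
        out = site_to_site_options("192.168.1.0/24", "10.8.11.0/24", "10.8.11.1",
                                   "10.8.11.2", "192.168.0.0/24", dco=mode)
        print("DCO" if mode else "classic", out)
```

In classic mode pfSense normally generates the server-side route from the "IPv4 Remote Network(s)" field, so the line is shown here only to make the pair explicit.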
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.