How to fix "WARNING: You have specified redirect-gateway and redirect-private at the same time"

shoulders · Mar 20, 2023, 3:08 PM

I have configured an OpenVPN server (tun) with only IPv4 enabled and I have the Redirect IPv4 Gateway option enabled.

I then always get the following error on connection:

WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results

if i do not use the pfsense option Redirect IPv4 Gateway I do not get this error.
I have looked in the pfsense .OPVN file in /var/etc/openvpn/server1/ and cannot see any mention of redirect-private
I cannot see what options are pushed
I am using the OpenVPN GUI/Client v11.31.0.0 / 2.5.8 on Windows 10

What does this error mean and how can I stop it but still use redirect-gateway?

Thanks

viragomann · Mar 20, 2023, 4:55 PM

@shoulders
If you remove the check mark at "redirect gateway" are there any entries in "Local Networks"? If so remove them and re-check redirect gateway.

shoulders · Mar 20, 2023, 5:03 PM

@viragomann nothing present and still getting the error, but good try thanks

viragomann · Mar 20, 2023, 5:06 PM

@shoulders
I assume, you get this message on the client. Can you post the whole push message from the client log?

shoulders · Mar 20, 2023, 5:45 PM

@viragomann Awesome Solution :), thanks

This is a follow-up:

Earlier on I did remove 10.0.0.0/24 from the IPv4 Local Networks but I was still getting the error so I thought that did not fix it. I had in the Custom options the following command

push "redirect-gateway def1 block-local"

I removed this and now I am not getting the message so I cannot send you the log now because it is fixed, but it turns out your were right. So the 3 things that can cause this error

when Redirect IPv4 Gateway is enabled there is an entry in the hidden field IPv4 Local network(s)
you have enabled Redirect IPv6 Gateway but do not have IPv6 enabled
overriding the redirect-gateway in Custom Options

This is an old log:

Sat Mar 18 18:08:16 2023 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec  2 2022
Sat Mar 18 18:08:16 2023 Windows version 10.0 (Windows 10 or greater) 64bit
Sat Mar 18 18:08:16 2023 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Sat Mar 18 18:08:18 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:2727
Sat Mar 18 18:08:18 2023 UDPv4 link local: (not bound)
Sat Mar 18 18:08:18 2023 UDPv4 link remote: [AF_INET]123.123.123.123:2727
Sat Mar 18 18:08:18 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Mar 18 18:08:19 2023 [pfSense Server Certificate] Peer Connection Initiated with [AF_INET]123.123.123.123:2727
Sat Mar 18 18:08:19 2023 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Sat Mar 18 18:08:19 2023 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Sat Mar 18 18:08:19 2023 open_tun
Sat Mar 18 18:08:19 2023 tap-windows6 device [OpenVPN TAP-Windows6] opened
Sat Mar 18 18:08:19 2023 Set TAP-Windows TUN subnet mode network/local/netmask = 10.217.1.0/10.217.1.2/255.255.255.0 [SUCCEEDED]
Sat Mar 18 18:08:19 2023 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.217.1.2/255.255.255.0 on interface {39A232AE-AE2D-4EFC-9BCD-7159D7CFE9B1} [DHCP-serv: 10.217.1.0, lease-time: 31536000]
Sat Mar 18 18:08:19 2023 Successful ARP Flush on interface [7] {39A232AE-AE2D-4EFC-9BCD-7159D7CFE9B1}
Sat Mar 18 18:08:19 2023 IPv4 MTU set to 1500 on interface 7 using service
Sat Mar 18 18:08:20 2023 Blocking outside dns using service succeeded.
Sat Mar 18 18:08:25 2023 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for OpenVPN TAP-Windows6, therefore the route installation may fail or may not work as expected.
Sat Mar 18 18:08:25 2023 add_route_ipv6(::/3 -> :: metric -1) dev OpenVPN TAP-Windows6
Sat Mar 18 18:08:25 2023 add_route_ipv6(2000::/4 -> :: metric -1) dev OpenVPN TAP-Windows6
Sat Mar 18 18:08:25 2023 add_route_ipv6(2727::/4 -> :: metric -1) dev OpenVPN TAP-Windows6
Sat Mar 18 18:08:25 2023 add_route_ipv6(fc00::/7 -> :: metric -1) dev OpenVPN TAP-Windows6
Sat Mar 18 18:08:25 2023 Initialization Sequence Completed
Sat Mar 18 18:08:25 2023 Register_dns request sent to the service