OpenVPN split / full tunnel with Client Specific Overrides
-
I have working OpenVPN split tunnel on pfSense 2.8.1 configured on server instance with Radius TOTP as auth backend, device mode tun, IPv4 tunnel network 10.250.0.0/24 and topology subnet. Tunnel network has limited access to LAN net as defined with firewall rule for that network, clients use their own local network for Internet access, everything works.
I tried to add full tunnel users (entire traffic including Internet through pfSense) using Client Specific Overrides with no success. IPv4 Tunnel Network for those users is 10.250.1.0/24.
I also experimented with other tunnel networks, Reset Server Options active / keep all server options, tried with several advanced options like ifconfig-push 10.250.1.2 255.255.255.252, push "topology subnet" etc ... just can't get it to work. Clients connect but they can't access anything.
Are there any tutorials how to configure full tunnel with Client Specific Overrides?
What am I doing wrong? Thanks.
-
@ivica.glavocic said in OpenVPN split / full tunnel with Client Specific Overrides:
I tried to add full tunnel users (entire traffic including Internet trough pfSense)
Appropriate NAT rules may be necessary on (at least) the WAN interface.
What route/s are being 'pushed' to the tunnel-all OVPN clients and how? Can you screencap a Client Specific Override example?
-
@tinfoilmatt said in OpenVPN split / full tunnel with Client Specific Overrides:
Appropriate NAT rules may be necessary on (at least) the WAN interface.
What route/s are being 'pushed' to the tunnel-all OVPN clients and how? Can you screencap a Client Specific Override example?
In Client Specific Override, option "Redirect IPv4 Gateway" (Force all client generated IPv4 traffic through the tunnel) is active, that pushes 0.0.0.0/0 to client.
I think I found a problem - if "Reset all options" is selected (in my CSO it is), client defaults to net30 topology, so I added push "topology subnet" and now it works.
Split / Full tunnel architecture is common today in any firewall, I think this scenario should be added to official documentation.
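To make the pitfall from this post checkable, here is an added lint (not code from the thread, pfSense or OpenVPN) that reads the per-client override text OpenVPN receives from a client-config-dir file and flags the two things a full-tunnel override needs: a pushed `redirect-gateway` and, when `ifconfig-push` hands out an address plus netmask (subnet style), a pushed `topology subnet`, since a reset override otherwise leaves the client assuming net30. The sample override contents are constructed and the directive layout pfSense writes for a CSO is an assumption; compare against your own generated file.

```python
import ipaddress
import shlex

# Constructed sample of a per-client override for a CSO with "Reset Server
# Options" and "Redirect IPv4 Gateway" on tunnel network 10.250.1.0/24.
# Assumed layout, not copied from a pfSense box.
CSO_WITHOUT_TOPOLOGY = """\
# generated per-client overrides (constructed sample)
ifconfig-push 10.250.1.2 255.255.255.0
push "redirect-gateway def1"
"""

# Same override with the fix from the thread: the topology is pushed again.
CSO_WITH_TOPOLOGY = CSO_WITHOUT_TOPOLOGY + 'push "topology subnet"\n'

# A net30-style override (local endpoint + peer endpoint, no netmask);
# constructed to show the lint does not complain when net30 is intended.
CSO_NET30 = """\
ifconfig-push 10.250.1.6 10.250.1.5
push "redirect-gateway def1"
"""


def parse_ccd(text):
    """Split override text into (directive, args) tuples.

    shlex keeps a quoted push payload as one argument, so
    push "topology subnet" becomes ("push", ["topology subnet"]).
    Only '#' comments are stripped; OpenVPN also accepts ';' but the
    generated files checked here do not use it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def pushed_options(entries):
    """Return the option strings the server pushes to this client."""
    return [args[0] for name, args in entries if name == "push" and args]


def _looks_like_netmask(token):
    """True for dotted netmasks such as 255.255.255.0, False for peer IPs."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{token}")
        return True
    except ValueError:
        return False


def check_full_tunnel_cso(text):
    """Return human-readable findings for an override meant to tunnel everything.

    Heuristic: a subnet-style ifconfig-push (address + netmask) without a
    pushed 'topology subnet' means a client that lost the server's topology
    through "Reset Server Options" will fall back to net30 and misread the
    second argument as a peer endpoint.
    """
    entries = parse_ccd(text)
    pushed = pushed_options(entries)
    findings = []

    ifconfig = [args for name, args in entries if name == "ifconfig-push"]
    subnet_style = any(len(a) >= 2 and _looks_like_netmask(a[1]) for a in ifconfig)
    if subnet_style and "topology subnet" not in pushed:
        findings.append(
            "ifconfig-push uses a netmask but 'topology subnet' is not pushed; "
            "client will assume net30"
        )
    if not any(opt.startswith("redirect-gateway") for opt in pushed):
        findings.append(
            "no redirect-gateway pushed; client will not send all traffic "
            "through the tunnel"
        )
    return findings


if __name__ == "__main__":
    for label, sample in [("without topology", CSO_WITHOUT_TOPOLOGY),
                          ("with topology", CSO_WITH_TOPOLOGY),
                          ("net30 style", CSO_NET30)]:
        print(label, "->", check_full_tunnel_cso(sample) or "ok")
```

Run it against the text of a real override file (or paste the directives from the CSO "Advanced" box) to confirm the topology push is present before handing the profile to users; the NAT side raised earlier in the thread is outside what this check can see.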
-
@ivica.glavocic I agree it's remarkable that the Reset Server Options setting has no specific guidance in the Client Specific Overrides documentation, despite the general information offered in the second paragraph and in the "Tip" which immediately follows. On the other hand, "reset all options" is fairly plain English (and also not the default setting).
Good catch no matter!
-
@tinfoilmatt said in OpenVPN split / full tunnel with Client Specific Overrides:
@ivica.glavocic I agree it's remarkable that the Reset Server Options setting has no specific guidance in the Client Specific Overrides documentation, despite the general information offered in the second paragraph and in the "Tip" which immediately follows. On the other hand, "reset all options" is fairly plain English (and also not the default setting).
Good catch no matter!
I agree that "Reset all options" is self-explanatory, but nowhere in the server configuration is it written that net30 is the default option; that was misleading for me.
I have a working solution for the split and full tunnel scenario with 2FA using Radius on pfSense and OpenVPN Connect on the client. It still needs testing on other OSes (Linux, Mac, Android, iOS); if it works on all of them, I could explain it in detail to help others. What would be a good place to document it?
-
@ivica.glavocic said in OpenVPN split / full tunnel with Client Specific Overrides:
net30 is the default option, that was misleading for me.
Agreed there.
@ivica.glavocic said in OpenVPN split / full tunnel with Client Specific Overrides:
what would be a good place to document it?
If you post it to the subforum we're in here, I'd be personally interested in giving it a read myself.