Can't add static routes for remote OpenVPN networks (site-to-site).



  • Hello,

    I have an OpenVPN server config on my 2.0-BETA4 pfSense box (i386). My client is a 1.2.3 pfSense machine as well, running a standard OpenVPN client site-to-site PKI config to connect to my 2.0 BETA4 OpenVPN Server.

    I can get things connected fine, but I need to be able to define static routes for the remote networks on the other side of the client. For example:

    The OpenVPN client's LAN network is 172.16.20.0/24, and I have a DMZ (among others) starting at 172.16.21.0/24. In my OpenVPN log on the server, I can see the tunnel come up fine (I'm using 10.254.0.8/29 for the tunnel network, which means 10.254.0.9 is my 2.0 OpenVPN Server, and 10.254.0.10 is the 1.2.2 OpenVPN client IP) as a route is added for the LAN on the OpenVPN client side (172.16.20.0/24 -> 10.254.0.10).

    However, when I go to System -> Routing -> '+' for New Gateway, I can't add another gateway for 10.254.0.10. When I choose the LAN interface for the gateway, it complains that 10.254.0.10 is not on that interface's subnet (which makes sense, but I need to be able to choose an OpenVPN interface).

    I've worked around it by just adding the routes by hand, but I was thinking there's got to be a better way. Does anybody have any ideas?


  • Rebel Alliance Developer Netgate

    OpenVPN does this for you, just add more route statements in the custom options:

    route 172.16.21.0 255.255.255.0;

    And so on.


  • Rebel Alliance Developer Netgate

    Also, on recent snapshots, OpenVPN clients get added as dynamic gateways. Based on this and another post you made, it sounds like you're on quite an old snapshot.



  • @jimp:

    OpenVPN does this for you, just add more route statements in the custom options:

    route 172.16.21.0 255.255.255.0;

    And so on.

    Interesting, so in my current server-side options, I have the following:

    push "route 172.16.45.0 255.255.255.0";
    push "route 172.16.46.0 255.255.255.0";
    push "route 10.200.200.0 255.255.255.0";

    This is to push routes from the OpenVPN server network to the client network, so the client machines can all get to the machines behind other interfaces on the OpenVPN server networks.

    You're saying I should add the following to the server-side as well, which will add routes once the tunnel comes up for redirecting traffic to the client for the other networks? I'm currently running this in peer-to-peer mode (SSL/TLS) with PKI, though no TLS authentication.

    route 172.16.21.0 255.255.255.0;
    route 172.16.22.0 255.255.255.0;
    push "route 172.16.45.0 255.255.255.0";
    push "route 172.16.46.0 255.255.255.0";
    push "route 10.200.200.0 255.255.255.0";

  • Rebel Alliance Developer Netgate

    Ah, I missed the PKI bit earlier. If you want to get back to the client networks you also need iroutes in the CSC tab for each site's certificate. I think someone has a howto here on the forum, should be easy to find if you search for iroute.



  • Ahh, yes indeed. Doing iroutes for client-specific overrides on the server side, as well as adding "route 172.16.21.0 255.255.255.0" to the server side options has fixed it. Thanks for the pointers jimp :-).
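As an added example tying the two answers together (not code from the thread or from pfSense): in a PKI server the kernel `route` directives and the per-certificate `iroute` overrides have to pair up, and this small Python check flags the mismatches. The option text and the certificate common name `site-b` are constructed samples.

```python
import ipaddress
import re

# Constructed sample: the effective server-side directives, i.e. the custom
# options plus the "route" pfSense generates for the client's LAN.
SERVER_OPTIONS = """
route 172.16.20.0 255.255.255.0;
route 172.16.21.0 255.255.255.0;
route 172.16.22.0 255.255.255.0;
push "route 172.16.45.0 255.255.255.0";
push "route 172.16.46.0 255.255.255.0";
push "route 10.200.200.0 255.255.255.0";
"""

# Constructed sample: client-specific override (CSC) keyed by the remote
# site's certificate common name; "site-b" is a placeholder.
CSC_OVERRIDES = {
    "site-b": "iroute 172.16.20.0 255.255.255.0\niroute 172.16.21.0 255.255.255.0\n",
}

ROUTE_RE = re.compile(r'^\s*(push\s+"\s*)?(route|iroute)\s+(\S+)\s+(\S+)')


def parse_routes(text):
    """Collect networks per directive kind: 'route' (server kernel route into
    the tunnel), 'push' (route handed to the client) and 'iroute' (internal
    OpenVPN route telling the server which client owns a network)."""
    found = {"route": set(), "push": set(), "iroute": set()}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        kind = "push" if m.group(1) else m.group(2)
        addr, mask = m.group(3), m.group(4).rstrip('";')
        found[kind].add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return found


def check_site_to_site(server_options, csc_overrides):
    """Report networks whose server 'route' and client 'iroute' do not pair up.
    A route without an iroute sends packets into the tun device that OpenVPN
    cannot map to any client; an iroute without a kernel route never receives
    traffic from the server in the first place."""
    server = parse_routes(server_options)
    iroutes = set()
    for _cn, text in csc_overrides.items():
        iroutes |= parse_routes(text)["iroute"]
    return {
        "route_without_iroute": sorted(str(n) for n in server["route"] - iroutes),
        "iroute_without_route": sorted(str(n) for n in iroutes - server["route"]),
    }


if __name__ == "__main__":
    print(check_site_to_site(SERVER_OPTIONS, CSC_OVERRIDES))
```

With the sample above the check reports 172.16.22.0/24 as routed into the tunnel without any certificate claiming it, which is exactly the case the CSC iroute fixes.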

