Netgate Discussion Forum

    Static Routes Disappear from routing table

    8 Posts 3 Posters 2.5k Views
      awesomo

      I have an OpenVPN Tap link going between my HQ and site 1. When the ovpn link goes down, or is not up in time after a router restart (which is every time), my static routes disappear from (or never enter) the routing table, on both routers. It does not matter if gateway monitoring is enabled or disabled for the specific gateway. When the OpenVPN link is re-established, the routes do not appear again. The only way I can get them to come back is going into routes, editing one of them, and clicking apply (I have to do this on both routers). All of the static routes come back (as shown under diagnostics>>>routes) and everything starts working.

      How can I get my static routes to stay? That's what they are, static routes, they should never be removed from the routing table, ever. If a link goes down, packets should still be sent to it, hit the ttl, and drop.

      192.168.1.1                          192.168.3.1
      HQ--------------ovpn-----------Site 1
      (10.10.2.1)-----ovpn------(10.10.2.2)

      HQ:
      Gateway 10.10.2.2
      Static route to reach 192.168.3.1 via 10.10.2.2 gateway

      Site 1:
      Gateway 10.10.2.1
      Static route to reach 192.168.1.1 via 10.10.2.1 gateway

        jimp Rebel Alliance Developer Netgate

        You should never use system static routes with OpenVPN, for exactly this reason. If you need to do routing across the VPN, you shouldn't be using tap/bridging.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          dhatz

          @jimp:

          You should never use system static routes with OpenVPN, for exactly this reason.

          What's the recommended way to do routing with OpenVPN on pfSense?

          • push route via OpenVPN itself?
          • use OSPF?
            jimp Rebel Alliance Developer Netgate

            In peer-to-peer modes, use route statements in the advanced options of the VPN (or just use the 'remote network' box for a single remote network).

            In remote access or multi-site modes, route statements or push routes.

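The route statements described in the reply above, written out for the topology in the first post. This is an added example, not part of any poster's message and not Netgate's own configuration. The /24 masks are assumptions, since the thread gives only the addresses 192.168.1.1 and 192.168.3.1.

```conf
# --- HQ (tunnel address 10.10.2.1): OpenVPN advanced options ---
# Assumed: the Site 1 LAN is 192.168.3.0/24.
# With no gateway argument, OpenVPN sends this route to the tunnel's
# remote endpoint and installs it each time the tunnel comes up, so it
# does not depend on a system static route being present at boot.
route 192.168.3.0 255.255.255.0

# --- Site 1 (tunnel address 10.10.2.2): OpenVPN advanced options ---
# Assumed: the HQ LAN is 192.168.1.0/24.
route 192.168.1.0 255.255.255.0

# --- Remote access / multi-site server (the second case in the reply) ---
# The server tells each connecting client to route the HQ LAN via the VPN.
push "route 192.168.1.0 255.255.255.0"
```

With these in place, the matching entries under System > Routing are removed, so the operating system and OpenVPN are not both managing the same prefix.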
              dhatz

              @jimp:

              In peer-to-peer modes, use route statements in the advanced options of the VPN (or just use the 'remote network' box for a single remote network).

              In remote access or multi-site modes, route statements or push routes.

              Thx jimp,

              Is there anything else to be aware of with regard to route statements, when OpenVPN p2p is deployed in a fail-over scenario? (failover using either pf policy based routing or OSPF)

                jimp Rebel Alliance Developer Netgate

                In a multi-tunnel failover scenario you do not use routes in the OS or route statements in OpenVPN - the routes are maintained by your routing daemon such as ospfd.

                  dhatz

                  jimp, instead of using OSPF, do you also use pf policy route to do the failover? E.g. the scenario described at http://forum.pfsense.org/index.php?topic=53811.0

                  The concept seems pretty straight-forward in theory, but as usual I'm thinking more about any potential issues that could possibly come up in practice.

                    jimp Rebel Alliance Developer Netgate

                    That would not give you full two-way routed connectivity over the VPN.

                    You either don't get a proper return route or you have to do NAT as the traffic leaves.

                    If you are only concerned with failover in one direction, it may be acceptable, but if you need fully routed two-way connectivity, you need a routing daemon.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.