Pushing routes
-
I do successfully push rules from OpenVPN server to OSX Client
If I try the same on my site2site OpenVPNs (pfsense on both sides) it doesn't work:
Server:
push "route 192.168.1.0 255.255.255.128";
If i enter the route on the client
route 192.168.1.0 255.255.255.128;
everything works like expected. What do I miss?
-
Need more details. Post a network map.
Post server1.conf and client1.conf.
-
I ask the other way round…
What makes the difference between:
Advanced (client):
route 192.168.1.0 255.255.255.128;
and
Advanced (server):
push "192.168.1.0 255.255.255.128";
The first works, the second doesn't (on the same OpenVPN connection).
-
Advanced (client):
route 192.168.1.0 255.255.255.128;
Tells the client to route 192.168.1.0/25 down the tunnel.
Advanced (server):
push "192.168.1.0 255.255.255.128";
This won't do anything, if this is really what you have… that's why it's not working... but I'm assuming you meant... push "route 192.168.1.0 255.255.255.128";
This pushes the route to the client on connection.
From my perspective, having just the push route on the server "should" be enough, but for some reason in a site to site if you don't have the "push route" statement on the server AND the "route" statement on the client… it doesn't work. Or maybe it's sufficient to only have the route on the client and not the push route on the server, but the GUI generates statements on both ends, so I'm not sure.
Also, the advanced section is for additional options not covered in the GUI. You shouldn't need any routing statements in the advanced section as the route and push route statements are auto generated by the GUI via the "IPv4 Local Network/s" and "IPv4 Remote Network/s" fields.
-
Yes, I meant push "route…
I need to push some routes because I have more networks which are coupled via vpn to the vpn master.
So I need to add these routes on the client.
Well, I can do that like now with the advanced statements (route xxx...) on the client. I'm just curious why the push statement is not working on the site to site tun. Also it's nicer to have all the route configs on the master, especially if you need to change something.
I use the same push statements on a roadwarrior tap tunnel, there they are working. This makes me wonder too.
Will post configs later .. maybe I got blind and do miss something ;)
-
Yes, I have realised this in the past - for site-to-site links. Mine have Remote Network/s list filled in on Server and Client end. Server end Local Network/s is blank. Client end has no Local Network/s field anyway.
Now I can't remember why the site-to-site client does not accept routes pushed from the server.
-
Ok so it's not a mistake on my side, it's a "feature" ;) on pfsense side
Btw. I have server side remote and local networks filled in.
-
@phil: You seem to be one of the very knowing here ;) Would you be so nice and take a look on my tap problem. I got completely stuck https://forum.pfsense.org/index.php?topic=74179.0
Thanks a lot!
-
Well, i can do that like now with the advanced statements (route xxx…) on the client.
Yes, but my point was, presuming you're using v2.1, you no longer need to manually add route statements in the advanced section… starting in v2.1, you can add multiple networks to the "IPv4 Remote Network/s" and "IPv4 Local Network/s" in the GUI and it will generate the route statements for you. i.e. entering 192.168.1.0/24, 192.168.2.0/24 in the "IPv4 Remote Network/s" section on the client side, will auto generate the following route statements and add them to the config:
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
I agree with you though, once the client makes the connection it "should" get the push routes from the server... I'm not sure why you still need it on the client side for site to site setups... maybe a dev will chime in and let us know.
-
Ah! I'm on 2.1 but didn't know about the multiple route possibility. Will try that later
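-
Added example, not part of any post in this thread and not pfSense's own code: a small Python check for the two things discussed above, a push statement that lacks the route keyword and pushed networks that the client does not also list as its own route statements. All function names and the sample configs are constructed for illustration, and options are assumed to be separated by ';' or newlines as in the posts.

```python
import ipaddress
import shlex

def cidr_to_route(cidr):
    """'192.168.1.0/24' -> 'route 192.168.1.0 255.255.255.0' (statement form quoted above)."""
    net = ipaddress.ip_network(cidr.strip(), strict=True)
    return f"route {net.network_address} {net.netmask}"

def looks_like_address(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit(conf_text):
    """Return (local_routes, pushed_routes, problems) for OpenVPN option text."""
    local, pushed, problems = [], [], []
    # Assumption: options are separated by ';' or newlines, as in the posts above.
    for stmt in conf_text.replace("\n", ";").split(";"):
        try:
            words = shlex.split(stmt, comments=True)
        except ValueError as exc:  # e.g. an unbalanced quote
            problems.append(f"{stmt.strip()}: {exc}")
            continue
        if not words:
            continue
        is_push = words[0] == "push" and len(words) == 2
        inner = words[1].split() if is_push else words
        if len(inner) >= 2 and inner[0] == "route":
            mask = inner[2] if len(inner) > 2 else "255.255.255.255"
            try:
                # strict=True rejects a network address with host bits set
                net = ipaddress.ip_network(f"{inner[1]}/{mask}", strict=True)
            except ValueError as exc:
                problems.append(f"{stmt.strip()}: {exc}")
                continue
            (pushed if is_push else local).append(net)
        elif is_push and inner and looks_like_address(inner[0]):
            problems.append(f"{stmt.strip()}: push payload has no option name such as 'route'")
    return local, pushed, problems

def not_routed_locally(server_text, client_text):
    """Networks the server pushes that the client does not also list itself."""
    client_local = set(audit(client_text)[0])
    return [n for n in audit(server_text)[1] if n not in client_local]

# Constructed sample input, modelled on the statements in the thread.
SERVER = 'push "route 192.168.1.0 255.255.255.128";\npush "192.168.2.0 255.255.255.0";'
CLIENT = "route 192.168.1.0 255.255.255.128;"
```

Calling `audit(SERVER)` reports the second push line as a problem, and `not_routed_locally(SERVER, CLIENT)` lists pushed networks that would depend entirely on the client accepting the push.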