Multi-WAN, OpenVPN, and routes/iroutes
-
I was hoping to be able to control what networks my OpenVPN clients routed back over the VPN by pushing routes to them from the server config.
This works until a client has Multi-WAN.
With Multi-WAN (a gateway group defined as the gateway on LAN rules), the negate_networks alias is only populated with the networks listed in the client OpenVPN config under IPv4 Remote Network/s. Any routes pushed to the client by the server, but not specifically configured as a remote network in the client, are routed out the gateway group and not over OpenVPN even though the proper route to the OpenVPN instance (i.e. ovpnc1) exists.
Did my testing on 2.1.5.
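One way to spot the gap described above before it bites (an added check, not part of the original post): parse the client's routing table and list every prefix reachable via ovpnc1 that none of the configured IPv4 Remote Networks covers. Those are exactly the destinations that will leave via the gateway group instead of the tunnel. The netstat output and the Remote Networks list are constructed samples; ovpnc1 is the interface name from the post.

```python
import ipaddress

# Constructed sample of `netstat -rn` output on a Multi-WAN client; only the
# routes whose Netif is the OpenVPN client interface (ovpnc1) matter here.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags    Netif
default            203.0.113.1        UGS      em0
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
10.20.0.0/16       10.8.0.5           UGS      ovpnc1
10.30.5.0/24       10.8.0.5           UGS      ovpnc1
192.168.1.0/24     link#2             U        em1
"""

# Constructed: the client's "IPv4 Remote Network/s" field, i.e. the only
# prefixes pfSense places into the negate_networks alias.
CONFIGURED_REMOTE_NETWORKS = ["10.8.0.0/24", "10.20.0.0/16"]


def routes_via(netstat_output, netif):
    """Return the destination prefixes whose route uses the given interface."""
    prefixes = []
    for line in netstat_output.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != netif or fields[0] == "default":
            continue
        dest = fields[0] if "/" in fields[0] else fields[0] + "/32"  # host route
        prefixes.append(ipaddress.ip_network(dest, strict=False))
    return prefixes


def unnegated_pushed_routes(netstat_output, remote_networks, netif="ovpnc1"):
    """Prefixes routed via the tunnel that no configured Remote Network covers.

    Traffic to these destinations still matches the policy-routing LAN rule
    and is sent out the gateway group rather than over OpenVPN."""
    negated = [ipaddress.ip_network(n) for n in remote_networks]
    missing = []
    for prefix in routes_via(netstat_output, netif):
        covered = any(prefix.subnet_of(n) for n in negated
                      if n.version == prefix.version)
        if not covered:
            missing.append(str(prefix))
    return missing


if __name__ == "__main__":
    for p in unnegated_pushed_routes(SAMPLE_ROUTES, CONFIGURED_REMOTE_NETWORKS):
        print("pushed route not in negate_networks:", p)
```

On a real box, feed the output of `netstat -rn` into unnegated_pushed_routes() and add any prefix it reports to the client's Remote Networks (or to a negation alias as in the rules below).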
-
This is a known limitation, huh.
https://doc.pfsense.org/index.php/Multi-WAN_2.0#Policy_Route_Negation
I guess a reasonable practice would be to always define at least a management network in IPv4 Remote Networks on your client so you can get in and add other networks if you have to go Multi-WAN on the client side.
Something like this also seems reasonable and seems to work. (Screenshots aren't uploading):
Proto   Source   Port  Destination  Port  Gateway   Queue  Description
IPv4 *  LAN net  *     RFC1918      *     *         none   Add private destinations to negate for VPN traffic
IPv4 *  LAN net  *     *            *     WANGROUP  none   Default allow LAN to any rule