Multi-WAN, OpenVPN, and routes/iroutes


  • LAYER 8 Netgate

    I was hoping to be able to control what networks my OpenVPN clients routed back over the VPN by pushing routes to them from the server config.

    This works until a client has Multi-WAN.

    With Multi-WAN, (a gateway group defined as the gateway on LAN rules) the negate_networks alias is only populated with the networks listed in the client openvpn config under IPv4 Remote Network/s.  Any routes pushed to the client by the server, but not specifically configured as a remote network in the client, are routed out the gateway group and not over openvpn even though the proper route to the openvpn instance (i.e. ovpnc1) exists.

    Did my testing on 2.1.5.


  • LAYER 8 Netgate

    This is a known limitation, huh.

    https://doc.pfsense.org/index.php/Multi-WAN_2.0#Policy_Route_Negation

    I guess a reasonable practice would be to always define at least a management network in IPv4 Remote Networks on your client so you can get in and add other networks if you have to go Multi-WAN on the client side.

    Something like this also seems reasonable and seems to work.  (Screenshots aren't uploading):

    Proto    Source    Port  Destination  Port  Gateway   Queue  Schedule  Description
    IPv4 *   LAN net   *     RFC1918      *     *         none             Add private destinations to negate for VPN traffic
    IPv4 *   LAN net   *     *            *     WANGROUP  none             Default allow LAN to any rule
    

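    As an added illustration, not part of the original posts, here is what the two LAN rules above amount to in pf syntax, approximating what pfSense generates from them. The interface names, the LAN subnet, the WAN gateway addresses and a load-balancing (round-robin) WANGROUP are assumed for the example; RFC1918 is taken to be an alias holding the three private ranges. The point is the ordering: the first rule matches private destinations with gateway "*" and carries no route-to, so the kernel routing table (including a route pushed by the OpenVPN server toward ovpnc1) decides, and "quick" keeps the gateway-group rule from ever seeing that traffic.

    ```pf
    # Added example, not from the original post. Hand-written pf.conf fragment
    # approximating the two LAN rules above; interface names, the LAN subnet and
    # the WAN gateway addresses are assumed for illustration only.
    lan_if  = "em1"
    lan_net = "192.168.10.0/24"
    wan1_if = "em0"
    wan1_gw = "203.0.113.1"
    wan2_if = "em2"
    wan2_gw = "198.51.100.1"

    # The RFC1918 alias from the rule table becomes a pf table of the three
    # private ranges (assumed contents of the alias).
    table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    # Rule 1: private destinations, gateway "*" (default). No route-to, so the
    # kernel routing table decides, and a route the OpenVPN server pushed
    # (pointing at ovpnc1) is honoured. "quick" stops evaluation here.
    pass in quick on $lan_if inet from $lan_net to <rfc1918> keep state

    # Rule 2: everything else is policy-routed out the WANGROUP gateway group
    # (assumed here to be a load-balancing group, hence round-robin; a failover
    # group would instead be a single route-to to the active gateway).
    # Without rule 1 in front of it, this rule would also swallow traffic for
    # networks the VPN server pushed but that are not listed as IPv4 Remote
    # Networks, which is exactly the negate_networks limitation described above.
    pass in quick on $lan_if inet from $lan_net to any \
        route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin keep state
    ```

    The negation rule still depends on the route to ovpnc1 existing; it only removes policy routing from the decision. If the VPN is down and the pushed route disappears, private destinations simply follow the default route instead of the gateway group.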