Netgate Discussion Forum
    [Resolved] list of Local Networks not pushed to remote access VPN clients

    OpenVPN
    13 Posts 3 Posters 2.1k Views
      Snailkhan

      Hi,
      I want to achieve split tunneling so that traffic from VPN clients to the networks below is passed through the tunnel.

      192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24, these are specified in the OpenVPN configuration in the "IPv4 Local Network/s" field.

      However, when the VPN clients connect, none of the above networks (except 4.0/24) are reachable. traceroute and the host routing table show that it is using the locally installed default gateway and that no route for those networks is pushed to the clients.

      EDIT after it was resolved:
      Resolved by running the OpenVPN client with admin privileges.

        viragomann

        Hi,
        what type of client is it?

        Are the subnets which are not routed over the VPN part of the client's LAN network?

        Post your server and client config.

          Snailkhan

          @viragomann:

          Hi,
          what type of client is it?

          Are the subnets which are not routed over the VPN part of the client's LAN network?

          Post your server and client config.

          Windows 7 using the OpenVPN client (from the Client Export wizard).

          Regarding the subnets: these are client subnets on different interfaces of the router. The one that is 192.168.4.0/24 and is accessible to VPN clients is on the LAN interface; 4 are virtual APs broadcast from a WiFi adapter running in AP mode.

          ![1- open vpn confis.PNG](/public/imported_attachments/1/1- open vpn confis.PNG)
          ![2- open vpn confis.PNG](/public/imported_attachments/1/2- open vpn confis.PNG)
          ![3- open vpn confis.PNG](/public/imported_attachments/1/3- open vpn confis.PNG)
          ![4 interfaces.PNG](/public/imported_attachments/1/4 interfaces.PNG)

            viragomann

            With this configuration all routes for your subnets should be pushed correctly.
            Have you checked the client network? Do the subnets you are trying to push overlap local subnets?
            Post the routing table.

            Maybe the settings are not added to the server config file properly. You can find it at /var/etc/openvpn/server1.conf for the first server, server2.conf for the second, and so on.

              Snailkhan

              For server1, below is the output (for server2 it says the file doesn't exist):

              dev ovpns1
              verb 1
              dev-type tun
              tun-ipv6
              dev-node /dev/tun1
              writepid /var/run/openvpn_server1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp
              cipher AES-256-CBC
              auth SHA1
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              client-connect /usr/local/sbin/openvpn.attributes.sh
              client-disconnect /usr/local/sbin/openvpn.attributes.sh
              local x.x.x.x
              tls-server
              server 192.168.99.0 255.255.255.0
              client-config-dir /var/etc/openvpn-csc
              username-as-common-name
              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'mydnsname' 1 "
              lport 1195
              management /var/etc/openvpn/server1.sock unix
              max-clients 100
              push "route 192.168.4.0 255.255.255.0"
              push "route 192.168.11.0 255.255.255.0"
              push "route 192.168.12.0 255.255.255.0"
              push "route 192.168.13.0 255.255.255.0"
              push "route  0.0.0.0"
              push "dhcp-option DNS 192.168.4.10"
              ca /var/etc/openvpn/server1.ca
              cert /var/etc/openvpn/server1.cert
              key /var/etc/openvpn/server1.key
              dh /etc/dh-parameters.2048
              tls-auth /var/etc/openvpn/server1.tls-auth 0
              persist-remote-ip
              float

              While I don't have the output of the routing table to show here, I checked the VPN from two different systems and routes to the other subnets were not pushed into the routing table on either system. I checked it multiple times.
              (Checked on Windows 7 and 8.)

              However, I will post the host routing table tomorrow when I get access to an external network.

                viragomann

                If you have only one OpenVPN server configured, only server1.conf is present.

                I don't understand the line

                push "route  0.0.0.0"
                

                in the server config. That is not a correct push command; the subnet mask is missing.
                Have you entered "0.0.0.0" in local networks?

                  Snailkhan

                  @viragomann:

                  If you have only one OpenVPN server configured, only server1.conf is present.

                  I don't understand the line

                  push "route  0.0.0.0"
                  

                  in the server config. That is not a correct push command; the subnet mask is missing.
                  Have you entered "0.0.0.0" in local networks?

                  Here is the route print result:

                  ===========================================================================
                  Interface List
                  16...00 ff e4 d0 b3 28 ......TAP-Windows Adapter V9
                  11...b0 83 fe 65 a8 28 ......Realtek PCIe GBE Family Controller
                  14...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
                    1...........................Software Loopback Interface 1
                  12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
                  13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
                  15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
                  17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

                  IPv4 Route Table

                  Active Routes:
                  Network Destination        Netmask          Gateway      Interface  Metric
                            0.0.0.0          0.0.0.0      10.11.26.49      10.11.26.62    276
                        10.11.26.48  255.255.255.240        On-link      10.11.26.62    276
                        10.11.26.62  255.255.255.255        On-link      10.11.26.62    276
                        10.11.26.63  255.255.255.255        On-link      10.11.26.62    276
                          127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                          127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                    127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                      192.168.56.0    255.255.255.0        On-link      192.168.56.1    266
                      192.168.56.1  255.255.255.255        On-link      192.168.56.1    266
                    192.168.56.255  255.255.255.255        On-link      192.168.56.1    266
                      192.168.99.4  255.255.255.252        On-link      192.168.99.6    276
                      192.168.99.6  255.255.255.255        On-link      192.168.99.6    276
                      192.168.99.7  255.255.255.255        On-link      192.168.99.6    276

                          224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                          224.0.0.0        240.0.0.0        On-link      10.11.26.62    276
                          224.0.0.0        240.0.0.0        On-link      192.168.56.1    266
                          224.0.0.0        240.0.0.0        On-link      192.168.99.6    276
                    255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                    255.255.255.255  255.255.255.255        On-link      10.11.26.62    276
                    255.255.255.255  255.255.255.255        On-link      192.168.56.1    266
                    255.255.255.255  255.255.255.255        On-link      192.168.99.6    276

                  Persistent Routes:
                    Network Address          Netmask  Gateway Address  Metric
                            0.0.0.0          0.0.0.0      10.11.26.49  Default

                  IPv6 Route Table

                  Active Routes:
                  If Metric Network Destination      Gateway
                    1    306 ::1/128                  On-link
                  11    276 fe80::/64                On-link
                  14    266 fe80::/64                On-link
                  16    276 fe80::/64                On-link
                  14    266 fe80::2450:aaf9:b1fd:2c90/128
                                                      On-link
                  16    276 fe80::a5ca:eb89:d193:2b8b/128
                                                      On-link
                  11    276 fe80::e8bc:44bc:b736:2cd2/128
                                                      On-link
                    1    306 ff00::/8                On-link
                  11    276 ff00::/8                On-link
                  14    266 ff00::/8                On-link
                  16    276 ff00::/8                On-link

                  Persistent Routes:
                    None

                    Snailkhan

                    Regarding the 0.0.0.0 route, I have not entered it anywhere.

                    In "IPv4 Local Network/s" the following is entered:
                    192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

                    as shown in the above screenshots as well.

                      viragomann

                      So there isn't any route pushed to the client.

                      @Snailkhan:

                      In "IPv4 Local Network/s" the following is entered:
                      192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

                      as shown in the above screenshots as well.

                      Do you have a comma there at the end of the line? Try to delete it.

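Why the trailing comma matters, shown with an added example that is not code from this thread or from pfSense: a generator that splits the "IPv4 Local Network/s" value on commas without checking for an empty item turns the empty string after the last comma into a `route` line with no network and an all-zero mask, which is exactly the `push "route  0.0.0.0"` (note the double space) that appeared in server1.conf above. That reconstruction of the generator is an assumption about how the line came about. The strict generator beside it skips empty items, rejects anything that is not a valid IPv4 network, and always emits an explicit netmask; the checker flags the malformed line the way a config review would.

```python
import ipaddress
import re

# Constructed input: the value the poster typed into "IPv4 Local Network/s",
# including the trailing comma (and the stray space) shown in the thread.
LOCAL_NETWORKS_FIELD = "192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,"

ROUTE_PUSH = re.compile(r'^push "route (\S+) (\S+)"$')


def naive_push_routes(field):
    """Reconstruction (an assumption, not pfSense's code) of a generator that
    splits on commas and never checks for an empty item: the empty string after
    the trailing comma becomes an empty network with an all-zero mask."""
    lines = []
    for item in field.split(","):
        item = item.strip()
        if "/" in item:
            net, bits = item.split("/", 1)
            mask = str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)
        else:
            net, mask = item, "0.0.0.0"   # '' -> route line with no network address
        lines.append(f'push "route {net} {mask}"')
    return lines


def validated_push_routes(field):
    """Strict generator: skip empty items, reject anything that is not a valid
    IPv4 network in CIDR form (host bits set, bad prefix, junk), and always
    emit an explicit netmask. Raises ValueError instead of writing a bad line."""
    lines = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            continue                      # trailing or doubled comma: nothing to push
        try:
            net = ipaddress.IPv4Network(item, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid entry in local networks: {item!r} ({exc})") from exc
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def is_well_formed_route_push(line):
    """Config-review check for one generated line: exactly one network and one
    netmask, both parseable. Rejects the double-space line from the thread."""
    m = ROUTE_PUSH.match(line)
    if not m:
        return False
    try:
        ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("naive generator:")
    for line in naive_push_routes(LOCAL_NETWORKS_FIELD):
        flag = "" if is_well_formed_route_push(line) else "   <-- malformed, OpenVPN needs a netmask"
        print(f"  {line}{flag}")
    print("strict generator:")
    for line in validated_push_routes(LOCAL_NETWORKS_FIELD):
        print(f"  {line}")
```

Running the block prints the four good lines plus the flagged `push "route  0.0.0.0"` from the naive generator, and only the four good lines from the strict one. Rejecting the bad entry at generation time is the safer failure mode: a server that writes a malformed push line leaves the client to decide what to do with it, and the client's routing table, not the server's config, is what determines whether traffic for those networks enters the tunnel.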
                        Snailkhan

                        @viragomann:

                        So there isn't any route pushed to the client.

                        @Snailkhan:

                        In "IPv4 Local Network/s" the following is entered:
                        192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

                        as shown in the above screenshots as well.

                        Do you have a comma there at the end of the line? Try to delete it.

                        Yes, no route is pushed to the clients. I had a comma at the end; I removed it, still the same issue.
                        Attached are the IP settings.
                        I cannot ping the DHCP server IP shown above when on the VPN, since no route to it is installed and the default route takes it via the local network.

                        ![vpn network ip settings.PNG](/public/imported_attachments/1/vpn network ip settings.PNG)

                          Danixu86

                          Maybe it is a stupid question, but have you executed the OpenVPN client as administrator? (right click -> Run as administrator). The routes cannot be added as a normal user.

                          I have a similar configuration on my server, and using this config file it is working:

                          remote serverIP port
                          client
                          resolv-retry infinite
                          
                          ;dev tap
                          dev tun
                          
                          ;proto tcp
                          proto udp
                          
                          nobind
                          
                          # Try to preserve some state across restarts.
                          persist-key
                          persist-tun
                          
                          # Verify that the server has a certificate of type Server
                          # (ns-cert-type is deprecated in newer OpenVPN releases; remote-cert-tls server is the replacement)
                          ns-cert-type server
                          
                          # Server TLS key (shared tls-auth key, direction 1 on the client side)
                          tls-auth tls-file.key 1
                          
                          # Client configuration
                          #tls-client
                          
                          ca ServerCA.crt
                          cert User.crt
                          key User.key
                          
                          # Connection options for the server
                          cipher AES-256-CBC
                          link-mtu 1558
                          keysize 256
                          comp-lzo
                          
                          # Set log file verbosity.
                          verb 3
                          

                          Running as admin on a Windows client, the routes are pushed from the server without problem.

                          Greetings!!

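A client-side check for what this thread diagnosed by hand, as an added example that is not code from the thread or from OpenVPN: it pulls the routes the server pushed out of the PUSH_REPLY line in the OpenVPN client log, parses the Windows `route print` output, and lists every pushed route that never made it into the routing table, together with any "route addition failed" lines. Both inputs are constructed samples modelled on the output posted above; the wording of the failure line approximates what an unprivileged client logs and is not a verbatim capture. Assumed: the log and the routing table were collected from the same connection attempt.

```python
import ipaddress
import re

# Constructed sample, cut down from the `route print` output posted above:
# the tunnel /30 is on-link, but none of the four pushed networks appear.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.11.26.49      10.11.26.62    276
      10.11.26.48  255.255.255.240         On-link      10.11.26.62    276
     192.168.99.4  255.255.255.252         On-link     192.168.99.6    276
     192.168.99.6  255.255.255.255         On-link     192.168.99.6    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.11.26.49  Default
"""

# Constructed sample of the client log: the PUSH_REPLY carries the routes the
# server sent; the "route addition failed" lines approximate what an
# unprivileged Windows client logs (wording not copied from a real capture).
CLIENT_LOG = """\
Tue Jan  1 10:00:01 2015 PUSH: Received control message: 'PUSH_REPLY,route 192.168.4.0 255.255.255.0,route 192.168.11.0 255.255.255.0,route 192.168.12.0 255.255.255.0,route 192.168.13.0 255.255.255.0,dhcp-option DNS 192.168.4.10,ping 10,ping-restart 60,ifconfig 192.168.99.6 192.168.99.5'
Tue Jan  1 10:00:03 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=16]
Tue Jan  1 10:00:03 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=16]
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def pushed_routes(log_text):
    """(network, netmask) pairs from every 'route' option in a PUSH_REPLY."""
    routes = set()
    for m in re.finditer(r"PUSH_REPLY,(.*?)'", log_text):
        for option in m.group(1).split(","):
            parts = option.split()
            if len(parts) >= 3 and parts[0] == "route":
                routes.add((parts[1], parts[2]))
    return routes


def installed_routes(route_print_text):
    """(network, netmask) pairs from the Active Routes section of `route print`.
    Active rows have five columns; persistent-route rows have four."""
    routes = set()
    for line in route_print_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and IPV4.fullmatch(parts[0]) and IPV4.fullmatch(parts[1]):
            routes.add((parts[0], parts[1]))
    return routes


def route_add_failures(log_text):
    """Log lines where the client tried and failed to install a route."""
    return [line for line in log_text.splitlines() if "route addition failed" in line]


def missing_routes(log_text, route_print_text):
    """Routes the server pushed that are absent from the client routing table,
    in address order."""
    missing = pushed_routes(log_text) - installed_routes(route_print_text)
    return sorted(missing, key=lambda r: ipaddress.IPv4Address(r[0]))


if __name__ == "__main__":
    for line in route_add_failures(CLIENT_LOG):
        print("client could not install a route:", line.split("ROUTE: ", 1)[1])
    for net, mask in missing_routes(CLIENT_LOG, ROUTE_PRINT):
        print(f"pushed but not in routing table: {net} {mask}  (traffic leaves via the default gateway)")
```

The missing-route list is a security finding as well as a connectivity one: with no route installed, packets for 192.168.11.0/24 follow the default route out the physical interface in the clear instead of through the tunnel, which is the behaviour the original poster saw in traceroute. Newer OpenVPN releases for Windows avoid the run-as-administrator requirement by installing routes through their interactive service, so the GUI itself does not need elevation.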
                            Snailkhan

                            @Danixu86:

                            Maybe it is a stupid question, but have you executed the OpenVPN client as administrator? (right click -> Run as administrator). The routes cannot be added as a normal user.

                            Awesome, as soon as I ran the OpenVPN utility with admin privileges the routes were pushed properly.

                            Thanks a lot.

                              Danixu86

                              You're welcome ;)

                              The best for end users is to configure the app to always run as administrator (Right click -> Properties -> Compatibility -> Run as administrator), or just enable the service in the Services manager to connect at Windows startup.

                              Greetings!!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.