OPNsense Forum

English Forums => 25.1, 25.4 Series => Topic started by: msturtz on July 25, 2025, 06:49:56 PM

Title: OpenVPN -- client routes not in route table
Post by: msturtz on July 25, 2025, 06:49:56 PM
Currently on 25.1.12.  I have an OpenVPN instance used by a couple remote devices (console server devices) -- my issue is the clients each get a subnet routed to them via Remote Network, but that isn't working.  Setup info below:

Instance:
Server: 10.0.3.192/27 -- IP's used for clients to connect
Topology: Subnet
Local network: 10.0.250.0/24 -- Route pushed to clients
Remote network:  Blank

Client Specific Overrides:
Common name: consolevpn3
Remote Network: 10.0.249.64/27

The client connects fine.  From the main 250 network, I can get to the client VPN IP in 10.0.3.x and manage the device.  The remote device has the route to the Local Network, the main 250 subnet, and it can get to other stuff in the main 250 network.  The remote network shows up under Connection Status -> Routes, but it doesn't work -- it's not in the route table under System->Routes->Status (and doesn't show up in 'netstat -rn' either) -- and the main network can NOT get to the remote LAN devices (including the LAN IP of the device itself).  In fact, I can prove using tcpdump on the OPNsense that it is sending that Remote Network out the default route -- so this seems like an OpenVPN and/or routing issue, not a firewall/filter issue.

I'm sure I'm missing something obvious, but I haven't found it yet.
Title: Re: OpenVPN -- client routes not in route table
Post by: viragomann on July 26, 2025, 10:53:40 PM
You have to state each remote network in the server at "Remote Network".
This sets the route in the OPNsense routing table.

Additionally you need the Client Specific Overrides for each to route the traffic properly inside OpenVPN.
Title: Re: OpenVPN -- client routes not in route table
Post by: msturtz on July 27, 2025, 07:05:39 PM
Oh?  So you're saying at the Instance I need to enter, eg, 10.0.249.0/24, and then a client-specific override of 10.0.249.64/27 ?

Normally that "remote network" option will cause the OpenVPN server process to enter a route in the OS routing table, and then route the block to the client -- which in the above case would mean I'd get two routes, 10.0.249.0/24 and 10.0.249.64/27 both routed to the client.  What I want is /27's routed to each of several clients, as I have several of these boxes out there.

I'll give it a try -- nothing to lose at this point LOL.
Title: Re: OpenVPN -- client routes not in route table
Post by: msturtz on July 27, 2025, 07:18:33 PM
UPDATE:  I looked at the server config file, /var/etc/openvpn/instance-<guid>.conf -- I see the following line:

client-config-dir /var/etc/openvpn-csc/1

That's where I would expect to see the Client-Specific Override files.  That directory exists, but it's empty.  Obviously that's my issue -- the OpenVPN configuration isn't picking up the client config at all.  In fact I have 3 separate Client Specific Overrides configured in the GUI, and none of them show up in any of the client-config-dir's, meaning /var/etc/openvpn-csc/*/ -- there are no files in any of those.

I think this might be a bug?
Title: Re: OpenVPN -- client routes not in route table
Post by: viragomann on July 27, 2025, 07:26:48 PM
Quote from: msturtz on July 27, 2025, 07:05:39 PM
Oh?  So you're saying at the Instance I need to enter, eg, 10.0.249.0/24, and then a client-specific override of 10.0.249.64/27 ?

Normally that "remote network" option will cause the OpenVPN server process to enter a route in the OS routing table, and then route the block to the client

Yeah, that's exactly what it needs.
As mentioned, the further routing is done inside OpenVPN.

Quote from: msturtz on July 27, 2025, 07:18:33 PM
UPDATE:  I looked at the server config file, /var/etc/openvpn/instance-<guid>.conf -- I see the following line:

client-config-dir /var/etc/openvpn-csc/1

As far as I know, the client files are stored in a subdirectory named <guid>, the same as the instance they belong to.
Title: Re: OpenVPN -- client routes not in route table
Post by: msturtz on July 27, 2025, 08:46:17 PM
Quote from: viragomann on July 27, 2025, 07:26:48 PM
Yeah, that's exactly what it needs.
As mentioned, the further routing is done inside OpenVPN.

Right.  But OpenVPN enters a route into the OS, which isn't happening.  A Client-Specific-Override is basically appended to the server config when a matched client connects.  So the main server config doesn't have a "remote network" defined, but when a client-config is matched, that config is effectively part of the server config.

Quote from: viragomann on July 27, 2025, 07:26:48 PM
client-config-dir /var/etc/openvpn-csc/1
As far as I know, the client files are stored in a subdirectory named <guid>, the same as the instance they belong to.

The OpenVPN process is reading the instance-<guid>.conf file; you can see that by running "ps -aux |grep openvpn".  In my case, that config file is specifying /var/etc/openvpn-csc/1/ for client specific overrides, and that directory exists.  I have those configured in the GUI, but they don't exist in that directory.
Title: Re: OpenVPN -- client routes not in route table
Post by: viragomann on July 27, 2025, 09:26:50 PM
I'll try it again. There are two different related things you need for this:

Remote Network in the OpenVPN server settings
This adds a route to the OS routing table pointing to the first OpenVPN client IP.

Remote Network in the CSO
This sets the route inside the OpenVPN service.
You cannot see this in the routing table!

Creating a CSO with remote networks only does not route any traffic to anywhere.
Title: Re: OpenVPN -- client routes not in route table
Post by: msturtz on July 28, 2025, 12:59:02 AM
I fiddled with it for a while, but the upshot is, you're correct.  I listed the entire /24 I intend for these remote sites under "Remote Network" on the Instance config, while leaving the original /27 under "Remote Network" on the CSO.  This works.  The /24 shows up on OPNsense's route table, and IP's on the /27 are reachable from the HQ network.  I thought this might create a duplicate route, so I powered on a second box which should get a different /27 out of the same /24.  I don't know if this is recommended or not (/24 on Instance page, /27 on CSO), but it appears to work as intended.

I think this is very confusing -- and I don't think it's how stock OpenVPN works, although I've been using it on appliances (as opposed to setting it up myself from scratch) for so long the config syntax may have changed.  But regardless, the two settings are named exactly the same.  It's logical to assume that a Client Specific Override would override a setting of the same name from the Instance config, so leaving "Remote Network" blank on the Instance, and specifying it as an Override, would make sense.

I updated my bug report to instead be a documentation improvement.
Title: Re: OpenVPN -- client routes not in route table
Post by: viragomann on July 28, 2025, 11:15:16 AM
Quote from: msturtz on July 28, 2025, 12:59:02 AM
I don't know if this is recommended or not (/24 on Instance page, /27 on CSO), but it appears to work as intended.
This is fine.
You can also specify multiple remote networks in the server settings for different client sites.

Quote from: msturtz on July 28, 2025, 12:59:02 AM
I think this is very confusing -- and I don't think it's how stock OpenVPN works
It is though.
The remote network in the CSO sets the iroute option in OpenVPN, but doesn't add any routes to the OS routing table.

See Client Specific Overrides (https://docs.opnsense.org/manual/vpnet.html#client-specific-overrides) in the docs.

Quote:
IPv[4|6] Remote Network

These are the networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established.
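The two-layer routing viragomann describes (a server-side "Remote Network" that becomes an OS route, and a CSO "Remote Network" that becomes an OpenVPN iroute with no OS route of its own) is easy to get wrong exactly the way this thread did, so here is an added example, not code from OPNsense or from anyone in the thread, of a small check script for the generated files. It parses `route` lines from a server config and `iroute` lines from the files in a client-config-dir, and reports every iroute that no server-side route contains. The server config text, the CSO file bodies and the common names consolevpn4 and consolevpn9 are constructed for illustration; only the consolevpn3 / 10.0.249.64/27 / 10.0.249.0/24 values come from the thread, and the script uses a temporary directory rather than /var/etc/openvpn-csc.

```python
# Added example: flag CSO "iroute" entries that no server-side "route" covers.
# Not OPNsense's own code; sample config and CSO files below are constructed.
import ipaddress
import os
import tempfile

# Constructed server config modelled on the thread's instance settings.
SERVER_CONF = """\
server 10.0.3.192 255.255.255.224
topology subnet
push "route 10.0.250.0 255.255.255.0"
route 10.0.249.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
"""

# Constructed CSO files keyed by common name. consolevpn3 matches the thread;
# consolevpn9 (hypothetical) uses a block outside the server route on purpose.
CSO_FILES = {
    "consolevpn3": "iroute 10.0.249.64 255.255.255.224\n",
    "consolevpn4": "iroute 10.0.249.96 255.255.255.224\n",
    "consolevpn9": "iroute 10.0.251.0 255.255.255.224\n",  # not covered
}


def parse_networks(text, keyword):
    """Return ip_network objects for every '<keyword> <addr> <mask>' line.

    Lines such as 'push "route ..."' start with 'push', so they are skipped;
    only routes the server itself installs (or iroutes in a CSO) are collected.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == keyword:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def load_csos(csc_dir):
    """Read every file in a client-config-dir; map common name -> iroute list.

    An empty directory (the symptom in the thread) simply yields an empty map.
    """
    result = {}
    for name in sorted(os.listdir(csc_dir)):
        path = os.path.join(csc_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                result[name] = parse_networks(fh.read(), "iroute")
    return result


def uncovered_iroutes(server_conf_text, csos):
    """List (common_name, iroute) pairs with no containing server 'route'."""
    routes = parse_networks(server_conf_text, "route")
    missing = []
    for cn, iroutes in csos.items():
        for net in iroutes:
            # subnet_of() only compares networks of the same IP version.
            if not any(net.subnet_of(r) for r in routes if r.version == net.version):
                missing.append((cn, str(net)))
    return missing


def demo():
    """Write the constructed CSO files to a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as csc_dir:
        for cn, body in CSO_FILES.items():
            with open(os.path.join(csc_dir, cn), "w") as fh:
                fh.write(body)
        return uncovered_iroutes(SERVER_CONF, load_csos(csc_dir))


if __name__ == "__main__":
    for cn, net in demo():
        print(f"{cn}: iroute {net} has no matching 'route' in the server config")
```

On a real box the same functions can be pointed at the instance-<guid>.conf file and the directory named on its client-config-dir line; an iroute the script reports will show under Connection Status -> Routes while staying absent from `netstat -rn`, which is the mismatch described earlier in the thread.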