Print Page - OPNsense 25.7.9 | OpenVPN TAP sempre cria gateway local

Title: OPNsense 25.7.9 | OpenVPN TAP sempre cria gateway local
Post by: glgontijo on December 11, 2025, 09:54:34 PM

Olá pessoal,

Preciso que a VPN TAP (é... tem que ser TAP) não crie o gateway default (rota 0.0.0.0).
Já tentei "route-nopull", "route-noexec" (servidor, cliente via CSC, arquivo de exportação).

Vamos especificar o que eu preciso.

Clientes autenticam com usuário e senha (freeradius, até aqui está perfeito)
Somente clientes com configuração do CSC podem autenticar na VPN
Clientes recebem IP da LAN via CSC
Somente as rotas da LAN devem ser criadas no cliente. Mas ele cria a rota default e com métrica abaixo da já existente. AQUI ESTÁ MEU PROBLEMA!

Seguem os arquivos (editei para remover dados sensíveis)

Servidor: # cat /var/etc/openvpn/*.conf | sed -n '1,200p'
dev ovpns1
ping-timer-rem
topology subnet
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
verify-client-cert require
remote-cert-tls client
server-bridge
username-as-common-name
client-config-dir /var/etc/openvpn-csc/1
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '29533187-c920-428c-b82f-6fd2c670ad14'" via-env
learn-address "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
client-disconnect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
multihome
push "explicit-exit-notify"
push "route 172.16.0.0 255.255.0.0"
route 172.16.0.0 255.255.0.0
persist-tun
persist-key
keepalive 10 60
dev-type tap
dev-node /dev/tap1
script-security 3
writepid /var/run/ovpn-instance-29533187-c920-428c-b82f-6fd2c670ad14.pid
daemon openvpn_server1
management /var/etc/openvpn/instance-29533187-c920-428c-b82f-6fd2c670ad14.sock unix
proto udp4
verb 7
disable-dco
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
port 1194
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
block-ipv6
float
explicit-exit-notify
fast-io
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

Cliente CSC: # cat /var/etc/openvpn-csc/1/guilherme.gontijo@uftm.edu.br | sed -n '1,200p'
ifconfig-push 172.16.7.2 255.255.0.0

Arquivo Exportado:
dev tap
persist-tun
persist-key
data-ciphers-fallback AES-256-GCM
client
resolv-retry infinite
remote 186.248.203.214 1194 udp4
remote 200.131.62.250 1194 udp4
lport 0
verify-x509-name "C=BR, ST=MG, L=Uberaba, O=UFTM, OU=PROTIC, CN=vpnserver-certificate.uftm.br" subject
remote-cert-tls server
auth-user-pass
auth-nocache
route-noexec
route-nopull
<ca>
-----BEGIN CERTIFICATE-----

OBS.: Chat GPT e Gemini não conseguiram me ajudar nessa... kkkk

OPNsense Forum

International Forums => Portuguese - Português => Topic started by: glgontijo on December 11, 2025, 09:54:34 PM