OPNsense Forum

English Forums => Virtual private networks => Topic started by: glgontijo on December 12, 2025, 03:28:24 PM

Title: [Solved] OPNsense 25.7.9 | OpenVPN TAP always creates local gateway
Post by: glgontijo on December 12, 2025, 03:28:24 PM
Hello guys,

I need the TAP VPN (it's... it has to be TAP) to not create the default gateway (route 0.0.0.0).
I've tried "route-nopull", "route-noexec" (server, client via CSC, export file).

Let's specify what I need.

The files follow (I edited them to remove sensitive data):

Server: # cat /var/etc/openvpn/*.conf | sed -n '1,200p'
dev ovpns1
ping-timer-rem
topology subnet
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
verify-client-cert require
remote-cert-tls client
server-bridge
username-as-common-name
client-config-dir /var/etc/openvpn-csc/1
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '29533187-c920-428c-b82f-6fd2c670ad14'" via-env
learn-address "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
client-disconnect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
multihome
push "explicit-exit-notify"
push "route 172.16.0.0 255.255.0.0"
route 172.16.0.0 255.255.0.0
persist-tun
persist-key
keepalive 10 60
dev-type tap
dev-node /dev/tap1
script-security 3
writepid /var/run/ovpn-instance-29533187-c920-428c-b82f-6fd2c670ad14.pid
daemon openvpn_server1
management /var/etc/openvpn/instance-29533187-c920-428c-b82f-6fd2c670ad14.sock unix
proto udp4
verb 7
disable-dco
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
port 1194
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
block-ipv6
float
explicit-exit-notify
fast-io
<tls-crypt>
#
#2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----


Client CSC: # cat /var/etc/openvpn-csc/1/guilherme.gontijo@uftm.edu.br | sed -n '1,200p'
ifconfig-push 172.16.7.2 255.255.0.0



Exported File:
dev tap
persist-tun
persist-key
data-ciphers-fallback AES-256-GCM
client
resolv-retry infinite
remote 186.248.203.214 1194 udp4
remote 200.131.62.250 1194 udp4
lport 0
verify-x509-name "C=BR, ST=MG, L=Uberaba, O=UFTM, OU=PROTIC, CN=vpnserver-certificate.uftm.br" subject
remote-cert-tls server
auth-user-pass
auth-nocache
route-noexec
route-nopull
<ca>
-----BEGIN CERTIFICATE-----


NOTE: ChatGPT and Gemini couldn't help me with this... kkkk

Sorry for bad translation!
Title: Re: OPNsense 25.7.9 | OpenVPN TAP always creates local gateway
Post by: glgontijo on December 12, 2025, 10:23:42 PM
Just to update.
I've found this to be a specific behavior of NetworkManager.

How to solve:
In NetworkManager, within the imported connection, IPv4 tab > Routes, select the "Ignore routes obtained automatically" option. The connection will then only create the route to the VPN IP subnet. No default routes.
It is also possible to use another OpenVPN client; in my case I tested with "OpenVPN Gui Connect" successfully, without having to ignore routes.

On Windows systems, you are not expected to have errors. But I'll still test. If you have a problem, I'll report it here.

I appreciate the space and leave the resolution here.

***
Sorry for poor translation
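
The NetworkManager setting from the post above, as an added example that is not part of the original thread: `ipv4.ignore-auto-routes` is the `nmcli` form of that checkbox, and the helper functions check a routing table for a default route on the TAP device. The profile name passed to `--apply`, the `tap0`/`wlan0` interface names and the sample routing tables are constructed assumptions.

```shell
#!/bin/sh
# Added example: CLI form of the NetworkManager fix plus a routing-table check.
# Interface names (tap0, wlan0) and the sample tables below are assumptions.

# Print every device that carries an IPv4 default route, one per line.
# Reads `ip -4 route show` output on stdin.
default_route_devs() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Return 0 if device $1 carries a default route in the table on stdin.
has_default_via() {
    default_route_devs | grep -qxF -- "$1"
}

# Set the option described in the post on profile $1, then re-activate
# the profile so NetworkManager rebuilds its routes.
ignore_auto_routes() {
    nmcli connection modify "$1" ipv4.ignore-auto-routes yes &&
    nmcli connection up "$1"
}

# Constructed sample tables (not captured from the poster's machine).
SAMPLE_BEFORE='default via 172.16.0.1 dev tap0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
172.16.0.0/16 dev tap0 proto kernel scope link src 172.16.7.2 metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

SAMPLE_AFTER='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
172.16.0.0/16 dev tap0 proto kernel scope link src 172.16.7.2 metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

# Live use: sh fix-routes.sh --apply <profile-name> <tap-device>
if [ "${1:-}" = "--apply" ]; then
    ignore_auto_routes "$2" || exit 1
    if ip -4 route show | has_default_via "$3"; then
        echo "default route still present on $3" >&2
        exit 1
    fi
    echo "no default route on $3"
fi
```

Running the check after every reconnect confirms that only the 172.16.0.0/16 subnet route is bound to the TAP device and that general traffic still leaves through the local gateway.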