OPNsense Forum

English Forums => General Discussion => Topic started by: ikkeT on July 15, 2019, 08:42:24 pm

Title: Route behind openvpn client
Post by: ikkeT on July 15, 2019, 08:42:24 pm
Hi,

I have a RasPi client which connects fine to OpenVPN in OPNsense, and the RasPi routes fine to my home net. I'd like to route back to the net behind the RasPi. OPNsense is the default GW at home. How do I do this?

I tried adding a route to the OPNsense list of routes. Somehow it didn't work. How should this be done?

Let's assume home net is:
192.168.100.0/24, opnsense is 192.168.100.1

OpenVPN net is:
192.168.200.0/24, where both OPNsense and the client get addresses. Let's assume they would be .2 and .3. These are not static, btw.

RasPi is in net:
192.168.300.0/24

How do I tell OPNsense to route to 192.168.300.0 via 192.168.200.3?
Title: Re: Route behind openvpn client
Post by: ikkeT on July 15, 2019, 10:42:16 pm
There seems to be client specific overrides, which could enable setting routes. I'll try tomorrow.
Title: Re: Route behind openvpn client
Post by: ikkeT on July 16, 2019, 02:42:54 pm
This is probably a bit buggy. I added client-specific overrides. Firstly, a separate network just to make sure the client gets the .1 for that network. Secondly, I filled the "IPv4 Remote Network" field with the client's own network. However, this didn't create any routes in OPNsense, nor can I even ping the machine from another one. The client cannot access any of the services in the OPNsense LAN network.

I see the firewall does not create rules for the OpenVPN network other than the server default. So I removed the client-specific IPv4 network to get the client back to the OpenVPN default net. Now I can again ping the LAN machines from the client.

But... still, OPNsense doesn't create the routes for the client network. So site-to-site doesn't work towards the client network. Isn't this a bug?
Title: Re: Route behind openvpn client
Post by: ikkeT on July 16, 2019, 04:34:21 pm
I see the GUI generates client-specific lines into the /var/etc/openvpn-csc/1/impipi file:

iroute 192.168.1.0 255.255.255.0
push "redirect-gateway def1"
push "redirect-gateway def1"

and I see from the log that the internal route (iroute) gets applied in OpenVPN:

openvpn[10947]: impipi/37.130.YYY.X:57049 MULTI: internal route 192.168.1.0/24 -> impipi/37.130.YYY.X:57049

but the host route is not created. Everything works if I do it manually:

route add -net 192.168.1.0/24 192.168.118.3

So the question is, how to make OPNsense create that route? How to get it done automatically at client connect?

For details, my other clients are laptops and mobiles, so the OpenVPN server type is: Remote access SSL/TLS + user auth.
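An added example, not from the original post and not OPNsense's own generated config, of the two OpenVPN directives that together produce the route the poster is adding by hand. It reuses the prefix (192.168.1.0/24) and override file name (impipi) from the thread; the server config path, the claim about which GUI field emits the server-side `route` line, and the RasPi sysctl are assumptions and are marked as such.

```conf
# Added example (not from the original post): the two server-side pieces
# OpenVPN needs to reach a LAN behind a remote-access client. Prefix and
# override name are taken from the thread; everything else is assumed.

# 1) In the OpenVPN *server* config (assumed path on OPNsense:
#    /var/etc/openvpn/server1.conf). This is a kernel route for the client
#    LAN via the tun interface. OpenVPN installs it itself when the server
#    starts, i.e. it is the "route add -net 192.168.1.0/24 ..." the poster
#    currently types by hand. On OPNsense this line is assumed to come from
#    the *server's* own remote-network setting, not from the override's.
route 192.168.1.0 255.255.255.0

# 2) In the client-specific override file (/var/etc/openvpn-csc/1/impipi in
#    the thread). iroute tells OpenVPN which connected client owns the prefix,
#    so packets arriving on tun for 192.168.1.0/24 are sent down impipi's
#    tunnel. Without the matching 'route' in the server config, iroute alone
#    only produces the "MULTI: internal route" log line and the kernel never
#    learns the prefix. Without iroute, the kernel route exists but OpenVPN
#    has no client to hand the packets to and drops them.
iroute 192.168.1.0 255.255.255.0

# Client side (RasPi, assumed Linux): it must forward between tun and its LAN.
#   sysctl -w net.ipv4.ip_forward=1
# The LAN hosts behind it need the RasPi as their route to the VPN and home net.
```

After the client connects, `netstat -rn | grep 192.168.1` on OPNsense should show the prefix reachable via the server's tun interface without any manual `route add`. Two caveats the thread already touches on: the firewall rules on the OpenVPN interface must pass traffic sourced from 192.168.1.0/24 (the automatic rule only covers the tunnel network itself), and the duplicated `push "redirect-gateway def1"` lines in the generated override are harmless but worth cleaning up so it is clear which setting produced them.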