OPNsense 24.1.6 DHCP gateway removed by OpenVPN

[vec7or]

The network in question currently consists of two locations connected by a openvpn tap bridge. Since the update to opensense 24.1.6 the dhcp option 3 (default gateway or router) gets stripped when traffic passes through the bridge. This causes the clients in the other location to no longer be able to reach outside networks due to the missing default route.

Is there a possibility to retain the default gateway in order for all clients to be able to reach the internet?

I have had a look into the openvpn config files and suspect the `server-bridge` directive could be responsible for the removal but have found no option to remove this line from the config. I also tried different redirect-gateway options but to no avail.

[franco]

Hi,

I'm not sure I understand:

> dhcp option 3 (default gateway or router) gets stripped

The option is "stripped"? Is this a DHCRelay case or just that the gateway disappears (but is sent / unstripped).


Cheers,
Franco

[vec7or]

Hi

Sorry for not explaining it more thorougly. The network looks approximately like the one in the image attached. All traffic from client 3 and 4 are routed through the openvpn client into NET01 and then into the internet if necessary.

In order for this to work the ip of the opensense device needs to be set as default gateway inside the dhcp offers. However the offers received from Client 3 and 4 differ from the ones received by Client 1 and 2 in the sense that they do not contain a default gateway option. See attached images.

My current working theory is, that option 3 somehow gets removed by openvpn when the dhcp packets are travelling through the tunnel.

I hope this makes it a little more clear. Otherwise please feel free to ask.

[franco]

Ok so the router option is missing for your one part of your clients? Is this DHCP running over a TAP OpenVPN?


Cheers,
Franco

[vec7or]

Exactly. All Clients in NET02 do not get the DHCP router option.

DHCP is delivered over a OpenVPN TAP interface.

[franco]

It would be beneficial to check the ISC DHCP configuration first, because the gateway cannot be empty in the implementation (unless it's Kea or external which I haven't checked and you haven't said):

/var/dhcpd/etc/dhcpd.conf

See if there is an "option routers" for the network at hand.


Cheers,
Franco

[vec7or]

I am indeed currently using ISC. I tried switching to KEA which works well but still has the same problem. This lead me to believe that the VPN is the problem and not the DHCP service.

However as per your suggestion i checked the /var/dhcpd/etc/dhcpd.conf file and the option routers is present and correct for the network in question. Which is also supported by the fact that clients in NET01 get DHCP offers with the gateway correctly set.

Is there a possibility to manually override the OpenVPN configs to see if for example removing server-bridge has an impact?