Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Troubleshooting OpenVPN Internal Routing (iroute)

When configuring a site-to-site PKI (SSL) OpenVPN setup, an internal route must be configured for the client subnet on the Client Specific Overrides tab set for the client certificate’s common name, using either the IPv4/IPv6 Remote Network/s boxes or manually using an iroute statement in the advanced settings. Each network listed in the IPv4 Remote Network/s and IPv4 Remote Network/s boxes will have an iroute created automatically.

Next, ensure that the common name matches and that the internal route is being learned/added as it should be. Log verbosity in OpenVPN may need increased to see if this is working. On Status > OpenVPN the internal routing for the OpenVPN server may also be viewed while the client is connected.

For each network that needs an iroute statement, the server definition must also have the same network(s) listed as IPv4/IPv6 Remote Networks or as route statements in the advanced options box.

For example:

  • Server1 custom options:

    push "route a.a.a.0 255.255.255.0";
    route b.b.b.0 255.255.255.0;
    
  • Client Specific Overrides for Common Name client1:

    • IPv4 Remote Network/s set to b.b.b.0/24 -OR-

    • Advanced options:

      iroute b.b.b.0 255.255.255.0;
      

client1 custom options:

(blank -- no route statements needed)

On the server side, every iroute needs a corresponding route. The route entries are for the OS to know that the subnet(s) should be routed to OpenVPN from at the OS level. The iroute statements are internal to OpenVPN, so it knows which network goes to which client based on its certificate.

See Also: