Troubleshooting OpenVPN Internal Routing (iroute)

For a site-to-site PKI (SSL/TLS) OpenVPN setup with a tunnel network larger than a /30, OpenVPN must have an internal route (iroute) for each client subnet. Without the internal route, the firewall forwards traffic into OpenVPN, but OpenVPN drops it because it cannot determine which connected client owns the destination. A couple of common scenarios cause difficulties here.

The Remote Network (route) definitions on the server settings inform the firewall operating system that the networks must be routed to an OpenVPN instance. The Remote Network (iroute) options on the Client Specific Override inform OpenVPN internally which networks are associated with a specific client certificate.

Check Internal Route Configuration

Internal routes are set by a Client Specific Overrides entry which matches the client certificate common name. In the override, the IPv4/IPv6 Remote Network/s boxes can set up this internal routing, or it can be performed manually using an iroute statement in the advanced settings.

The firewall creates iroute statements automatically for each network listed in the IPv4 and IPv6 Remote Network/s fields of an override.

Next, ensure that the common name on the override exactly matches the common name of the client certificate and that OpenVPN learns the internal route when the client connects. Log verbosity in OpenVPN may need to be increased to confirm this. The internal routing for an OpenVPN server may also be viewed at Status > OpenVPN while the client is connected.

For each network that needs an iroute statement, the server definition must also have the same network(s) listed as IPv4/IPv6 Remote Networks or as route statements in the Custom options box.
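The two consistency conditions above (every iroute must be inside a route the server knows, and every server route should be claimed by some client's iroute) can be checked offline against the text of the server's Custom options and the override contents. The following is an added example, not code from pfSense or the OpenVPN project. The sample option text and the common names (site-b, site-c, site-d) are constructed for illustration. Treating a wider server route that contains an iroute as sufficient coverage is an assumption of this checker, made because only the firewall's route into the tunnel interface has to match. The helper iroute_from_cidr shows the netmask form that the Remote Network/s field is rendered into.

```python
import ipaddress

# Constructed sample data (not taken from a real firewall): the server's
# Custom options box, and the override contents OpenVPN reads from the
# client-config-dir, keyed by the client certificate Common Name.
SERVER_CUSTOM_OPTIONS = """
push "route 10.10.0.0 255.255.255.0";
route 10.20.0.0 255.255.255.0;
route 10.30.0.0 255.255.0.0;
route 10.50.0.0 255.255.255.0;
route-ipv6 fd00:30::/48;
"""

CLIENT_OVERRIDES = {
    "site-b": "iroute 10.20.0.0 255.255.255.0",
    "site-c": "iroute 10.30.5.0 255.255.255.0\niroute-ipv6 fd00:30:0:1::/64",
    "site-d": "iroute 10.40.0.0 255.255.255.0",
}


def iroute_from_cidr(cidr):
    """Render a Remote Network/s entry (CIDR) as the iroute line OpenVPN
    expects: dotted netmask for IPv4, prefix length for IPv6."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        return f"iroute {net.network_address} {net.netmask}"
    return f"iroute-ipv6 {net.with_prefixlen}"


def parse_networks(text, keywords):
    """Collect the networks declared by the given option keywords.

    push "route ..." lines are skipped on purpose: they install routes on
    the client and say nothing about the server's own routing."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("push"):
            continue
        parts = line.split()
        if parts[0] not in keywords:
            continue
        if len(parts) == 3:      # route / iroute  NETWORK NETMASK
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif len(parts) == 2:    # route-ipv6 / iroute-ipv6  PREFIX/LEN
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def _contained(net, candidates):
    """True when some candidate of the same IP version contains net."""
    return any(c.version == net.version and net.subnet_of(c) for c in candidates)


def check_overrides(server_options, overrides):
    """Return (uncovered, unclaimed).

    uncovered: per CN, iroute networks that no server-side route contains.
               A wider route containing the iroute counts as coverage here
               (assumption of this checker).
    unclaimed: server routes that no client's iroute accounts for. The OS
               forwards that traffic into OpenVPN, which drops it because
               no connected client owns the destination."""
    routes = parse_networks(server_options, ("route", "route-ipv6"))
    all_iroutes = []
    uncovered = {}
    for cn, ccd_text in overrides.items():
        iroutes = parse_networks(ccd_text, ("iroute", "iroute-ipv6"))
        all_iroutes.extend(iroutes)
        missing = [str(n) for n in iroutes if not _contained(n, routes)]
        if missing:
            uncovered[cn] = missing
    unclaimed = [str(r) for r in routes
                 if not any(i.version == r.version and i.subnet_of(r)
                            for i in all_iroutes)]
    return uncovered, unclaimed


if __name__ == "__main__":
    bad, orphaned = check_overrides(SERVER_CUSTOM_OPTIONS, CLIENT_OVERRIDES)
    for cn, nets in bad.items():
        print(f"{cn}: iroute without matching server route: {', '.join(nets)}")
    for net in orphaned:
        print(f"server route {net} is claimed by no client iroute")
```

With the constructed data, site-d is flagged because 10.40.0.0/24 has no server route (OpenVPN would still accept the client, but the firewall never sends that traffic into the tunnel), and 10.50.0.0/24 is reported as a server route with no owner (the firewall forwards it into OpenVPN, which drops it). site-c passes because its /24 sits inside the server's /16 route and its IPv6 /64 sits inside the /48.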

Example Configuration

This is a basic example which demonstrates routing a single subnet to a specific client.

  • Server1 custom options:

    push "route a.a.a.0 255.255.255.0";
    route b.b.b.0 255.255.255.0;
    
  • Client Specific Overrides for Common Name client1:

    • IPv4 Remote Network/s set to b.b.b.0/24 OR

    • Advanced options:

      iroute b.b.b.0 255.255.255.0;
      

  • client1 custom options:

    (blank -- no route statements needed)

Single Client Strategy Without Internal Routing

For a site-to-site setup between only two locations, the tunnel network can be a /30 so that OpenVPN uses peer-to-peer mode and does not require iroute statements to reach client networks. In this case, use the IPv4/IPv6 Remote Network/s fields on both sides to set up the routes; no Client Specific Override is needed.

See also

See the note at IPv4/IPv6 Tunnel Network for more information.