ovpnmain.cgi: Manually push a different gateway for static pools
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 14 Sep 2025 10:01:34 +0000 (12:01 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 14 Sep 2025 10:01:34 +0000 (12:01 +0200)
This is because in "topology subnet", ifconfig-push is massively broken.
The client is not able to configure any routes correctly by pointing
them to the interface. Instead it is trying to use the gateway address
from the dynamic pool as gateway which cannot be reached if the client
only has an IP address from another subnet. Pushing host routes is not
supported, so we have to create a hack here and pretend that there is a
gateway in the static pool somewhere.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/ovpnmain.cgi

index ccf46fb02f62fad630fe65094bed254c3c8735d2..b40f5ee1e3082847be2449e0d1a55b4c1ffa957a 100644 (file)
@@ -605,7 +605,6 @@ sub write_ccd_configs() {
        foreach my $key (keys %conns) {
                my $name = $conns{$key}[1];
                my $type = $conns{$key}[3];
-               my $gateway = "";
 
                # Skip anything that isn't a host connection
                next unless ($type eq "host");
@@ -637,12 +636,25 @@ sub write_ccd_configs() {
 
                        # The gateway is always the first address in the network
                        # (this is needed to push any routes below)
-                       $gateway = &Network::find_next_ip_address($netaddr, 1);
+                       my $gateway = &Network::find_next_ip_address($netaddr, 1);
 
                        if (defined $address && defined $network && defined $netmask) {
                                print CONF "# Allocated IP address from $pool\n";
-                               print CONF "ifconfig-push ${address} ${netmask}\n\n";
+                               print CONF "ifconfig-push ${address} ${netmask}\n";
                        }
+
+                       # Push the first address of the static pool as the gateway.
+                       # Withtout this pushed, the client will receive the first IP address
+                       # of the dynamic pool which will cause problems later on:
+                       # Any additional routes won't be able to reach the dynamic gateway
+                       # but pushing a host route is not possible, because the OpenVPN client
+                       # does not seem to understand how a layer 3 VPN works.
+                       if (defined $gateway) {
+                               print CONF "push \"route-gateway ${gateway}\"\n";
+                       }
+
+                       # End the block
+                       print CONF "\n";
                }
 
                # Redirect Gateway?
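Review bot: The new `push "route-gateway ${gateway}"` block is guarded only by `defined $gateway`, whereas the `ifconfig-push` just above it also requires `$address`, `$network` and `$netmask` to be defined; if the address allocation can fail while `$netaddr` is still set, the client would keep a dynamic-pool address but be told to use a gateway inside the static pool, which is the unreachable-gateway situation the commit message describes. Tightening the guard to `if (defined $address && defined $gateway) {` (or moving the push into the preceding block) keeps the two directives in step. `$gateway` is interpolated verbatim into a quoted OpenVPN directive, so if `Network::find_next_ip_address` can return anything other than a plain address for an unexpected `$netaddr` — not visible from this hunk — the value should be checked before it is written to the CCD file. The new comment has a typo: `Withtout` should read `Without`. The body of `write_ccd_configs` continues on both sides of this hunk.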
@@ -714,7 +726,7 @@ sub write_ccd_configs() {
                                        next;
                                }
 
-                               print CONF "push \"route $netaddress $netmask $gateway\"\n";
+                               print CONF "push \"route $netaddress $netmask\"\n";
                        }
 
                        # Newline