From 6b486bac32699ba9d7f8abc5a4201e5a8a4fec41 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 14 Sep 2025 12:01:34 +0200
Subject: [PATCH] ovpnmain.cgi: Manually push a different gateway for static pools
This is because in "topology subnet", ifconfig-push is massively broken. The client is not able to configure any routes correctly by pointing them to the interface. Instead it is trying to use the gateway address from the dynamic pool as gateway which cannot be reached if the client only has an IP address from another subnet. Pushing host routes is not supported, so we have to create a hack here and pretend that there is a gateway in the static pool somewhere.
Signed-off-by: Michael Tremer
---
 html/cgi-bin/ovpnmain.cgi | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index ccf46fb02..b40f5ee1e 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -605,7 +605,6 @@ sub write_ccd_configs() {
 foreach my $key (keys %conns) {
 my $name = $conns{$key}[1];
 my $type = $conns{$key}[3];
- my $gateway = "";
 # Skip anything that isn't a host connection
 next unless ($type eq "host");
@@ -637,12 +636,25 @@ sub write_ccd_configs() {
 # The gateway is always the first address in the network
 # (this is needed to push any routes below)
- $gateway = &Network::find_next_ip_address($netaddr, 1);
+ my $gateway = &Network::find_next_ip_address($netaddr, 1);
 if (defined $address && defined $network && defined $netmask) {
 print CONF "# Allocated IP address from $pool\n";
- print CONF "ifconfig-push ${address} ${netmask}\n\n";
+ print CONF "ifconfig-push ${address} ${netmask}\n";
 }
+
+ # Push the first address of the static pool as the gateway.
+ # Withtout this pushed, the client will receive the first IP address
+ # of the dynamic pool which will cause problems later on:
+ # Any additional routes won't be able to reach the dynamic gateway
+ # but pushing a host route is not possible, because the OpenVPN client
+ # does not seem to understand how a layer 3 VPN works.
+ if (defined $gateway) {
+ print CONF "push \"route-gateway ${gateway}\"\n";
+ }
+
+ # End the block
+ print CONF "\n";
 }
 # Redirect Gateway?
@@ -714,7 +726,7 @@ sub write_ccd_configs() {
 next;
 }
- print CONF "push \"route $netaddress $netmask $gateway\"\n";
+ print CONF "push \"route $netaddress $netmask\"\n";
 }
 # Newline
--
2.47.3
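Review bot: The new `push "route-gateway ${gateway}"` is written outside the `defined $address && defined $network && defined $netmask` guard, so it goes into the CCD block of every host connection that reaches this point, not only of hosts that actually received an `ifconfig-push` from a static pool. If `$netaddr` (computed above the hunk) can be set for a host without a static allocation, that client's dynamic-pool gateway would be overridden by an address in a subnet it does not hold — the same unreachable-gateway failure this commit is fixing, in reverse — so the push should share the address guard, e.g. `if (defined $address && defined $gateway) {`. The comment block should also record the assumption the hack rests on, something like `# Relies on the pool allocator never handing the first address of the static network to a client, since that address is advertised as the next hop`, and "Withtout" is a typo. write_ccd_configs and its foreach loop start before and continue after this hunk.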
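Review bot: Dropping `$gateway` from the `push "route ..."` line makes every pushed route depend on the `route-gateway` written earlier in the same CCD block, and a reader of this loop cannot see that coupling from here, so the line deserves a comment such as `# No explicit next hop: the client uses the route-gateway pushed earlier in this block`. For a CCD block that carries no `route-gateway`, the client presumably falls back to the server's default gateway from the dynamic pool, which is only correct for dynamic-pool clients — worth stating in that comment as well. The enclosing loop starts before the hunk.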