From 771afe5726c4faef8efeea7e569b7537ed78c9aa Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun, 14 Sep 2025 12:08:58 +0200
Subject: [PATCH] ovpnmain.cgi: Add the option for the firewall to reach
 OpenVPN clients

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index b40f5ee1e..37b6de88b 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -653,6 +653,15 @@ sub write_ccd_configs() {
 				print CONF "push \"route-gateway ${gateway}\"\n";
 			}
 
+			# Add a host route for the dynamic pool gateway so that
+			# the firewall can reach the client without needing to assign
+			# the gateway IP address of the static pool to the tun interface.
+			$netaddr = &Network::get_netaddress($vpnsettings{'DOVPN_SUBNET'});
+			$gateway = &Network::find_next_ip_address($netaddr, 1);
+			if (defined $gateway) {
+				print CONF "push \"route ${gateway} 255.255.255.255\"\n";
+			}
+
 			# End the block
 			print CONF "\n";
 		}
-- 
2.47.3