Below is the server config:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_xxx.crt
key /etc/openvpn/easy-rsa/pki/private/server_xxx.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# push "route 10.8.0.0/24"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
route 192.168.20.0 255.255.255.0 10.8.0.2 1
route 192.168.10.0 255.255.255.0 10.8.0.2 1
# Prevent DNS leaks on Windows
# push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-to-client
keepalive 10 120
remote-cert-tls client
# tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Client config directory
client-config-dir /etc/openvpn/ccd
With the Edge router having the following settings:
openvpn vtun1 {
hash sha256
mode client
openvpn-option "--tls-auth /config/auth/ta.key 0"
openvpn-option --comp-lzo
openvpn-option "--verb 3"
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--verify-x509-name server_xxx name"
openvpn-option "--remote-cert-tls server"
openvpn-option --persist-tun
openvpn-option --persist-key
openvpn-option --nobind
openvpn-option "--resolv-retry infinite"
openvpn-option "--key-direction 1"
protocol udp
remote-host xxx
remote-port 1194
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/xxx.crt
key-file /config/auth/xxx.key
}
}
The connection works without any issues: I can VPN to the Ubuntu box and access the EdgeRouter network, and access the VPN server via the EdgeRouter network.
The issue is that once the VPN connects it creates a connected route:
C *> 0.0.0.0/4 is directly connected, vtun1
C 0.0.0.0/4 is directly connected, vtun1
This is causing issues with some traffic trying to load through the VPN and causing connection issues.
On the router I have tried to add the following, with no change:
--route-nopull
--route-noexec
Is there a way for OpenVPN not to push the connected route, or to change it so the connected route is 10.8.0.0/24 instead of 0.0.0.0/4?
Or am I doing something wrong with how I have set it up, causing it to create a connected route of 0.0.0.0/4?
Any help would be great.
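One way to narrow a question like this is to work out, from the server config alone, which prefixes a client is supposed to end up with and compare that list with what the router's routing table actually shows. The script below is an added example and is not part of the original post or of OpenVPN or EdgeOS; it parses a trimmed copy of the server config quoted above (constructed inline, with the same `server`, `push "route ..."` and `topology` lines), derives the expected client-side networks, reports any observed prefix that nothing in the config explains (here the `0.0.0.0/4` entry from the thread), and also flags a few settings a reviewer would note in that config (`comp-lzo` enabled, `tls-version-min` commented out). The observed-route list and the finding wording are the example's own assumptions.

```python
import ipaddress
import shlex

# Trimmed copy of the server config from the thread (constructed for this
# example; only the directives that matter for routing and hardening).
SERVER_CONF = """\
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
route 192.168.20.0 255.255.255.0 10.8.0.2 1
route 192.168.10.0 255.255.255.0 10.8.0.2 1
# push "redirect-gateway def1"
client-to-client
remote-cert-tls client
# tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""


def parse_directives(text):
    """Return (name, args) for each non-comment line, honouring quoted args."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def _cidr(addr, mask):
    """Normalise 'addr mask' (or 'addr/len') into canonical CIDR text."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def expected_client_routes(directives):
    """Prefixes a client should hold after connecting to this server config.

    Covers the VPN subnet itself ('server' with topology subnet), every
    push "route a.b.c.d mask", and redirect-gateway if it were enabled.
    Server-side 'route' lines are not pushed, so they are ignored here.
    """
    nets = set()
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            nets.add(_cidr(args[0], args[1]))
        elif name == "push" and args:
            inner = shlex.split(args[0])  # 'route 192.168.20.0 255.255.255.0'
            if inner and inner[0] == "route" and len(inner) >= 3:
                nets.add(_cidr(inner[1], inner[2]))
            elif inner and inner[0] == "redirect-gateway":
                if "def1" in inner:
                    nets.update({"0.0.0.0/1", "128.0.0.0/1"})
                else:
                    nets.add("0.0.0.0/0")
    return nets


def unexpected_routes(observed, expected):
    """Observed prefixes that no pushed route or VPN subnet accounts for."""
    norm = [str(ipaddress.ip_network(r, strict=False)) for r in observed]
    return [r for r in norm if r not in expected]


def hardening_findings(directives):
    """Settings in the server config a reviewer would flag."""
    names = {n for n, _ in directives}
    findings = []
    if "comp-lzo" in names or "compress" in names:
        findings.append("comp-lzo: compression is deprecated in OpenVPN 2.4+; disable it")
    if "tls-version-min" not in names:
        findings.append("tls-version-min missing: uncomment 'tls-version-min 1.2'")
    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append("no tls-auth/tls-crypt: control channel lacks HMAC protection")
    return findings


if __name__ == "__main__":
    directives = parse_directives(SERVER_CONF)
    expected = expected_client_routes(directives)
    # Constructed 'observed' list modelled on the vtun1 entry quoted in the thread.
    observed = ["0.0.0.0/4", "10.8.0.0/24"]
    print("expected on client:", sorted(expected))
    print("unexplained by server config:", unexpected_routes(observed, expected))
    for f in hardening_findings(directives):
        print("finding:", f)
```

Run it and the only unexplained prefix is `0.0.0.0/4`: nothing in the posted server config pushes it, and the `route-nopull` test from the thread (which discards pushed routes) points the same way, so the entry is worth chasing on the client side (the `vtun1` interface setup on the router) rather than in the server's `push` lines.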