Routes are not learned through OpenVPN site-to-site configuration
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
While setting up a site-to-site VPN utilizing OpenVPN, routes were not being properly learned, requiring manual addition through the CLI and/or WebGUI.
To Reproduce
Steps to reproduce the behavior:
- Configure OpenVPN on relevant OPNsense instances as per https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html
- Visit VPN -> OpenVPN -> Connection Status on either instance
- Observe that either end reports
ERROR: FreeBSD route add command failed: external program exited with error status: 1
- Visit System -> Routes -> Configuration
- Observe that the only routes learned are the OpenVPN tunnel network, not any of the site networks.
- Upon shutdown of OpenVPN, observe that either end reports
ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Expected behavior
Routes are learned successfully through proper configuration of the OpenVPN server
Describe alternatives you considered
Accessing the CLI on both routers and running route add $network_in_cidr_format $destination_ovpn_ip_address completed successfully and correctly; after deleting the route using the relevant command and adding it through the web GUI, it was added successfully as well, persisting after reboots.
Screenshots
Server configuration:
Server routes learned (Via VPN -> OpenVPN -> Connection Status -> Routes)
Server routes learned (Via System -> Routes -> Status)
Client configuration:
Client routes learned (Via VPN -> OpenVPN -> Connection Status -> Routes)
Client routes learned (Via System -> Routes -> Status)
Relevant log files
Server OpenVPN logs:
2024-02-22T09:41:39-06:00 Warning openvpn_server1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:41:39-06:00 Warning openvpn_server1 WARNING: --keepalive option is missing from server config
2024-02-22T09:40:29-06:00 Error openvpn_server1 event_wait : Interrupted system call (fd=-1,code=4)
2024-02-22T09:34:58-06:00 Warning openvpn_server1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:34:58-06:00 Warning openvpn_server1 WARNING: --keepalive option is missing from server config
2024-02-22T09:34:55-06:00 Error openvpn_server1 event_wait : Interrupted system call (fd=-1,code=4)
2024-02-22T09:34:40-06:00 Warning openvpn_server1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:34:40-06:00 Warning openvpn_server1 WARNING: --keepalive option is missing from server config
Client OpenVPN logs:
2024-02-22T09:41:54-06:00 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:41:54-06:00 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:41:53-06:00 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:41:53-06:00 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:39:36-06:00 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:39:36-06:00 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:37:33-06:00 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:37:33-06:00 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:35:18-06:00 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:35:16-06:00 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22T09:35:16-06:00 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-02-22T09:35:14-06:00 Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
2024-02-22T09:35:14-06:00 Warning openvpn_client1 ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Note: Logs have been truncated due to their length. I am willing to provide full logs upon request.
Additional context
This has been performed in a virtual environment on VMware Workstation 16 Pro. Due to everything being virtualized and no sensitive information being used in these, I am willing to provide the configuration used on both the client and server endpoints to facilitate troubleshooting.
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 24.1.2_1 (amd64)
CPU: Intel Core i5-1135G7 (each VM has 4 cores)
NICs: Intel 82545EM (emulated through VMware)
OpenVPN version: 2.6.9
Server network: 192.168.184.1/24
Client network: 192.168.208.1/24
OpenVPN tunnel network: 10.150.199.0/24
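A post-connect check, added here as an example and not part of the issue or of OPNsense: it takes the output of netstat -rn -f inet and reports which expected remote networks are absent from the FreeBSD routing table, which is the symptom described above. The routing-table sample is constructed to mirror the report (only the tunnel network learned, the other site's network missing), and the interface name ovpnc1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the issue): verify that the remote site networks of an
# OpenVPN site-to-site setup actually landed in the FreeBSD routing table.

# Constructed sample of `netstat -rn -f inet` on the client side. Only the tunnel
# network (10.150.199.0/24) is present; the server's LAN (192.168.184.0/24) is not,
# matching the behaviour described in the report. Interface name ovpnc1 is assumed.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.208.254    UGS         em0
10.150.199.0/24    10.150.199.1       UGS      ovpnc1
10.150.199.2       link#4             UH       ovpnc1
127.0.0.1          link#2             UH         lo0
192.168.208.0/24   link#1             U           em0
192.168.208.1      link#1             UHS         lo0'

# missing_tunnel_routes ROUTES_TEXT NET...
# Prints each NET that has no exact match in the Destination column.
missing_tunnel_routes() {
    routes=$1; shift
    for net in "$@"; do
        # Compare the first column literally; awk avoids escaping dots and slashes.
        if ! printf '%s\n' "$routes" | awk -v n="$net" '$1 == n { found=1 } END { exit !found }'; then
            printf '%s\n' "$net"
        fi
    done
}

# routes_ok ROUTES_TEXT NET...  -> exit 0 when every NET is present, 1 otherwise.
routes_ok() {
    [ -z "$(missing_tunnel_routes "$@")" ]
}

# On a live OPNsense box, replace the sample with "$(netstat -rn -f inet)".
missing_tunnel_routes "$SAMPLE_ROUTES" 192.168.184.0/24 10.150.199.0/24
```

Run it after VPN -> OpenVPN -> Connection Status shows the tunnel up; any network it prints is one the CSO or server route configuration did not deliver to the kernel.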
You need a client specific override with CN and set remote network there too
While it wasn't shown before, I do have that already on the server side, again configured as per the documentation
I realized my prior screenshot didn't show the CSO settings, so here's the actual settings
Please, select the proper tunnel in the field "Servers". It solved for me.
Has anyone managed to solve it? I currently have the same problem. I have selected the proper tunnel in the field "Servers".
Same here:
Warning openvpn_client1 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Notice openvpn_client1 /sbin/route add -net 192.168.5.0 10.100.10.1 255.255.255.0
Notice openvpn_client1 /sbin/route add -net 192.168.5.0 10.100.10.1 255.255.255.0
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.