Newer versions of OPNsense OpenVPN don't have a field for pushing custom routes to the OpenVPN client using CSOs (Client Specific Overrides).
So if you have a configuration that redirects all traffic over the OpenVPN tunnel and also want to add custom routes so that some subnets are excluded from the tunnel for a specific client, you have to choose another way.
As a workaround on Windows 11 I added the following redirect-gateway and route options to the ovpn file downloaded from OPNsense.
The net_gateway parameter is supported by the OpenVPN Connect client on Windows 11 (and macOS), and with it I can successfully contact devices on the subnets excluded from going across the tunnel.
dev tun
persist-tun
persist-key
client
resolv-retry infinite
remote vpn.example.com 1194 udp
lport 0
verify-x509-name "C=AU, ST=Sydney, L=Robertson, O=Toggen Group Pty Ltd, [email protected], CN=opnsense-openvpn-server-cert" subject
remote-cert-tls server
auth-user-pass
redirect-gateway def1 ipv6
route 10.20.81.0 255.255.255.0 net_gateway
route 10.81.81.0 255.255.255.0 net_gateway
route 192.168.74.0 255.255.255.0 net_gateway
<ca>
-----BEGIN CERTIFICATE-----
MIIEYzCCA0ugAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMCQVUx
...snippage
bHvg4GLGpx/xNRRQju/CGNPV+jAyT0c=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMCQVUx
...snippage
QIfV/vuF8lfd/W8qtzJrIpl2NkTUg8wbXr0St/4fDcnMZRoCuJ7UhnM=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNBgzYeUOm4MQk
...snippage
mGRs62kyOH2zHtE9XueV9RA=
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
c899ed74ba15a12971094a30155de5a0
...snippage
ce6aea0ceafad49460b073d913900143
-----END OpenVPN Static key V1-----
</tls-crypt>
The net_gateway OpenVPN conf keyword is unsupported on Ubuntu 26.04 LTS / NetworkManager
On Ubuntu 26.04 LTS I couldn't import the above ovpn file because NetworkManager doesn't support the net_gateway parameter.
Explicit routes didn't work either
I tried to add explicit routes into the ovpn file and import it via NetworkManager, but it added the routes to the wrong device, tun0, instead of the wireless interface (wlp0s20f3).
# this doesn't work in Ubuntu 26.04 LTS because the routes on my laptop
# were added to the wrong interface tun0 instead of the WiFi interface
route 10.20.81.0 255.255.255.0 10.198.4.1
route 10.81.81.0 255.255.255.0 10.198.4.1
route 192.168.74.0 255.255.255.0 10.198.4.1
A NetworkManager Dispatcher Script Works
So to get everything routed over the tunnel except the above routes required a script which NetworkManager runs on the vpn-up event.
#!/bin/bash
# /etc/NetworkManager/dispatcher.d/50-openvpn-up.sh
# NetworkManager runs this as root on every network event.
# $1 = interface name (e.g., tun0)
# $2 = action (e.g., vpn-up)
# The file must be owned by root and executable (chmod 755) or NetworkManager ignores it.
INTERFACE="$1"
ACTION="$2"
# echo $1 $2 >> /tmp/dispatcher.log
if [ "$ACTION" = "vpn-up" ]; then
    # Install the bypass routes via the WiFi gateway (10.198.4.1) rather than tun0,
    # one per subnet that was excluded in the ovpn file above
    ip route add 10.20.81.0/24 via 10.198.4.1
    ip route add 10.81.81.0/24 via 10.198.4.1
    ip route add 192.168.74.0/24 via 10.198.4.1
fi
Here are a number of interfaces and actions logged from the above script. Notice how we only react to vpn-up, but you could customise the script to do something on many different events.
This sample lists the interface and action ($INTERFACE $ACTION), and sometimes just the $ACTION:
tun0 vpn-up
tun0 up
none hostname
connectivity-change
lo up
dns-change
wlp0s20f3 dhcp4-change
wlp0s20f3 up
connectivity-change
lxcbr0 up
connectivity-change
dns-change
wlp0s20f3 dhcp6-change
waydroid0 up
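The script above hard-codes the WiFi gateway and only reacts to vpn-up. The following is an added example, not part of the original post: it reads the physical uplink's gateway and device from the pre-VPN default route (skipping the tun default route the tunnel installs, which is exactly where the explicit routes ended up earlier), installs the three bypass routes on vpn-up, removes them on vpn-down, and checks afterwards that each excluded subnet really resolves to the uplink and not tun0. The file name, the "openvpn-bypass" logger tag and the route-building helpers are my own; the subnets and gateway are the ones from this page.

```shell
#!/bin/bash
# /etc/NetworkManager/dispatcher.d/50-openvpn-bypass.sh  (hypothetical file name)
# NetworkManager runs dispatcher scripts as root with $1 = interface, $2 = action.
# The file must be owned by root and mode 0755 or NetworkManager ignores it.
# Subnets that must stay off the tunnel (the three routes from the ovpn file above)
BYPASS_NETS="10.20.81.0/24 10.81.81.0/24 192.168.74.0/24"

# Given the text of `ip -4 route show default`, print "GATEWAY DEVICE" for the
# physical uplink. Any default route NetworkManager added over tun* (the
# redirect-gateway route) is skipped, so the bypass routes never land on tun0.
uplink_from_routes() {
    printf '%s\n' "$1" |
        awk '$1 == "default" && $2 == "via" && $5 !~ /^tun/ { print $3, $5; exit }'
}

# Print one ip(8) command per bypass subnet. vpn-up installs them with
# "replace" (safe to re-run after a reconnect), vpn-down removes them;
# any other action prints nothing.
route_cmds() {
    action="$1"; gw="$2"; dev="$3"
    case "$action" in
        vpn-up)   verb=replace ;;
        vpn-down) verb=del ;;
        *)        return 0 ;;
    esac
    for net in $BYPASS_NETS; do
        printf 'ip route %s %s via %s dev %s\n' "$verb" "$net" "$gw" "$dev"
    done
}

# Dispatcher entry point (does nothing when run without NetworkManager's arguments)
ACTION="${2:-}"
case "$ACTION" in
    vpn-up|vpn-down)
        set -- $(uplink_from_routes "$(ip -4 route show default)")
        GW="${1:-}"; DEV="${2:-}"
        if [ -z "$GW" ]; then
            logger -t openvpn-bypass "no physical default route found; not touching routes"
            exit 1
        fi
        route_cmds "$ACTION" "$GW" "$DEV" | while read -r cmd; do $cmd; done
        # After vpn-up, confirm each excluded subnet really resolves to the uplink
        if [ "$ACTION" = vpn-up ]; then
            for net in $BYPASS_NETS; do
                ip route get "${net%/*}" | grep -q "dev $DEV " ||
                    logger -t openvpn-bypass "WARNING: $net is still routed through the tunnel"
            done
        fi
        ;;
esac
```

A warning from the verification loop shows up in the journal (journalctl -t openvpn-bypass), which is the quickest way to notice that a subnet is silently going through the tunnel after a reconnect.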