jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

OpenVPN implementation vs default gateway

Sun Aug 16, 2009 9:58 pm

I have set up OpenVPN server on an RB450G today, and all seems well. I have multiple networks bridged within the same session, DNS is working and the local network is accessible.

However the default gateway option seems to be broken (ROS v3.28). It seems that an option is being sent to the client; the client notes the following:
Sun Aug 16 19:31:17 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.1.2.1,route-gateway 10.1.2.76,ifconfig 10.1.2.75 255.255.255.0
So the DNS server and IP address are being sent, and an (invalid!) gateway is being pushed down.

This gateway is pingable, and it seems that PPP is allocating addresses in pairs -- the .76 address is definitely being responded to by the RB.

Initially both addresses appear in the PPP active print, but the .76 disappears after a period of time.

I can manually configure a route to the VPN from the client configuration, but is there any way of pushing the (correct) "default gateway" DHCP option down to the client through PPP in the same way as the DNS is? Seems that it should be straightforward -- if the DNS (and WINS) options can be sent, why is there no similar option for gateway?
 
jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

Re: OpenVPN implementation vs default gateway

Sun Aug 16, 2009 10:24 pm

Just for clarification:

1) The *actual* default gateway is 10.1.2.1, the same as the DNS.

2) The 10.1.2.76 address is being assigned to the RB as a gateway address to the client. .75 is the client address in this instance (it's taking these from a pool -- the only way I could get OVPN to work was to assign both remote and local addresses to the pool in the PPP profile).

3) This "gateway" is recognised by the client but is not being added as a DHCP default gateway (I think that an actual DHCP option would need to be sent to get a default gateway, and thus a route, onto the client).

I wish to send the client a default gateway, rather than requiring the configuration of a manual route on the client.
 
jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

Re: OpenVPN implementation vs default gateway

Mon Aug 17, 2009 12:52 am

Looking into this further it would appear that the "redirect-gateway" option is what is required, but I cannot find this in ROS.

If this were in place I believe that the "route-gateway" would indeed work with redirect to give me what I want.

So, is this option available somewhere, and if so, how do I get to it? If not, do you have any plans to implement it? It surely can be no more than a few extra lines of code!

The alternative is to insert a script into the client configuration inserting 0.0.0.0/1 and 128.0.0.0/1 pointing to 10.1.2.1. This would be fine, except that I wish to have multiple profiles running. These work, but it would mean having a different configuration for each profile (or divide into separate pools with a common gateway and route, rather than bridge, the network -- but that is not secure). Whilst that is reasonable enough, it may not scale too well.

Of course, putting in a default route isn't a huge headache but the fact remains that really the option should be available from the outset, don't you think?
 
jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

Re: OpenVPN implementation vs default gateway

Mon Aug 17, 2009 5:00 pm

No-one have an answer to this?

The problem is made worse by the fact that, in routing mode, a separate interface is created for each connection.

Great, except that routing to other subnets if the address is assigned from a pool! (No way of statically assigning routes on a Windows PC to a dynamically-assigned interface).

Come on, this is a fundamental issue, there must surely be a way around it?
 
tscarborough
just joined
Posts: 10
Joined: Wed Jun 06, 2007 3:48 am

Re: OpenVPN implementation vs default gateway

Wed Aug 19, 2009 9:57 am

I have got this to work somewhat like what you are talking about.

This is an example of how I have an openvpn connection routing all of the private IP space through a mikrotik router.
I created an openvpn bridge ovpn-br0 with address of 192.168.5.129
pool of openvpn with addresses 192.168.130-192.168.5.134

# OpenVPN server in ethernet (bridged, layer 2) mode
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=\
    blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes \
    keepalive-timeout=60 mac-address=00:13:CD:24:6D:CC max-mtu=1500 mode=\
    ethernet netmask=29 port=1194 require-client-certificate=no

# PPP profile used by the server: fixed local address, client addresses from the pool
/ppp profile
add bridge=ovpn-br0 change-tcp-mss=yes comment="" incoming-filter=ovpn-in \
    local-address=192.168.5.129 name=openvpn only-one=default remote-address=\
    ovpn use-compression=default use-encryption=yes use-vj-compression=\
    default


on openvpn client at end of config file

route-method exe
route-delay 2
route 192.168.0.0 255.255.0.0
route 10.0.0.0 255.0.0.0
route 172.16.0.0 255.240.0.0

to route all traffic add the "redirect-gateway" instead of route commands
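
An added example, not part of any post in this thread and not MikroTik or OpenVPN code: a small Python check that reads the options a client received in PUSH_REPLY (or the route lines from its config) and reports whether all traffic, or only the listed networks, will go through the tunnel. It covers both the two-halves workaround (0.0.0.0/1 and 128.0.0.0/1) mentioned earlier in the thread and the per-network route lines above. The function names are hypothetical, the sample log line is constructed from the one quoted in the first post, and only dotted netmasks are handled.

```python
import ipaddress
import re

# Constructed input: the PUSH_REPLY line from the first post, joined onto one
# line; the closing quote is assumed (the quoted log is cut off before it).
SAMPLE_LOG = (
    "Sun Aug 16 19:31:17 2009 PUSH: Received control message: "
    "'PUSH_REPLY,dhcp-option DNS 10.1.2.1,route-gateway 10.1.2.76,"
    "ifconfig 10.1.2.75 255.255.255.0'"
)
PUSH_RE = re.compile(r"PUSH: Received control message: '?PUSH_REPLY,([^']*)")


def parse_options(items):
    """Map option name -> list of argument lists, e.g. from config lines."""
    options = {}
    for item in items:
        words = item.split()
        if words:
            options.setdefault(words[0], []).append(words[1:])
    return options


def parse_push_reply(log_line):
    """Options pushed by the server in one client log line, or None."""
    match = PUSH_RE.search(log_line)
    return parse_options(match.group(1).split(",")) if match else None


def tunnel_report(options):
    """Work out which destinations the client will send into the tunnel."""
    gw_args = options.get("route-gateway") or [[]]
    nets = []
    for args in options.get("route", []):
        if args:  # a route with no netmask argument is treated as a host route
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))
    # 0.0.0.0/1 plus 128.0.0.0/1 collapse to 0.0.0.0/0: a default route in two halves.
    covers_all = ipaddress.ip_network("0.0.0.0/0") in ipaddress.collapse_addresses(nets)
    return {
        "gateway": gw_args[0][0] if gw_args[0] else None,
        "routes": nets,
        "full_tunnel": "redirect-gateway" in options or covers_all,
    }


def via_tunnel(report, destination):
    """True if traffic to destination is routed through the VPN."""
    addr = ipaddress.ip_address(destination)
    return report["full_tunnel"] or any(addr in net for net in report["routes"])
```

Run against the sample line, the report shows a route-gateway of 10.1.2.76 but no full tunnel, which matches what the first post describes: the gateway is announced, yet nothing tells the client to send its default traffic there.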
 
jasejames
Frequent Visitor
Topic Author
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

Re: OpenVPN implementation vs default gateway

Wed Aug 19, 2009 10:55 am

Thanks very much for the time you have spent in answering this post, it is very much appreciated.

Two interesting points (well, interesting to me anyway!) are that you can specify an address rather than a pool for the local address (makes perfect sense, missed it on the CLI, d'oh), and that the redirect-gateway option can be issued at the client end, which I was unaware of.

If this works the way it looks from the configuration this would seem to answer my query completely, which is brilliant.

Thanks again. Would probably be a good idea to update the Wiki -- unless you want to do it, I'll give it a shot when I've had chance to play.

I have a specific site in mind for this one -- a proper appliance (RB1000 most likely) running OVPN in bridge mode is something we could have done with for a while, and it'll allow me to retire a Linux box we have on-site at the same time.
 
splitechwi
just joined
Posts: 2
Joined: Tue Jan 26, 2010 12:16 am

Re: OpenVPN implementation vs default gateway

Wed Mar 17, 2010 1:52 am

I have similar issues. The OpenVPN tunnel is connected, I can ping the default gateway 10.248.167.1 and the add default route is checked; however, it adds it to IP>routes but shows up in blue as 0.0.0.0/0 10.248.167.1 and does not work. I need to push all traffic through the OpenVPN connection.
 
sabuesognu
just joined
Posts: 1
Joined: Sat Apr 23, 2011 12:50 am

Re: OpenVPN implementation vs default gateway

Sat Apr 23, 2011 12:52 am

You have to define the route-gateway value in PPP -> Local Address!
