Description
With DCO, --iroute routes need to be installed in the system routing table.
Without DCO, --iroute only works if there is a --route that is at least as big or bigger (shorter prefix) to make the traffic "go into the openvpn server", so many configs have an identical-sized --route in the .conf and --iroute in the ccd/ file ("192.168.7.0 255.255.255.0").
This will not work with DCO on FreeBSD (because you can not have 2 /24 routes in the routing table, and there is no preference mechanism to disambiguate) and it seems it also does not work on Windows (to be confirmed).
What will work is to split up the --iroute like this:
--route 192.168.7.0 255.255.255.0
--iroute 192.168.7.0 255.255.255.128
--iroute 192.168.7.128 255.255.255.128
(-> the system routing table will have 3 routes then, and the 2 "more specific" ones will win)
Suggestion: on affected platforms add code to check the --route table on --iroute parsing, if there is an identical match. If yes, issue a WARNING. If possible, we could also split the --iroute into 2x half sized iroutes - or we just suggest doing so in the WARNING message.
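A sketch of the check suggested above, added here as an illustration and not taken from the OpenVPN code base: it compares an --iroute against the --route list and, on an identical match, computes the two half-sized iroutes to name in the WARNING. The `net4` type and the `parse_net4` and `check_iroute` names are hypothetical; the code assumes IPv4 and contiguous netmasks, and reports a /32 as unsplittable.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type for this example; not an OpenVPN structure. Host byte order. */
struct net4 { uint32_t addr, mask; };

/* Parse "192.168.7.0" "255.255.255.0" into a net4; returns 0 on success. */
static int parse_net4(const char *addr, const char *mask, struct net4 *out)
{
    struct in_addr a, m;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    out->mask = ntohl(m.s_addr);
    out->addr = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* 1: iroute equals a --route, halves[] holds the two half-sized iroutes.
 * 0: no identical --route. -1: identical, but a /32 cannot be split.
 * Assumes contiguous netmasks. */
static int check_iroute(const struct net4 *routes, int n,
                        const struct net4 *ir, struct net4 halves[2])
{
    for (int i = 0; i < n; i++) {
        if (routes[i].addr != ir->addr || routes[i].mask != ir->mask)
            continue;
        if (ir->mask == 0xFFFFFFFFu)
            return -1;
        uint32_t half = (ir->mask >> 1) | 0x80000000u; /* one bit longer prefix */
        halves[0] = (struct net4){ ir->addr, half };
        halves[1] = (struct net4){ ir->addr | (half & ~ir->mask), half };
        return 1;
    }
    return 0;
}

int main(void)
{
    struct net4 route, ir, h[2];
    /* Constructed sample: the identical-sized pair from the description. */
    parse_net4("192.168.7.0", "255.255.255.0", &route);
    parse_net4("192.168.7.0", "255.255.255.0", &ir);
    if (check_iroute(&route, 1, &ir, h) == 1)
        printf("WARNING: --iroute equals a --route; split into %08x/%08x and %08x/%08x\n",
               (unsigned)h[0].addr, (unsigned)h[0].mask, (unsigned)h[1].addr, (unsigned)h[1].mask);
    return 0;
}
```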