Netgate Discussion Forum

    INFO: OpenVPN between TP-LINK TL-WR1043ND (Client) and pfSense 2.0.1 (Server)

    16 Posts 5 Posters 17.9k Views

      gridrun

      Apparently, the issue was resolved in DD-WRT. A patch has been committed by Sash!
      So once Brainslayer rebuilds the WR1043ND image, you'll be able to link its VPN client to pfSense without any sed hacks!  :D

      To support the SYS and QSS-for-OpenVPN LED functionality, you'll however still need something along those lines. My request for up/down script fields in the GUI got squashed :P

      Tech stuff on my blog: http://niston.wordpress.com

        dhatz

        Thanks for your follow-ups on this issue, it might save someone else lots of time!

        BTW, would there be any benefit in having pfSense offer a similar drop-down menu for configuring comp-lzo? (i.e. disabled, yes, no, adaptive)

          gridrun

          That's what I was thinking :)

          Hmm, not sure how useful such a drop-down box would be. You can always include any directive you want in the custom config section…

          Tech stuff on my blog: http://niston.wordpress.com

            robi

            How did you manage to reach the net behind DD-WRT from behind the pfSense server?
            It works fine the other way (from client to server), but I can't seem to see the network behind the client from the server side.

            I correctly filled in the field named "Remote Network" and even added the route manually; it doesn't work. Doing a packet capture, I get:

            18:55:47.788623 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 0, length 64
            18:55:48.799097 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 1, length 64
            18:55:49.809135 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 2, length 64
            18:55:50.819116 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 3, length 64
            18:55:51.829126 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 4, length 64
            18:55:52.839152 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 5, length 64
            18:55:53.849249 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 6, length 64
            18:55:54.859172 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 7, length 64
            18:55:55.869187 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 8, length 64

            So I guess on pfSense things are fine.

            Doing a tcpdump on the tap0 interface on the DD-WRT side brings up nothing at the same time, so I can't understand what's happening.

            I have these added on the DD-WRT client; do I need anything more to see the client subnet from the server side?

            iptables -A FORWARD -i tun0 -j ACCEPT
            iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
            
            iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
            

              gridrun

              @robi:

              How did you manage to reach from behind the pfSense server, the net behind DD-WRT?

              I didn't, as I have no need to.

              This comes to mind: Can you ping the DD-WRT VPN IP? Have you disabled NAT on the DD-WRT? You don't want to NAT the subnet behind the DD-WRT.

              Get rid of this line:

              iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
              

              And set the DD-WRT to operate in Router mode instead of Gateway: that's under Setup|Advanced Networking, IIRC.

              Tech stuff on my blog: http://niston.wordpress.com

                robi

                Indeed, I don't want NAT with regard to the tunnel, but I still need NAT there, as internet traffic goes out locally.

                I can ping the DD-WRT leg of the tunnel, if I add this:

                iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
                

                I'll change the mode, and see how things advance.

                  robi

                  @gridrun:

                  And set the dd-wrt to operate in Router mode instead of Gateway: That's under Setup|Advanced Networking, IIRC

                  If I set DD-WRT to operate in Router mode instead of Gateway, I lose the internet connection on LAN clients behind DD-WRT! It seems router mode disables NAT.  :-[

                  What I need:

                  • have the DD-WRT box act as an OpenVPN client
                  • the network behind DD-WRT has internet access through the local WAN, NATted as usual
                  • the network behind DD-WRT has access to the network behind pfSense through OpenVPN, routed
                  • the network behind pfSense has access to the network behind DD-WRT, also routed

                  Can't seem to make it work.

                    gridrun

                    So what you need is NAT for the clients behind the DD-WRT to reach the interwebz, but you don't want NAT on the OpenVPN tunnel.

                    Do you still have this line?

                    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
                    

                    It masquerades everything going out the OpenVPN tunnel, which is not what you want. You could try replacing "tun0" with the WAN interface.

                    Tech stuff on my blog: http://niston.wordpress.com

                      robi
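The two things the thread keeps circling, the pfSense-side route and the DD-WRT-side NAT, can be checked mechanically. The script below is an added example, not code from this thread, from pfSense or from DD-WRT; its server config, client-config-dir entries and iptables rule sets are constructed to mirror robi's posted rules and gridrun's suggestion of masquerading only on the WAN interface. The tunnel network 10.0.8.0/24 and the WAN interface name vlan2 are assumptions (on DD-WRT, `nvram get wan_ifname` shows the real one). On the server side it applies a general OpenVPN rule: once the `server` directive (or `mode server`) puts OpenVPN in multi-client mode, a kernel `route` to a network behind a client, which is what pfSense's "Remote Network" field adds, only delivers the packet to the OpenVPN process; the process still needs an `iroute` for that client, in pfSense a Client Specific Override for the client's common name, to know which tunnel the network sits behind, and without one it drops the packet even though a capture on the server's tunnel interface shows the echo requests leaving. On the client side it flags MASQUERADE rules whose out-interface is the tunnel and reports whether FORWARD accepts traffic in both directions between tunnel and LAN bridge.

```python
"""Constructed checks for a routed (tun) OpenVPN site-to-site link between a
pfSense server and a DD-WRT client.  Added example; all inputs are made up."""
import shlex
from typing import Dict, List, Tuple

Net = Tuple[str, str]  # (network, netmask) as written in OpenVPN directives

# ---- constructed sample inputs (not taken from the thread) -------------------
# pfSense-style server config: 'server' puts OpenVPN in multi-client mode and
# the 'route' line is what the "Remote Network" field adds.  10.0.8.0/24 assumed.
SERVER_CONF = """
dev tun
server 10.0.8.0 255.255.255.0
route 192.168.77.0 255.255.255.0   # LAN behind the DD-WRT client
"""

# client-config-dir entries keyed by client common name (pfSense: Client
# Specific Overrides).  The first lacks the iroute, the second has it.
CCD_WITHOUT_IROUTE: Dict[str, str] = {"ddwrt-site": ""}
CCD_WITH_IROUTE: Dict[str, str] = {"ddwrt-site": "iroute 192.168.77.0 255.255.255.0\n"}

# DD-WRT firewall rules as posted: the last line masquerades into the tunnel.
DDWRT_RULES_BAD = """
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
"""
# Corrected set: NAT only towards the WAN interface (vlan2 is an assumption;
# 'nvram get wan_ifname' shows the real name); tunnel traffic is plainly routed.
DDWRT_RULES_GOOD = """
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o vlan2 -j MASQUERADE
"""


def _directive_lines(conf: str) -> List[List[str]]:
    """Split an OpenVPN config into token lists, dropping comments and blanks."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def _nets(conf: str, name: str) -> List[Net]:
    """All (network, netmask) pairs given to directive `name` (route, iroute)."""
    return [(t[1], t[2]) for t in _directive_lines(conf) if t[0] == name and len(t) >= 3]


def is_multi_client(server_conf: str) -> bool:
    """'server', 'server-bridge' or 'mode server': one OpenVPN process serving
    many clients, so client-side networks must be claimed with 'iroute'."""
    lines = _directive_lines(server_conf)
    return any(t[0] in ("server", "server-bridge") or t[:2] == ["mode", "server"] for t in lines)


def missing_iroutes(server_conf: str, ccd: Dict[str, str]) -> List[Net]:
    """Routes to client-side networks that no client-config-dir entry claims.
    In point-to-point mode (e.g. a 'secret' static key) 'route' alone suffices."""
    if not is_multi_client(server_conf):
        return []
    claimed = {net for body in ccd.values() for net in _nets(body, "iroute")}
    return [net for net in _nets(server_conf, "route") if net not in claimed]


def _iptables_args(rules: str) -> List[List[str]]:
    return [shlex.split(line) for line in rules.splitlines() if line.strip().startswith("iptables")]


def _opt(args: List[str], flag: str):
    """Value following a single-value iptables flag, or None if absent."""
    return args[args.index(flag) + 1] if flag in args else None


def nat_over_tunnel(rules: str, tunnel_prefixes=("tun", "tap")) -> List[str]:
    """MASQUERADE/SNAT rules whose out-interface is a VPN interface.  They rewrite
    every LAN source to the tunnel address, so the far side sees a single host
    and can never route back to the LAN behind the client."""
    hits = []
    for args in _iptables_args(rules):
        if _opt(args, "-t") == "nat" and _opt(args, "-j") in ("MASQUERADE", "SNAT"):
            oif = _opt(args, "-o") or ""
            if oif.startswith(tunnel_prefixes):
                hits.append(" ".join(args))
    return hits


def forward_gaps(rules: str, vpn: str = "tun0", lan: str = "br0") -> List[Net]:
    """Directions (in_if, out_if) between tunnel and LAN with no ACCEPT in FORWARD.
    A rule that omits -o (or -i) matches any interface on that side."""
    need = {(vpn, lan), (lan, vpn)}
    for args in _iptables_args(rules):
        if "FORWARD" not in args or _opt(args, "-j") != "ACCEPT":
            continue
        iif, oif = _opt(args, "-i"), _opt(args, "-o")
        for pair in list(need):
            if iif in (None, pair[0]) and oif in (None, pair[1]):
                need.discard(pair)
    return sorted(need)


if __name__ == "__main__":
    print("routes lacking an iroute:", missing_iroutes(SERVER_CONF, CCD_WITHOUT_IROUTE))
    print("NAT into the tunnel:", nat_over_tunnel(DDWRT_RULES_BAD))
    print("FORWARD gaps in corrected set:", forward_gaps(DDWRT_RULES_GOOD))
```

Run as-is it reports on the constructed inputs; on a real setup, feed `missing_iroutes` the generated server config and the CSO/ccd contents, and `nat_over_tunnel` and `forward_gaps` the DD-WRT firewall script. A clean result from all three is what a practitioner would want to see before reaching for a TAP bridge.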

                      I deleted that, naturally. Still not going.

                      I'm considering a TAP solution at the moment; it would require simpler routing, as the VPN interface on the DD-WRT box would directly have an IP address from pfSense's pool.

                        radrmr

                        @robi:

                        What I need:

                        • have the DD-WRT box act as an OpenVPN client
                        • the network behind DD-WRT has internet access through the local WAN, NATted as usual
                        • the network behind DD-WRT has access to the network behind pfSense through OpenVPN, routed
                        • the network behind pfSense has access to the network behind DD-WRT, also routed

                        Robi, I am looking for this same functionality. Did you ever get yours working? What was the issue?

                          petermp

                          @robi:

                          If I set DD-WRT to operate in Router mode instead of Gateway, I lose the internet connection on LAN clients behind DD-WRT! It seems router mode disables NAT.  :-[

                          What I need:

                          • have the DD-WRT box act as an OpenVPN client
                          • the network behind DD-WRT has internet access through the local WAN, NATted as usual
                          • the network behind DD-WRT has access to the network behind pfSense through OpenVPN, routed
                          • the network behind pfSense has access to the network behind DD-WRT, also routed

                          Can't seem to make it work.

                          Hi, anyone got this working? I did pretty much research, tried MULTIPLE solutions, and nothing worked…

                          I can easily ping the network behind the pfSense box, but I never managed to get the pfSense network to ping the network behind DD-WRT.

                          Anyone have a how-to to share?

                            dhatz

                            It would be most interesting if gridrun would do a follow-up post about how this particular pfSense/DD-WRT OpenVPN setup has worked for him over the past few months in terms of stability and throughput, but apparently he hasn't logged back into this forum since April…

                              petermp

                              The issue is with the DD-WRT NAT, but the DD-WRT forum is not the friendliest place on earth :-) So I was wondering if anyone here can give a helping hand with DD-WRT NAT…

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.