Netgate Discussion Forum

    INFO: OpenVPN between TP-LINK TL-WR1043ND (Client) and pfSense 2.0.1 (Server)

      gridrun

      That's what I was thinking :)

      Hmm not sure about how useful such a drop-down box will be. You can always include any directive you want in the custom config section…

      Tech stuff on my blog: http://niston.wordpress.com

        robi

        How did you manage to reach from behind the pfSense server, the net behind DD-WRT?
        It works fine the other way (from client to server), but I can't seem to be able to see the network behind the client from the server side.

        I correctly filled in the field named "Remote Network", I even added the route manually, it doesn't work. Doing a packet capture I get

        18:55:47.788623 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 0, length 64
        18:55:48.799097 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 1, length 64
        18:55:49.809135 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 2, length 64
        18:55:50.819116 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 3, length 64
        18:55:51.829126 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 4, length 64
        18:55:52.839152 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 5, length 64
        18:55:53.849249 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 6, length 64
        18:55:54.859172 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 7, length 64
        18:55:55.869187 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 8, length 64
        
        

        So I guess on pfSense things are fine.

        Doing a tcpdump on the tap0 interface on DD-WRT side brings up nothing at the same time, so I can't understand what's happening.

        I have these added on DD-WRT client, do I need anything more, to see the client subnet from server side?

        iptables -A FORWARD -i tun0 -j ACCEPT
        iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
        
        iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
        

          gridrun

          @robi:

          How did you manage to reach from behind the pfSense server, the net behind DD-WRT?

          I didn't, as I have no need to.

          This comes to mind: Can you ping the dd-wrt VPN IP? Have you disabled NAT on the dd-wrt? You don't want to NAT the subnet behind the dd-wrt.

          Get rid of this line:

          iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
          

          And set the dd-wrt to operate in Router mode instead of Gateway: That's under Setup|Advanced Networking, IIRC

          Tech stuff on my blog: http://niston.wordpress.com

            robi

            Indeed I don't want NAT in regards to the tunnel, but I still need NAT there as internet traffic would go locally.

            I can ping the DD-WRT leg of the tunnel, if I add this:

            iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
            

            I'll change the mode, and see how things advance.

              robi

              @gridrun:

              And set the dd-wrt to operate in Router mode instead of Gateway: That's under Setup|Advanced Networking, IIRC

              If I set dd-wrt to operate in Router mode instead of Gateway, I lose internet connection on LAN clients behind dd-wrt! As it seems router mode disables NAT.  :-[

              What I need:

              • have the dd-wrt box act as an OpenVPN client
              • the network behind dd-wrt have internet access through the local WAN, as usually NATted
              • the network behind dd-wrt have access to the network behind pfSense through OpenVPN routed
              • network behind pfSense have access to the network behind dd-wrt also routed

              Can't seem to make it work.

                gridrun

                So what you need is NAT for the clients behind the dd-wrt to reach the interwebz, but you don't want NAT on the openvpn tunnel.

                Do you still have this line?

                iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
                

                It masqs everything going out the openvpn tunnel, which is not what you want. You could try replacing the "tun0" with the wan interface.

                Tech stuff on my blog: http://niston.wordpress.com
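
Added example, not part of the original posts: a shell check for the point made in the reply above, that source NAT belongs on the WAN interface and not on tun0. It reads a POSTROUTING rule listing and prints every MASQUERADE/SNAT rule that would also catch traffic leaving through the tunnel, going slightly beyond the thread by covering rules with no `-o`, a negated `-o`, or a `+` wildcard. The function name `nat_on_tunnel`, the WAN interface name `vlan2` and the sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list POSTROUTING rules that would source-NAT traffic leaving
# through the VPN tunnel. Input is a rule listing in `iptables -t nat -S` /
# iptables-save format on stdin; $1 is the tunnel interface (tun0 in the thread).
nat_on_tunnel() {
    awk -v tun="$1" '
    # iptables treats a trailing "+" in an interface name as a prefix wildcard.
    function covers(pat, ifc,    n) {
        if (pat ~ /\+$/) {
            n = length(pat) - 1
            return substr(ifc, 1, n) == substr(pat, 1, n)
        }
        return pat == ifc
    }
    $1 != "-A" || $2 != "POSTROUTING" { next }   # skip policies and other chains
    {
        target = ""; oif = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-o") { oif = $(i + 1); neg = ($(i - 1) == "!") }
        }
        if (target != "MASQUERADE" && target != "SNAT") next
        # The rule catches tunnel traffic if it names no output interface,
        # names the tunnel, or negates an interface other than the tunnel.
        if (oif == "" || covers(oif, tun) != neg) { print; bad++ }
    }
    END { exit (bad > 0) }
    '
}

# Constructed rule sets; vlan2 as the WAN interface name is an assumption.
RULES_BEFORE='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE'
RULES_AFTER='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE'

printf '%s\n' "$RULES_BEFORE" | nat_on_tunnel tun0 || echo "^ still NATs tun0 traffic"
printf '%s\n' "$RULES_AFTER" | nat_on_tunnel tun0 && echo "tun0 traffic leaves un-NATed"
```

The function returns non-zero when at least one offending rule is found, so it can gate a startup script that adds the site-to-site routes.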

                  robi

                  I deleted that naturally. Still not going.

                  I'm considering a TAP solution at the moment, it would require simpler routing as the vpn interface on the DD-WRT box would have directly an IP address from pfSense's pool.

                    radrmr

                    @robi:

                    @gridrun:

                    What I need:

                    • have the dd-wrt box act as an OpenVPN client
                    • the network behind dd-wrt have internet access through the local WAN, as usually NATted
                    • the network behind dd-wrt have access to the network behind pfSense through OpenVPN routed
                    • network behind pfSense have access to the network behind dd-wrt also routed

                    Robi, I am looking for this same functionality. Did you ever get yours working? What was the issue?

                      petermp

                      @robi:

                      If I set dd-wrt to operate in Router mode instead of Gateway, I lose internet connection on LAN clients behind dd-wrt! As it seems router mode disables NAT.  :-[

                      What I need:

                      • have the dd-wrt box act as an OpenVPN client
                      • the network behind dd-wrt have internet access through the local WAN, as usually NATted
                      • the network behind dd-wrt have access to the network behind pfSense through OpenVPN routed
                      • network behind pfSense have access to the network behind dd-wrt also routed

                      Can't seem to make it work.

                      Hi, anyone got this working? I did pretty much research, tried MULTIPLE solutions and nothing worked ….

                      I can easily ping the network behind the pfsense box, but I never managed to get the pfsense network to ping the network behind dd-wrt..

                      Anyone have some howto to share?

                        dhatz

                        It would be most interesting if gridrun would do a followup post about how this particular pfsense/ddwrt OpenVPN setup has worked for him over the past few months in terms of stability and throughput, but apparently he hasn't logged back again in this forum since April …

                          petermp

                          Issue is with the DD-wrt NAT, but DD-wrt forum is not the friendliest place on earth :-) So I was wondering if anyone here can give a helping hand with DD-WRT nat….

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.