Netgate Discussion Forum
    INFO: OpenVPN between TP-LINK TL-WR1043ND (Client) and pfSense 2.0.1 (Server)

    16 Posts 5 Posters 17.8k Views
    robi:

      How did you manage to reach from behind the pfSense server, the net behind DD-WRT?
      It works fine the other way (from client to server), but I can't seem to be able to see the network behind the client from the server side.

      I correctly filled in the field named "Remote Network", I even added the route manually, it doesn't work. Doing a packet capture I get

      18:55:47.788623 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 0, length 64
      18:55:48.799097 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 1, length 64
      18:55:49.809135 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 2, length 64
      18:55:50.819116 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 3, length 64
      18:55:51.829126 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 4, length 64
      18:55:52.839152 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 5, length 64
      18:55:53.849249 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 6, length 64
      18:55:54.859172 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 7, length 64
      18:55:55.869187 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 8, length 64

      So I guess on pfSense things are fine.

      Doing a tcpdump on the tap0 interface on DD-WRT side brings up nothing in the same time, so I can't understand what's happening.

      I have these added on DD-WRT client, do I need anything more, to see the client subnet from server side?

      iptables -A FORWARD -i tun0 -j ACCEPT
      iptables -A FORWARD -i br0 -o tun0 -j ACCEPT

      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

      gridrun:

        @robi:

        How did you manage to reach from behind the pfSense server, the net behind DD-WRT?

        I didn't, as I have no need to.

        This comes to mind: Can you ping the dd-wrt VPN IP? Have you disabled NAT on the dd-wrt? You don't want to NAT the subnet behind the dd-wrt.

        Get rid of this line:

        iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

        And set the dd-wrt to operate in Router mode instead of Gateway: That's under Setup|Advanced Networking, IIRC

        Tech stuff on my blog: http://niston.wordpress.com

        robi:

          Indeed I don't want NAT in regards to the tunnel, but I still need NAT there as internet traffic would go locally.

          I can ping the DD-WRT leg of the tunnel, if I add this:

          iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT

          I'll change the mode, and see how things advance.

          robi:

            @gridrun:

            And set the dd-wrt to operate in Router mode instead of Gateway: That's under Setup|Advanced Networking, IIRC

            If I set dd-wrt to operate in Router mode instead of Gateway, I lose internet connection on LAN clients behind dd-wrt! As it seems router mode disables NAT.  :-[

            What I need:

            • have the dd-wrt box act as an OpenVPN client
            • the network behind dd-wrt have internet access through the local WAN, as usually NATted
            • the network behind dd-wrt have access to the network behind pfSense through OpenVPN routed
            • network behind pfSense have access to the network behind dd-wrt also routed

            Can't seem to make it work.

            gridrun:

              So what you need is NAT for the clients behind the dd-wrt to reach the interwebz, but you don't want NAT on the openvpn tunnel.

              Do you still have this line?

              iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

              It masqs everything going out the openvpn tunnel, which is not what you want. You could try replacing the "tun0" with the wan interface.

              Tech stuff on my blog: http://niston.wordpress.com

                robi:
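As an added example (not code from this thread, nor from the DD-WRT or pfSense projects), here is the rule set gridrun's advice amounts to: masquerade only on the WAN interface, forward tunnel traffic in both directions without NAT, and allow ICMP to the tunnel leg as robi did. It also includes an audit function that scans an iptables-save dump for the MASQUERADE-on-tun0 rule that breaks reachability from the pfSense side. The WAN interface name vlan2, the LAN interface br0 and the two subnets (taken from the capture above, with 192.168.77.0/24 assumed to be the net behind dd-wrt) are assumptions; override them with environment variables.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and subnets are assumptions.
WAN_IF="${WAN_IF:-vlan2}"                    # assumed DD-WRT WAN interface
LAN_IF="${LAN_IF:-br0}"                      # DD-WRT LAN bridge (from robi's rules)
TUN_IF="${TUN_IF:-tun0}"                     # OpenVPN client interface
LAN_NET="${LAN_NET:-192.168.77.0/24}"        # assumed net behind dd-wrt
REMOTE_NET="${REMOTE_NET:-172.22.227.0/24}"  # assumed net behind pfSense

# Print the DD-WRT side rules in iptables-restore format.
# NAT is applied only to traffic leaving the WAN; tunnel traffic is plainly routed,
# and the FORWARD rules are pinned to the two subnets so nothing else rides the tunnel.
ddwrt_vpn_rules() {
cat <<EOF
*nat
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
-A INPUT -i ${TUN_IF} -p icmp -j ACCEPT
-A FORWARD -i ${TUN_IF} -o ${LAN_IF} -s ${REMOTE_NET} -d ${LAN_NET} -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${TUN_IF} -s ${LAN_NET} -d ${REMOTE_NET} -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin: print every nat POSTROUTING rule
# that masquerades or SNATs traffic leaving the tunnel interface.
# Returns 0 when the dump is clean, 1 when such a rule exists.
audit_tunnel_nat() {
    found=$(awk -v tun="$TUN_IF" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /POSTROUTING/ && (/MASQUERADE/ || /SNAT/) {
            for (i = 1; i <= NF; i++) if ($i == "-o" && $(i+1) == tun) print
        }')
    [ -z "$found" ] && return 0
    printf 'NAT applied to tunnel interface %s:\n%s\n' "$TUN_IF" "$found"
    return 1
}

# Stand-alone use:  ./script.sh print            -> emit the rule set
#                   iptables-save | ./script.sh audit  -> check a live ruleset
case "${1:-}" in
    print) ddwrt_vpn_rules ;;
    audit) audit_tunnel_nat ;;
esac
```

On DD-WRT these rules would normally live in the firewall startup script rather than be loaded with iptables-restore; the audit half is the useful part when a box "still isn't going", since it shows at a glance whether a leftover tun0 masquerade is rewriting the source address of replies before they reach the tunnel.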

                I deleted that naturally. Still not going.

                I'm considering a TAP solution at the moment, it would require simpler routing as the vpn interface on the DD-WRT box would have directly an IP address from pfSense's pool.

                  radrmr:

                  @robi:

                  @gridrun:

                  What I need:

                  • have the dd-wrt box act as an OpenVPN client
                  • the network behind dd-wrt have internet access through the local WAN, as usually NATted
                  • the network behind dd-wrt have access to the network behind pfSense through OpenVPN routed
                  • network behind pfSense have access to the network behind dd-wrt also routed

                  Robi, I am looking for this same functionality. Did you ever get yours working? What was the issue?

                    petermp:

                    @robi:

                    If I set dd-wrt to operate in Router mode instead of Gateway, I lose internet connection on LAN clients behind dd-wrt! As it seems router mode disables NAT.  :-[

                    What I need:

                    • have the dd-wrt box act as an OpenVPN client
                    • the network behind dd-wrt have internet access through the local WAN, as usually NATted
                    • the network behind dd-wrt have access to the network behind pfSense through OpenVPN routed
                    • network behind pfSense have access to the network behind dd-wrt also routed

                    Can't seem to make it work.

                    Hi, anyone got this working? I did pretty much research, tried MULTIPLE solutions and nothing worked...

                    I can easily ping the network behind the pfSense box, but I never managed to get the pfSense network to ping the network behind dd-wrt.

                    Anyone have some howto to share ?

                      dhatz:

                      It would be most interesting if gridrun would do a followup post about how this particular pfsense/ddwrt OpenVPN setup has worked for him over the past few months in terms of stability and throughput, but apparently he hasn't logged back again in this forum since April …

                        petermp:

                        Issue is with the DD-WRT NAT, but the DD-WRT forum is not the friendliest place on earth :-) So I was wondering if anyone here can give a helping hand with DD-WRT NAT...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.