OpenVPN tunnel between OpenWrt and pfSense
-
Hi,
I have established a tunnel between a TP-LINK WR1043ND and a pfSense (2.0.3) VM, and it works fine:

192.168.4.0/24 <--> WR1043 <-- 192.168.29.4/30 --> pfSense <-- 10.1.3.0/24 -->
                      |                              |
                     WAN                            WAN

all packets from 192.168.4.0/24 to 10.1.3.0/24 go through the tunnel
all packets from 192.168.4.0/24 to the internet go out via the WAN interface of the WR1043
pfSense is connected to the internet
all packets from 10.1.3.0/24 to the internet go through the pfSense WAN interface (NATted)

openvpn config on WR1043 :
more /etc/openvpn/client.cfg

dev tun0
dev-type tun
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
nobind
# pfSense WAN address and server port
remote xxx.xxx.xxx.xxx 1195
# point-to-point tunnel addresses: local 192.168.29.6, remote 192.168.29.5
ifconfig 192.168.29.6 192.168.29.5
# route the pfSense LAN through the tunnel
route 10.1.3.0 255.255.255.0
# static (shared) key, matching the pfSense peer-to-peer server
secret /etc/openvpn/client.key
verb 4
status /var/log/openvpn-client.log

more /etc/firewall.user
# Allow OpenVPN forwarding
iptables -A forwarding_rule -i tun+ -o br-lan -j ACCEPT
iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT
iptables -A input_rule -i tun+ -j ACCEPT
iptables -A output_rule -o tun+ -j ACCEPT

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         yy.yy.yy.yy     0.0.0.0         UG    0   0      0    eth0.2
yy.yy.yy.yy     0.0.0.0         255.255.255.0   U     0   0      0    eth0.2
10.1.3.0        192.168.29.5    255.255.255.0   UG    0   0      0    tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0   0      0    br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH    0   0      0    tun0

OpenVPN server side (pfSense 2.0.3)
peer to peer (shared key)
protocol UDP
device mode TUN
interface WAN
port 1195
tunnel network : 192.168.29.4/30
local network : 10.1.3.0/24
remote network : 192.168.4.0/24
NAT outbound : mode automatic outbound
Now my need is to route all traffic through the VPN tunnel:
I'd like to force all packets from 192.168.4.0 to go through the tunnel and reach the internet via pfSense.
As a first step, I chose to limit the destination subnets. For example, to reach aaa.aaa.aaa.aaa I added in client.cfg :
route aaa.aaa.aaa.aaa 255.255.255.0
I can ping aaa.aaa.aaa.aaa from the WR1043 (logged in via SSH)
but I can't ping it from inside the LAN subnet 192.168.4.0.
I don't know where the issue is: pfSense NAT? openvpn config? iptables config on OpenWrt?
Could someone help me to resolve my problem?
Thanks a lot
Claude
-
edit /etc/openvpn/client.cfg (should it be /etc/config/openvpn ?)
anyway..
add line 'redirect-gateway def1'
it can't be added via LuCI -> use the CLI
restart openvpn service.. or reboot
br.
.k
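What `redirect-gateway def1` does on the client is add two /1 routes (0.0.0.0/1 and 128.0.0.0/1) through the tunnel, which beat the existing /0 default by longest-prefix match without deleting it, plus a host route to the VPN server's public address via the physical gateway so the tunnel's own UDP packets are not sent back into the tunnel. The script below is an added example, not from the thread: it audits a `netstat -rn` snapshot from the OpenWrt side for exactly that pattern. It assumes the tunnel device is tun0, the physical WAN device is eth0.2, and the server's public address is the constructed placeholder 203.0.113.10 (the thread masks it as XX.XX.XX.XX); the two tables are constructed samples modelled on the thread's addresses.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Linux routing table
# snapshot as "full" (redirect-gateway def1 in effect), "split" (only
# specific subnets routed via tun0) or "broken" (def1 routes present but
# no host route to the VPN server via the physical gateway).
#
# Assumptions: tunnel device tun0, WAN device eth0.2, VPN server public
# address 203.0.113.10 (constructed placeholder).

# Constructed sample: table after redirect-gateway def1 has been applied.
SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.29.5    128.0.0.0       UG    0 0 0 tun0
0.0.0.0         10.0.44.252     0.0.0.0         UG    0 0 0 eth0.2
10.0.44.0       0.0.0.0         255.255.255.0   U     0 0 0 eth0.2
203.0.113.10    10.0.44.252     255.255.255.255 UGH   0 0 0 eth0.2
128.0.0.0       192.168.29.5    128.0.0.0       UG    0 0 0 tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0 0 0 br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH    0 0 0 tun0'

# Constructed sample: table before, with only the remote LAN routed via tun0.
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.0.44.252     0.0.0.0         UG    0 0 0 eth0.2
10.0.44.0       0.0.0.0         255.255.255.0   U     0 0 0 eth0.2
10.1.3.0        192.168.29.5    255.255.255.0   UG    0 0 0 tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0 0 0 br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH    0 0 0 tun0'

# has_route TABLE DEST GENMASK IFACE -> exit 0 if a matching row exists.
# Columns of `netstat -rn`: Destination Gateway Genmask Flags MSS Window irtt Iface
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" -v i="$4" \
        '$1 == d && $3 == m && $8 == i { found = 1 } END { exit !found }'
}

# full_tunnel_state TABLE SERVER_IP -> prints full | split | broken
full_tunnel_state() {
    table=$1
    server=$2
    if has_route "$table" 0.0.0.0 128.0.0.0 tun0 &&
       has_route "$table" 128.0.0.0 128.0.0.0 tun0; then
        # Both /1 halves go through the tunnel; the server itself must still
        # be reachable via the physical gateway, otherwise the tunnel loops.
        if has_route "$table" "$server" 255.255.255.255 eth0.2; then
            echo full
        else
            echo broken
        fi
    else
        echo split
    fi
}

# Stand-alone usage: prints "full" for the first table and "split" for the second.
full_tunnel_state "$SAMPLE_AFTER" 203.0.113.10
full_tunnel_state "$SAMPLE_BEFORE" 203.0.113.10
```

A "full" verdict only says that the client now pushes all LAN traffic into the tunnel; it says nothing about whether pfSense can route and NAT that traffic back, which is where this thread's fault actually turned out to be.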
-
Thanks for your help,
I modified the client side /etc/openvpn/client.cfg and rebooted.
Now from my OpenWrt router I can ping and everything is reachable,
but from my laptop it doesn't work. Routes are OK but I can't ping the tunnel network address 192.168.29.5 (server side).

Routes on the TP-Link:

Before
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.0.44.252     0.0.0.0         UG    0   0      0    eth0.2
10.0.44.0       0.0.0.0         255.255.255.0   U     0   0      0    eth0.2
10.1.3.0        192.168.29.5    255.255.255.0   UG    0   0      0    tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0   0      0    br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH    0   0      0    tun0

After
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.29.5    128.0.0.0       UG    0   0      0    tun0
0.0.0.0         10.0.44.252     0.0.0.0         UG    0   0      0    eth0.2
10.0.44.0       0.0.0.0         255.255.255.0   U     0   0      0    eth0.2
XX.XX.XX.XX     10.0.44.252     255.255.255.255 UGH   0   0      0    eth0.2
128.0.0.0       192.168.29.5    128.0.0.0       UG    0   0      0    tun0
192.168.4.0     0.0.0.0         255.255.255.0   U     0   0      0    br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH    0   0      0    tun0
-
it's solved
the problem came from the NAT rules on the pfSense server
I had to enable manual NAT and add a mapping between the remote LAN and the NATted IP (pfSense WAN interface)
hope it helps
now time to quit and go to the pub (in France)
-
Hi, good to hear you got it working... I was struggling with the same thing a couple of months ago....
- I think your problem was in routes (if OpenWrt didn't route your request back from pfSense when pinging from behind OpenWrt to pfSense)
- did you set the remote LAN 192.168.4/24 (openvpn settings "route 192.168.4/24")? what does the pfSense routing table show? does it know the 192.168.4/24 network?
- did you use peer-to-peer or remote access?
- Set pfSense "Manual outbound NAT" -> the WAN interface NATs all outbound traffic to its public interface IP. (that's the way I always do it: 1 NAT in the network, everything else is fully routed between routers..)
- Make sure DNS requests also go through the tunnel (DNS queries coming from OpenWrt / OpenWrt-connected networks (LAN)..)
- If you use your own DNS resolver (at the pfSense endpoint) you need to set OpenWrt to allow DNS queries coming from the private network (from pfSense).
br.
.k
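The two conditions that .k's checklist and Claude's final fix boil down to on the pfSense side are a route back to the remote LAN via the OpenVPN interface and an outbound NAT rule on WAN whose source covers that remote LAN (automatic outbound NAT only generates rules for pfSense's own local subnets, which is why 10.1.3.0/24 worked and 192.168.4.0/24 did not). The script below is an added example, not from the thread or from pfSense itself: it reads text snapshots of FreeBSD `netstat -rn` and `pfctl -sn` output and reports which of the two conditions is missing. It assumes the WAN interface is em0, the OpenVPN server interface is ovpns1 and the WAN address is the constructed placeholder 203.0.113.10; all three snapshots are constructed samples in the format those commands print.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from pfSense text snapshots,
# whether traffic from a remote LAN arriving over the tunnel has both a
# return route and an outbound NAT mapping on WAN.
#
# Assumptions: WAN is em0, OpenVPN server interface is ovpns1, WAN address
# is the constructed placeholder 203.0.113.10.

# Constructed `netstat -rn` excerpt (FreeBSD format), remote LAN known.
PF_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0      100    em0
10.1.3.0/24        link#2             U           0      500    em1
192.168.4.0/24     192.168.29.6       UGS         0       40 ovpns1
192.168.29.5       link#8             UHS         0        0    lo0
192.168.29.6       link#8             UH          0        0 ovpns1'

# Constructed `pfctl -sn` output with "automatic outbound NAT":
# only the local LAN is translated.
NAT_AUTOMATIC='nat on em0 inet from 10.1.3.0/24 to any -> 203.0.113.10 port 1024:65535'

# Constructed `pfctl -sn` output after switching to manual outbound NAT and
# adding a mapping for the remote LAN, as the thread's fix describes.
NAT_MANUAL='nat on em0 inet from 10.1.3.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.4.0/24 to any -> 203.0.113.10 port 1024:65535'

# knows_network ROUTES NET/PREFIX -> exit 0 if a route row for NET exists.
knows_network() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { found = 1 } END { exit !found }'
}

# nat_covers NATRULES WANIF SRC -> exit 0 if a "nat on WANIF ... from SRC"
# (or "from any") rule exists. Token layout of a pf nat rule:
#   nat on em0 inet from 10.1.3.0/24 to any -> 203.0.113.10 ...
#   $1  $2 $3  $4   $5   $6          $7 $8  $9 $10
nat_covers() {
    printf '%s\n' "$1" | awk -v i="$2" -v s="$3" \
        '$1 == "nat" && $2 == "on" && $3 == i && $5 == "from" &&
         ($6 == s || $6 == "any") { found = 1 }
         END { exit !found }'
}

# remote_lan_status ROUTES NATRULES WANIF NET -> prints ok | no-route | no-nat
remote_lan_status() {
    if ! knows_network "$1" "$4"; then
        echo no-route        # pfSense cannot send replies back into the tunnel
    elif ! nat_covers "$2" "$3" "$4"; then
        echo no-nat          # replies from the internet never come back to WAN
    else
        echo ok
    fi
}

# Stand-alone usage: prints "no-nat" then "ok".
remote_lan_status "$PF_ROUTES" "$NAT_AUTOMATIC" em0 192.168.4.0/24
remote_lan_status "$PF_ROUTES" "$NAT_MANUAL" em0 192.168.4.0/24
```

The source match is exact or "any"; a rule for a wider aggregate that happens to contain the remote LAN would be reported as missing, which errs on the side of flagging a configuration for review.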
-