Netgate Discussion Forum

Openvpn tunnel between openwrt and pfsense

OpenVPN forum, 5 posts, 2 posters, 9.1k views
    cgu29
    last edited by May 2, 2013, 2:09 PM

    Hi,

    I have established a tunnel between a TP-LINK WR1043ND and a PFsense (2.0.3) VM and it works fine

    192.168.4.0/24 <--> WR1043 <-- 192.168.29.4/30 --> PFsense <-- 10.1.3.0/24 -->
                          |                               |
                         WAN                             WAN

    all packets from 192.168.4.0/24 to 10.1.3.0/24 go through the tunnel
    all packets from 192.68.4.0/24 to the internet go to the internet via the WAN interface of the WR1043
    PFsense is connected to the internet
    all packets from 10.1.3.0/24 to the internet go through the pfsense WAN interface (NATted)

    OpenVPN config on the WR1043:

    more /etc/openvpn/client.cfg

    dev tun0
    dev-type tun
    writepid /var/run/openvpn_client1.pid
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    nobind
    remote xxx.xxx.xxx.xxx 1195
    ifconfig 192.168.29.6 192.168.29.5
    route 10.1.3.0 255.255.255.0
    secret /etc/openvpn/client.key
    verb 4
    status /var/log/openvpn-client.log

    more /etc/firewall.user

    # Allow OpenVPN forwarding

    iptables -A forwarding_rule -i tun+ -o br-lan -j ACCEPT
    iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT

    iptables -A input_rule -i tun+ -j ACCEPT
    iptables -A output_rule -o tun+ -j ACCEPT

    netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    0.0.0.0         yy.yy.yy.yy     0.0.0.0         UG      0 0          0 eth0.2
    yy.yy.yy.yy     0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
    10.1.3.0        192.168.29.5    255.255.255.0   UG      0 0          0 tun0
    192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
    192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0

    OPENVPN Server Side (PFsense 2.0.3)

    peer to peer (shared key)
    protocol UDP
    device mode TUN
    interface WAN
    port 1195
    tunnel network : 192.168.29.4/30
    local network : 10.1.3.0/24
    remote network : 192.168.4.0/24

    NAT outbound : mode automatic outbound

    now my need is to route all traffic through the VPN tunnel:

    I'd like to force all packets from 192.168.4.0 to go through the tunnel and reach the internet via PFsense.
    As a first step, I chose to limit the destination subnets. For example, to reach aaa.aaa.aaa.aaa I added in client.cfg:
    route aaa.aaa.aaa.aaa 255.255.255.0

    I can ping aaa.aaa.aaa.aaa from the WR1043 (logged in via SSH)
    but I can't ping from inside the LAN subnet 192.168.4.0

    I don't know where the issue is: pfsense NAT? openvpn config? iptables config on openwrt?

    could someone help me to resolve my problem?

    Thanks a lot

    Claude

      keysers0ze
      last edited by May 16, 2013, 3:40 PM

      edit /etc/openvpn/client.cfg (should it be /etc/config/openvpn?)

      anyway..

      add the line 'redirect-gateway def1'

      it can't be added via LuCI -> use the CLI
      restart the openvpn service.. or reboot

      br.
      .k

        cgu29
        last edited by May 17, 2013, 12:42 PM

        Thanks for your help,

        I modified the client side /etc/openvpn/client.cfg and rebooted
        now from my openwrt router I can ping and all is reachable
        but from my laptop it doesn't work. Routes are OK but I can't ping the tunnel network address 192.168.29.5 (server side)

        routes on the tp-link:
        Before

        netstat -rn

        Kernel IP routing table
        Destination     Gateway         Genmask         Flags MSS Window irtt Iface
        0.0.0.0         10.0.44.252     0.0.0.0         UG      0 0          0 eth0.2
        10.0.44.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
        10.1.3.0        192.168.29.5    255.255.255.0   UG      0 0          0 tun0
        192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
        192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0

        After

        netstat -rn

        Kernel IP routing table
        Destination     Gateway         Genmask         Flags MSS Window irtt Iface
        0.0.0.0         192.168.29.5    128.0.0.0       UG      0 0          0 tun0
        0.0.0.0         10.0.44.252     0.0.0.0         UG      0 0          0 eth0.2
        10.0.44.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
        XX.XX.XX.XX     10.0.44.252     255.255.255.255 UGH     0 0          0 eth0.2
        128.0.0.0       192.168.29.5    128.0.0.0       UG      0 0          0 tun0
        192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
        192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0
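To see what 'redirect-gateway def1' actually did to the table above, here is an added example (written for this edit; it is not code from the thread, from OpenVPN or from OpenWrt) that parses netstat -rn output, resolves a destination by longest-prefix match the way the kernel does, and reproduces the three routes def1 installs: two /1 routes that together cover all of IPv4 and beat the /0 default without deleting it, plus a /32 host route to the VPN server via the original WAN gateway so the tunnel's own UDP packets are not pulled into the tunnel. The two tables are constructed from the Before/After output in this post; the VPN server address XX.XX.XX.XX is replaced by the placeholder 203.0.113.10.

```python
import ipaddress

# Constructed samples modelled on the "Before" and "After" netstat -rn output
# in the post above. The VPN server's public address (XX.XX.XX.XX there) is
# replaced by the placeholder 203.0.113.10; the WAN gateway is as posted.
BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.0.44.252     0.0.0.0         UG      0 0          0 eth0.2
10.0.44.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
10.1.3.0        192.168.29.5    255.255.255.0   UG      0 0          0 tun0
192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0
"""

AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.29.5    128.0.0.0       UG      0 0          0 tun0
0.0.0.0         10.0.44.252     0.0.0.0         UG      0 0          0 eth0.2
10.0.44.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
203.0.113.10    10.0.44.252     255.255.255.255 UGH     0 0          0 eth0.2
128.0.0.0       192.168.29.5    128.0.0.0       UG      0 0          0 tun0
192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0
"""


def parse_routes(text):
    """Parse netstat -rn output into (network, gateway, iface, flags) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            # Genmask is a dotted netmask; ipaddress accepts "addr/netmask".
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        except ValueError:
            continue  # the "Destination Gateway ..." header, not a route
        routes.append((net, fields[1], fields[7], fields[3]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, table order is irrelevant."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface, _flags in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def def1_routes(server_ip, vpn_gateway, wan_gateway, wan_iface, tun_iface):
    """The three routes 'redirect-gateway def1' installs: 0.0.0.0/1 and
    128.0.0.0/1 via the tunnel (more specific than the /0 default, which is
    left in place) and a /32 to the VPN server via the original WAN gateway
    so the encrypted packets themselves still leave through the WAN."""
    return [
        (ipaddress.ip_network("0.0.0.0/1"), vpn_gateway, tun_iface, "UG"),
        (ipaddress.ip_network("128.0.0.0/1"), vpn_gateway, tun_iface, "UG"),
        (ipaddress.ip_network(f"{server_ip}/32"), wan_gateway, wan_iface, "UGH"),
    ]


def same_next_hop(routes_a, routes_b, dst):
    """True if both tables send dst to the same gateway and interface."""
    a, b = lookup(routes_a, dst), lookup(routes_b, dst)
    return a is not None and b is not None and a[1:] == b[1:]


if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    # Apply the def1 model to the "Before" table and compare with what was posted.
    simulated = before + def1_routes("203.0.113.10", "192.168.29.5",
                                     "10.0.44.252", "eth0.2", "tun0")
    for dst in ("8.8.8.8", "200.1.2.3", "203.0.113.10", "192.168.4.20", "10.0.44.9"):
        print(f"{dst:>14}  before={lookup(before, dst)}  after={lookup(after, dst)}"
              f"  def1 model matches posted table: {same_next_hop(simulated, after, dst)}")
```

Running it shows that after def1 every internet destination resolves to 192.168.29.5 on tun0 while 203.0.113.10 still resolves to the WAN gateway on eth0.2, and that the def1 model reproduces the posted "After" table. A host on 192.168.4.0/24 is forwarded by this same table on the router, so when the routes look right but replies never come back, the fault is on the far side of the tunnel, which is where the next post found it (pfSense outbound NAT).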

          cgu29
          last edited by May 17, 2013, 3:43 PM

          it's solved

          the problem came from the NAT rules on the pfsense server

          I had to enable manual NAT and add a mapping between the remote LAN and the NATted IP (PFsense WAN interface)

          hope it helps

          now time to quit and go to the pub (in France)
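Why a ping from the router itself worked while a ping from the laptop did not, as an added model (written for this edit, not pfSense code) of pfSense outbound NAT on the WAN interface. Assumptions: in automatic mode the generated rules cover the networks pfSense is directly attached to, the LAN 10.1.3.0/24 and the tunnel network 192.168.29.4/30, but not the remote 192.168.4.0/24 reached through the site-to-site tunnel, which is consistent with what the poster saw; the pfSense WAN address and the internet host aaa.aaa.aaa.aaa are the placeholders 203.0.113.10 and 198.51.100.7.

```python
import ipaddress

# Placeholders (constructed): the pfSense public WAN address and the internet
# host the poster calls aaa.aaa.aaa.aaa.
WAN_ADDRESS = "203.0.113.10"
INTERNET_HOST = "198.51.100.7"

# Networks from the thread: pfSense LAN, the OpenVPN tunnel network, and the
# OpenWrt LAN on the far side of the site-to-site tunnel.
PFSENSE_LAN = "10.1.3.0/24"
TUNNEL_NET = "192.168.29.4/30"
REMOTE_LAN = "192.168.4.0/24"
INTERNAL_NETWORKS = [PFSENSE_LAN, TUNNEL_NET, REMOTE_LAN]


def automatic_outbound_rules():
    """Assumed rule set of pfSense 'automatic outbound NAT' in this model: the
    networks pfSense itself is attached to (LAN and tunnel network), but not
    the remote LAN that is only reachable through the site-to-site tunnel."""
    return [(ipaddress.ip_network(n), WAN_ADDRESS) for n in (PFSENSE_LAN, TUNNEL_NET)]


def manual_outbound_rules():
    """The fix from the thread: manual mode with one extra mapping that
    translates the remote LAN to the WAN address as well."""
    return automatic_outbound_rules() + [(ipaddress.ip_network(REMOTE_LAN), WAN_ADDRESS)]


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in INTERNAL_NETWORKS)


def egress_source(rules, src, dst):
    """Source address a packet carries when it leaves pfSense towards dst.
    Internal destinations are plainly routed (no NAT). For internet
    destinations the first matching outbound rule rewrites the source; with
    no match the packet leaves with its private source address unchanged."""
    if is_internal(dst):
        return src
    s = ipaddress.ip_address(src)
    for net, nat_addr in rules:
        if s in net:
            return nat_addr
    return src


def reply_can_return(rules, src, dst):
    """An internet host can only answer to the public WAN address; a packet
    that left with an RFC 1918 source gets no usable reply, which is what the
    poster saw as 'can't ping from inside the LAN'."""
    return is_internal(dst) or egress_source(rules, src, dst) == WAN_ADDRESS


if __name__ == "__main__":
    cases = [("10.1.3.20", "pfSense LAN host"),
             ("192.168.29.6", "OpenWrt router itself (tunnel address)"),
             ("192.168.4.20", "laptop behind OpenWrt")]
    for name, rules in (("automatic", automatic_outbound_rules()),
                        ("manual", manual_outbound_rules())):
        for src, label in cases:
            print(f"{name:>9} NAT: {label:<40} leaves as "
                  f"{egress_source(rules, src, INTERNET_HOST):<14} "
                  f"reply returns: {reply_can_return(rules, src, INTERNET_HOST)}")
```

The output makes the symptom visible: with the automatic rules a ping sourced from the router's tunnel address 192.168.29.6 leaves as the WAN address and gets its reply, while one sourced from the laptop at 192.168.4.20 leaves untranslated and never does; with the manual rule set both are translated, and traffic to 10.1.3.0/24 is still routed without NAT in either case.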

            keysers0ze
            last edited by May 18, 2013, 7:23 AM

            Hi, good to hear you got it working… I was struggling with the same thing a couple of months ago....

            • I think your problem was in the routes (if openwrt didn't route your request back from pfsense when pinging from behind openwrt to pfsense)

            • did you set the remote LAN 192.168.4/24 (openvpn setting "route 192.168.4/24")? (what does the pfsense routing table show? does it know the 192.168.4/24 network?)

            • did you use peer-to-peer or remote access?

            • Set pfsense "Manual outbound NAT" -> the WAN interface NATs all outbound traffic to its public interface IP. (that's the way I always do it: 1 NAT in the network, everything else is fully routed between routers..)

            • Make sure DNS requests also go through the tunnel (DNS queries coming from openwrt / openwrt-connected networks (LAN))..

            • If you use your own DNS resolver (at the pfsense endpoint) you need to set openwrt to allow DNS queries coming from the private network (from pfsense).

            br.
            .k

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.