Openvpn tunnel between openwrt and pfsense

cgu29 · May 2, 2013, 2:09 PM

Hi,

i have established a tunnel between TP-LINK WR1043ND and a PFsense (2.0.3) VM and it works fine

192.168.4.0/24 <–-> WR1043 <-- 192.168.29.4/30 --> PFsense <-- 10.1.3.0/24 -->
| |
WAN WAN

all packets from 192.168.4.0/24 to 10.1.3.0/24 go through the tunnel
all packets from 192.68.4.0/24 to internet go to internet via wan interface of WR1043
PFsense is connected to internet
all packets from 10.1.3.0/24 to internet go through pfsense wan interface (natted)

openvpn config on WR1043 :

more /etc/openvpn/client.cfg

dev tun0
dev-type tun
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
nobind
remote xxx.xxx.xxx.xxx 1195
ifconfig 192.168.29.6 192.168.29.5
route 10.1.3.0 255.255.255.0
secret /etc/openvpn/client.key
verb 4
status /var/log/openvpn-client.log

more /etc/firewall.user

Allow OpenVPN forwarding

iptables -A forwarding_rule -i tun+ -o br-lan -j ACCEPT
iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT

iptables -A input_rule -i tun+ -j ACCEPT
iptables -A output_rule -o tun+ -j ACCEPT

netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 yy.yy.yy.yy 0.0.0.0 UG 0 0 0 eth0.2
yy.yy.yy.yy 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.1.3.0 192.168.29.5 255.255.255.0 UG 0 0 0 tun0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.29.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

OPENVPN Server Side (PFsense 2.0.3)

peer to peer (shared key)
protocol UDP
device mode TUN
interface WAN
port 1195
tunnel network : 192.168.29.4/30
local network : 10.1.3.0/24
remote network : 192.168.4.0/24

NAT outbound : mode automatic outbound

now my need is to route all traffic through VPN tunnel :

I'd like to force all packets from 192.168.4.0 to go through the tunnel and reach internet via PFsense
In a first time, i chose to limit the destination subnets. For example to reach aaa.aaa.aaa.aaa i added in client.cfg :
route aaa.aaa.aaa.aaa 255.255.255.0

i can ping aaa.aaa.aaa.aaa from WR1043 (logged SSH)
but i can't ping from inside lan subnet 192.168.4.0

i don't konw where is the issue : pfsense nat ? openvpn config ? iptables config on openwrt ?

could someone help me to resolve my problem ?

Thanks a lot

Claude

keysers0ze · May 16, 2013, 3:40 PM

edit /etc/openvpn/client.cfg (should it be /etc/config/openvpn ?)

anyway..

add line 'redirect-gateway def1'

it cant be added via luci -> use cli
restart openvpn service.. or reboot

br.
.k

@cgu29:

Hi,

i have established a tunnel between TP-LINK WR1043ND and a PFsense (2.0.3) VM and it works fine

192.168.4.0/24 <–-> WR1043 <-- 192.168.29.4/30 --> PFsense <-- 10.1.3.0/24 -->
| |
WAN WAN

all packets from 192.168.4.0/24 to 10.1.3.0/24 go through the tunnel
all packets from 192.68.4.0/24 to internet go to internet via wan interface of WR1043
PFsense is connected to internet
all packets from 10.1.3.0/24 to internet go through pfsense wan interface (natted)

openvpn config on WR1043 :

more /etc/openvpn/client.cfg

dev tun0
dev-type tun
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
nobind
remote xxx.xxx.xxx.xxx 1195
ifconfig 192.168.29.6 192.168.29.5
route 10.1.3.0 255.255.255.0
secret /etc/openvpn/client.key
verb 4
status /var/log/openvpn-client.log

more /etc/firewall.user

Allow OpenVPN forwarding

iptables -A forwarding_rule -i tun+ -o br-lan -j ACCEPT
iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT

iptables -A input_rule -i tun+ -j ACCEPT
iptables -A output_rule -o tun+ -j ACCEPT

netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 yy.yy.yy.yy 0.0.0.0 UG 0 0 0 eth0.2
yy.yy.yy.yy 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.1.3.0 192.168.29.5 255.255.255.0 UG 0 0 0 tun0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.29.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

OPENVPN Server Side (PFsense 2.0.3)

peer to peer (shared key)
protocol UDP
device mode TUN
interface WAN
port 1195
tunnel network : 192.168.29.4/30
local network : 10.1.3.0/24
remote network : 192.168.4.0/24

NAT outbound : mode automatic outbound

now my need is to route all traffic through VPN tunnel :

I'd like to force all packets from 192.168.4.0 to go through the tunnel and reach internet via PFsense
In a first time, i chose to limit the destination subnets. For example to reach aaa.aaa.aaa.aaa i added in client.cfg :
route aaa.aaa.aaa.aaa 255.255.255.0

i can ping aaa.aaa.aaa.aaa from WR1043 (logged SSH)
but i can't ping from inside lan subnet 192.168.4.0

i don't konw where is the issue : pfsense nat ? openvpn config ? iptables config on openwrt ?

could someone help me to resolve my problem ?

Thanks a lot

Claude

cgu29 · May 17, 2013, 12:42 PM

Thanks for your help,

it modified client side /etc/openvpn/client.cfg and reboot
now from my openwrt router i can ping and all is reacheable
but from my laptop it doesn't work. Routes are OK but i can't ping tunnel network address 192.168.29.5 (server side)

routes on tp-link :
Before

netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.44.252 0.0.0.0 UG 0 0 0 eth0.2
10.0.44.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.1.3.0 192.168.29.5 255.255.255.0 UG 0 0 0 tun0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.29.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

After

netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.29.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.44.252 0.0.0.0 UG 0 0 0 eth0.2
10.0.44.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
XX.XX.XX.XX 10.0.44.252 255.255.255.255 UGH 0 0 0 eth0.2
128.0.0.0 192.168.29.5 128.0.0.0 UG 0 0 0 tun0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.29.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

cgu29 · May 17, 2013, 3:43 PM

it's solved

the problem came from the nat rules on the pfsense server

i had to enable manual nat and add a mapping between the remote LAN and the natted IP (PFsense wan interface)

hope it helps

now time to quit and go to the pub (in France)

keysers0ze · May 18, 2013, 7:23 AM

Hi, good to hear you get it working… i was struggling on same thing couple month ago....

I think your problem was in routes (if openwrt didnt route your request back from pfsense when pinging behind openwrt to pfsense)
did you set remote lan 192.168.4/24 (openvpn settings "route 192.168.4/24") (what pfsense routing table shows ? does it know 192.168.4/24 network ?
did you use peer-to-peer or remote access ?
Set pfsense "Manual outbound nat" -> wan interface NAT all outbound traffic its public interface ip. (thats the way i allways do it, 1 NAT in network everything else is fully routed between routers..)
Make sure DNS request goes also to tunnel (dns queries coming from openwrt / openwrt connected networks(lan)..
If you use own dns resolver(at endpoint pfsense) you need to set openwrt to allow dns queries coming from private network(from pfsense).

br.
.k

@cgu29:

it's solved

the problem came from the nat rules on the pfsense server

i had to enable manual nat and add a mapping between the remote LAN and the natted IP (PFsense wan interface)

hope it helps

now time to quit and go to the pub (in France)