PfSense 2.3 OpenVPN peer to peer not passing traffic to LAN
-
I am having a problem with traffic not being passed via OpenVPN Peer to Peer (Shared Key) between pfSense and a client side DD-WRT router. I’ve set up several DD-WRT routers with site-to-site OpenVPN connections via scripting with few issues. While I can get the OpenVPN connection up via both sides with pfSense and DD-WRT, I can’t pass traffic to the pfSense LAN. I clearly see in my pfSense Dashboard that I get connected with the DD-WRT router via the Peer to Peer Server Instance Statistics. So the connection is established, I just can’t ping anything on the LAN side of pfSense.
There is an excellent how to here https://forum.pfsense.org/index.php?topic=56458.0 BUT I’m using the 2.3 version of pfSense and I do not have the option of “Local Network” on my page. I have no doubt if I was running 2.2 I would be done already. Wondering if this is a “bug” or missing feature in 2.3. How would I tell it where and what the local network is?
I have checked the available update changes of 2.3.1 and there is no mention of adding the Local Network option. UPDATE: I've got another pfSense box I could test with. After upgrading to 2.3.1 it also does NOT have the Local Network option. So upgrading is most likely not going to fix the issue.
I am about 99.9% sure my config is correct in DD-WRT with routing. It’s the pfSense side I’m not too sure about. Any help would be greatly appreciated.
-
If the connection is being established and the tunnel is up then the most likely culprit is a routing or firewall issue. If you post both configs we can help you look them over. You should also start with any/any firewall rules on both sides until we can establish basic IP connectivity. Also, disable the software firewall on the endpoints until IP connectivity is established.
As far as the "Local Network" OpenVPN option on PFsense, I'm not sure where you're looking, but it's there…. it's labeled "IPv4 Local network(s)" and under the "Tunnel Settings" section.
-
As far as the "Local Network" OpenVPN option on PFsense, I'm not sure where you're looking, but it's there…. it's labeled "IPv4 Local network(s)" and under the "Tunnel Settings" section.
That's true, unless you use an OpenVPN server type "Peer to Peer (Shared Key)" in which case you lose the "Local Network" fields for both IPv4 and IPv6 (not true in 2.2.5, but in 2.3).
As far as I know that's because the OpenVPN server won't Push Routes in Shared Key mode (also known as Static Key or Pre-Shared Key). For the OP, you'll have to add the required routes to the DD-WRT client(s).
Alternatively you could setup your server with PKI.
Admittedly it's a little more work from the start (not a big deal, really) but I find it much more flexible and powerful especially as you get more clients involved.
Not to mention it's less of a security risk and easier to disable a single compromised client while keeping the others alive. Personally all I ever setup are PKI connections now, particularly since the Certificate Manager in pfSense makes it pretty trivial to create proper certificates.
I've done a few DD-WRT client connections with SSL and they really aren't any tougher than with pfSense clients.
-
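To make the routing point above concrete, here is a constructed pair of OpenVPN static-key (shared key) configs. This is an added example, not from this thread and not the config pfSense generates; the tunnel addresses, both LAN subnets, the key path and the server hostname are assumed. The client-side `route` line is the one a shared-key server cannot push, so it has to be present on the DD-WRT end by hand.

```conf
# ---- Server end (the pfSense side of the tunnel) ----
# pfSense builds this from the GUI; shown only so the two halves can be compared.
dev tun
proto udp
port 1194
secret /path/to/static.key        # identical key file on both ends (assumed path)
ifconfig 10.8.0.1 10.8.0.2        # tunnel endpoints: server first, then client (assumed)
# In static-key mode there is no "push", so nothing here tells the client
# about the pfSense LAN. The server only needs a route back to the client LAN:
route 192.168.2.0 255.255.255.0   # DD-WRT side LAN (assumed)
keepalive 10 60
persist-key
persist-tun

# ---- Client end (DD-WRT) ----
dev tun
proto udp
remote pfsense.example.com 1194   # public address of the pfSense box (assumed)
secret /path/to/static.key        # same static key as the server
ifconfig 10.8.0.2 10.8.0.1        # mirror image of the server's ifconfig line
# This is the route a PKI server would normally push; in shared-key mode
# it must be added explicitly, or the pfSense LAN is unreachable even
# though the tunnel shows as connected:
route 192.168.1.0 255.255.255.0   # pfSense LAN (assumed)
keepalive 10 60
persist-key
persist-tun
```

Even with both routes in place, pfSense still needs a firewall rule on its OpenVPN interface permitting traffic from the tunnel to the LAN, which is why Marvosa suggested any/any rules on both ends while establishing basic connectivity.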
Marvosa / divsys,
Thanks so much guys for responding. I’ve been slammed with other projects right now and I’m hoping to come back to this later in the week. I’ll try what you have suggested divsys. And thanks for letting me know I’m not crazy or just plain stupid. I was ready to screenshot and post “Look it’s not there”. You saved me a little time on that. Plus, I get to keep a little sanity.
-
And thanks for letting me know I’m not crazy or just plain stupid.
No, that phrase usually best applies to me... :P
-
Thought it would be a good idea to update this post in case someone else stumbles on this page. Let's start with the bad news, I never got this working with DD-WRT on the client side. Tried countless things to change and test and never got it. >:( I have been beaten. I simply said screw it, built another pfSense box and configured a peer to peer OpenVPN connection as the client. Hey guess what? That worked.
So for anyone else that's trying to get this to work with DD-WRT on the client side, good luck. I'm pretty darn persistent and could never get it working. Your mileage may vary.
-
Just for interests sake, did you set the pfsense boxes up with a shared key or PKI?
-
Shared key.
-
Might be the difference, I gave up on shared key rather early on in my switch from IPCop to pfSense (early 2000's).
As I mentioned, all the site-site connections I've done (including a half-dozen or so DD-WRT) were PKI and worked just fine.
Once you get your head wrapped around what you need for certificates (the Certificate Manager makes it pretty easy) it's no big deal.