Site to Site with DD-WRT (SOLVED)

killmasta93

UPDATE:
So I fixed finally the issue with the cert and now shows connected on both sides only issue that i cannot ping each other ex: pfSense is 192.168.3.254 should be able to ping DDWRT 192.168.1.251 or if any clients on the LAN of pfSense should be able to ping also 192.168.1.251

and the cert i configured like this:

the CA on pfSense which was DDWRT was placed on CA

Then created a client cert on pfSense and used the key and CA to place on DDWRT the Public Client Cert and the Private Client Key, after that on pfSense i needed to create a user and give that user the client cert also disabled TLS key

Clipboarder.2017.03.20-015.png

Clipboarder.2017.03.20-016.png

killmasta93

UPDATE 2:

So i feel like im almost there, as the issue of the ping was that i needed to check the Redirect Gateway on pfSense OpenVPN now DDWRT can ping pfSense but pfSense cannot ping DDWRT

Clipboarder.2017.03.20-020.png

Clipboarder.2017.03.20-021.png

killmasta93

I guess the real question is " does anyone know how can i route the OpenVPN server to also ping DDWRT" i tried using routing tables but have had no luck :(

viragomann

You've set up a remote access server on pfSense, not a site-to-site.
??

killmasta93

im pretty sure its a site to site as everything shows connected i just cant understand why pfSense cannot contact DDWRT if there both connected

viragomann

Yeah, your upper screenshot of pfSense VPN server shows a remote access server, the lower one shows a site-to-site.

Is the DDWRT the default gateway in its LAN?

killmasta93

Thanks for the reply, yeah the upper one was a messed up, the second one is correct, when you say is the DDWRT the default gateway do you mean create a rule
or the default gateway of which the it gets from the OpenVPN? which it gets a 192.168.90.6
or the the gateway of the DDWRT which is 192.168.1.251

Thank you

viragomann

I asked if the DDWRT is the default gateway in the network behind (192.168.1.0/24).

killmasta93

yes the DDWRT is the default gateway for the network 192.168.1.0/24

viragomann

It seems that pfSense doesn't find the correct route to the network behind DDWRT.

Are you running multiple VPN instances on pfSense, both server and client?

Please post the IPv4 routing table from pfSense.

killmasta93

Thank you for the reply,
as I am also running other OpenVPN servers but there are only remote for clients

See picture for the routing

Thank you

Clipboarder.2017.03.22-013.png
Clipboarder.2017.03.22-012.png_thumb

Clipboarder.2017.03.22-010.png

Clipboarder.2017.03.22-011.png

viragomann

As mentioned, it doesn't matter which kind of OpenVPN instances, if you run multiple and you haven't assigned separate interfaces to them all are handled as an unique interface group.

So for correct routing you have to assign an interface to the site-to-site server. Interface > assign
At available network ports select the site-to-site server and click Add, open the new interface and enable it, also enter a proper description and save it.

killmasta93

Thanks for the reply so something like this? Assuming on DDWRT when it shows connected to remote address it must be the gateway? Would i also delete the Rule on openVPN for

IPv4 * 192.168.90.0/24 * * * * none

Thank you see pictures

Clipboarder.2017.03.22-016.png

Clipboarder.2017.03.22-017.png

Clipboarder.2017.03.22-018.png

Clipboarder.2017.03.22-019.png

viragomann

Yes, but don't set an IP address on the interface, just enable it. IP has to be set to "None"!

killmasta93

Thanks for the reply So configured to none but still nothing :(

Thank you

Clipboarder.2017.03.22-020.png

viragomann

Have you tried to reboot pfSense?

If it still doesn't work after reboot make a packet capture on the SitetoSite interface and select ICMP protocol while you try a ping to the DDWRT. Maybe there is something wrong with the NAT.
Post the capture output, please.

killmasta93

Thanks for the reply

here is the packet capture

from the packet capture only showed these lines

20:12:56.238295 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 0, length 64
20:12:57.253548 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 1, length 64
20:12:58.256451 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 2, length 64

packet capture

http://www.filedropper.com/openvpn

Thank you again

viragomann

So you get no responses from DDWRT, though the pings come from the VPN server which is connected directly to the DDWRTs interface.
I think DDWRT blocks the access. Check its firewall rules.

Derelict

This is not a DDWRT forum.

killmasta93

Thanks for the reply,

@derelict, your correct but as i posted on the DDWRT forums i got yelled at saying its a server issue with pfSense

@viragomann
so this means that the routing is correct on the server side? just want to make sure before i start messing with Iptables on DDWRT

Thank you