Site to Site with DD-WRT (SOLVED)
-
Hi, I was wondering if someone has successfully accomplished site to site as pfSense is running the OpenVPN server and the client DDWRT (R7000 Kongac). I was looking around many guides as most of them show as DDWRT running the server, this is what i got so far see pictures
The idea is i need Site A (pfSense Server) to ping Site B (DDWRT client) because on site B i have NAS which needs to be able to ping one of the servers which is in Site A
Thank you
-
Allright so i changed things a bit just The part im getting confused is the ca cert, public client cert and the private client key.
So i created on pfSense a CA called DDWRT and that CA i would put inside of the CA cert of DDWRT?
then in I created on pfSense a certificate server called DDWRT server. Then i would export from that the cert and the key paste in the public cert and private key?
-
UPDATE:
So I fixed finally the issue with the cert and now shows connected on both sides only issue that i cannot ping each other ex: pfSense is 192.168.3.254 should be able to ping DDWRT 192.168.1.251 or if any clients on the LAN of pfSense should be able to ping also 192.168.1.251and the cert i configured like this:
the CA on pfSense which was DDWRT was placed on CA
Then created a client cert on pfSense and used the key and CA to place on DDWRT the Public Client Cert and the Private Client Key, after that on pfSense i needed to create a user and give that user the client cert also disabled TLS key
-
UPDATE 2:
So i feel like im almost there, as the issue of the ping was that i needed to check the Redirect Gateway on pfSense OpenVPN now DDWRT can ping pfSense but pfSense cannot ping DDWRT
-
I guess the real question is " does anyone know how can i route the OpenVPN server to also ping DDWRT" i tried using routing tables but have had no luck :(
-
You've set up a remote access server on pfSense, not a site-to-site.
?? -
im pretty sure its a site to site as everything shows connected i just cant understand why pfSense cannot contact DDWRT if there both connected
-
Yeah, your upper screenshot of pfSense VPN server shows a remote access server, the lower one shows a site-to-site.
Is the DDWRT the default gateway in its LAN?
-
Thanks for the reply, yeah the upper one was a messed up, the second one is correct, when you say is the DDWRT the default gateway do you mean create a rule
or the default gateway of which the it gets from the OpenVPN? which it gets a 192.168.90.6
or the the gateway of the DDWRT which is 192.168.1.251Thank you
-
I asked if the DDWRT is the default gateway in the network behind (192.168.1.0/24).
-
yes the DDWRT is the default gateway for the network 192.168.1.0/24
-
It seems that pfSense doesn't find the correct route to the network behind DDWRT.
Are you running multiple VPN instances on pfSense, both server and client?
Please post the IPv4 routing table from pfSense.
-
Thank you for the reply,
as I am also running other OpenVPN servers but there are only remote for clientsSee picture for the routing
Thank you
-
As mentioned, it doesn't matter which kind of OpenVPN instances, if you run multiple and you haven't assigned separate interfaces to them all are handled as an unique interface group.
So for correct routing you have to assign an interface to the site-to-site server. Interface > assign
At available network ports select the site-to-site server and click Add, open the new interface and enable it, also enter a proper description and save it. -
Thanks for the reply so something like this? Assuming on DDWRT when it shows connected to remote address it must be the gateway? Would i also delete the Rule on openVPN for
IPv4 * 192.168.90.0/24 * * * * none
Thank you see pictures
-
Yes, but don't set an IP address on the interface, just enable it. IP has to be set to "None"!
-
Thanks for the reply So configured to none but still nothing :(
Thank you
-
Have you tried to reboot pfSense?
If it still doesn't work after reboot make a packet capture on the SitetoSite interface and select ICMP protocol while you try a ping to the DDWRT. Maybe there is something wrong with the NAT.
Post the capture output, please. -
Thanks for the reply
here is the packet capture
from the packet capture only showed these lines
20:12:56.238295 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 0, length 64 20:12:57.253548 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 1, length 64 20:12:58.256451 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 2, length 64packet capture
http://www.filedropper.com/openvpn
Thank you again
-
So you get no responses from DDWRT, though the pings come from the VPN server which is connected directly to the DDWRTs interface.
I think DDWRT blocks the access. Check its firewall rules.