Site to Site with DD-WRT (SOLVED)



  • Hi, I was wondering if someone has successfully accomplished site-to-site with pfSense running the OpenVPN server and DDWRT (R7000 Kongac) as the client. I was looking around many guides, but most of them show DDWRT running the server. This is what I have so far, see pictures.

    The idea is that I need Site A (pfSense server) to ping Site B (DDWRT client), because on Site B I have a NAS which needs to be able to ping one of the servers in Site A.

    Thank you



  • All right, so I changed things a bit. The part I'm getting confused by is the CA cert, the public client cert and the private client key.

    So I created a CA on pfSense called DDWRT, and that CA I would put inside the CA cert field of DDWRT?

    Then I created on pfSense a server certificate called DDWRT server. Then I would export from that the cert and the key and paste them into the public cert and private key?










  • UPDATE:
    So I finally fixed the issue with the cert and now it shows connected on both sides. The only issue is that they cannot ping each other, e.g. pfSense is 192.168.3.254 and should be able to ping DDWRT 192.168.1.251, and any clients on the LAN of pfSense should also be able to ping 192.168.1.251.

    And the cert I configured like this:

    the CA on pfSense, which was DDWRT, was placed in CA

    Then I created a client cert on pfSense and used the key and CA to place on DDWRT as the Public Client Cert and the Private Client Key. After that on pfSense I needed to create a user and give that user the client cert; I also disabled the TLS key.






  • UPDATE 2:

    So I feel like I'm almost there. The issue with the ping was that I needed to check Redirect Gateway on the pfSense OpenVPN server. Now DDWRT can ping pfSense, but pfSense cannot ping DDWRT.






  • I guess the real question is "does anyone know how I can route the OpenVPN server to also ping DDWRT?" I tried using routing tables but have had no luck :(



  • You've set up a remote access server on pfSense, not a site-to-site.
    ??



  • I'm pretty sure it's a site-to-site, as everything shows connected. I just can't understand why pfSense cannot contact DDWRT if they're both connected.



  • Yeah, your upper screenshot of pfSense VPN server shows a remote access server, the lower one shows a site-to-site.

    Is the DDWRT the default gateway in its LAN?



  • Thanks for the reply. Yeah, the upper one was messed up, the second one is correct. When you say "is the DDWRT the default gateway", do you mean create a rule,
    or the default gateway which it gets from the OpenVPN (it gets 192.168.90.6),
    or the gateway of the DDWRT, which is 192.168.1.251?

    Thank you



  • I asked if the DDWRT is the default gateway in the network behind (192.168.1.0/24).



  • Yes, the DDWRT is the default gateway for the network 192.168.1.0/24.



  • It seems that pfSense doesn't find the correct route to the network behind DDWRT.

    Are you running multiple VPN instances on pfSense, both server and client?

    Please post the IPv4 routing table from pfSense.



  • Thank you for the reply.
    I am also running other OpenVPN servers, but those are only remote access for clients.

    See picture for the routing

    Thank you










  • As mentioned, it doesn't matter which kind of OpenVPN instances: if you run multiple and you haven't assigned separate interfaces to them, all of them are handled as a single interface group.

    So for correct routing you have to assign an interface to the site-to-site server: Interfaces > Assign.
    At available network ports select the site-to-site server and click Add, open the new interface and enable it, also enter a proper description and save it.



  • Thanks for the reply, so something like this? Assuming on DDWRT, when it shows connected to the remote address, that must be the gateway? Would I also delete the rule on OpenVPN for

    IPv4 * 192.168.90.0/24 * * * * none

    Thank you see pictures










  • Yes, but don't set an IP address on the interface, just enable it. IP has to be set to "None"!



  • Thanks for the reply. So I configured it to None, but still nothing :(

    Thank you




  • Have you tried to reboot pfSense?

    If it still doesn't work after reboot make a packet capture on the SitetoSite interface and select ICMP protocol while you try a ping to the DDWRT. Maybe there is something wrong with the NAT.
    Post the capture output, please.



  • Thanks for the reply,

    here is the packet capture.

    The packet capture only showed these lines:

    20:12:56.238295 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 0, length 64
    20:12:57.253548 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 1, length 64
    20:12:58.256451 IP 192.168.90.1 > 192.168.1.251: ICMP echo request, id 4676, seq 2, length 64

    packet capture

    http://www.filedropper.com/openvpn

    Thank you again



  • So you get no responses from DDWRT, though the pings come from the VPN server, which is connected directly to the DDWRT's interface.
    I think DDWRT blocks the access. Check its firewall rules.


  • This is not a DDWRT forum.



  • Thanks for the reply,

    @derelict, you're correct, but when I posted on the DDWRT forums I got yelled at saying it's a server issue with pfSense.

    @viragomann
    So this means that the routing is correct on the server side? Just want to make sure before I start messing with iptables on DDWRT.

    Thank you



  • The routes look fine: 192.168.1.0/24 points to the VPN client. So this subnet is routed over the VPN, as the packet capture on the VPN server interface shows. You should see exactly the same packets on the client's VPN interface.



  • Thanks for the reply. As I was investigating on DDWRT, they told me this as well; I even turned off the firewall of DDWRT, so I think it might be something with the routes:

    you have to add a static route for the OpenVPN client's local IP network to the OpenVPN server config, and use iroute to inform the OpenVPN server that that static route is associated w/ that OpenVPN client. You must address this issue before devices on the OpenVPN server side can initiate connections to devices on the OpenVPN client side.



  • I have a working set up which I believe is similar to yours. I am in the process of upgrading from dd-wrt to pfsense with site-to-site OpenVPN.

    On the server end I have pfsense running OpenVPN server on subnet 10.0.1.1/24. On the client I have dd-wrt running OpenVPN client on 192.168.122.1/24.

    In order to route useful traffic over my VPN it was necessary to add the following directive to pfsense => OpenVPN => Server => Advanced Configuration => Custom options

    push "route 10.0.1.0 255.255.255.0"

    Also, in pfsense => OpenVPN => Client Specific Overrides => I created an entry with the Common Name (CN) of the client. In that entry Client Settings => Advanced has:

    iroute 192.168.122.0 255.255.255.0

    The first directive allows stations on the client lan to see assets on the server's lan. The second directive allows stations on the server lan to see assets on the client lan.

    Hope this helps.



  • Thank you for the reply. I think this might be it, but I'm not sure; it's not working. My OpenVPN server on pfSense is 192.168.90.0/24,
    and in advanced I did:

    Also my pfSense LAN is 192.168.3.0/24

    push "route 192.168.90.0 255.255.255.0";
    

    Then on the client override I added this at the bottom. I also added the static IP just to see if the client override was working, which it was:

    push "route 192.168.1.0 255.255.255.0";  
    ifconfig-push 192.168.90.8 192.168.90.5;
    

    Then I rebooted pfSense, but still pfSense cannot ping DDWRT, BUT DDWRT can ping pfSense.

    I also turned off the firewall on DDWRT just to make sure.

    Thank you, see pictures












  • In your setup I suggest:

    push "route 192.168.3.0 255.255.255.0"

    as the server option and

    iroute 192.168.1.0 255.255.255.0

    in the client specific override.
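As an added illustration (not code from this thread, pfSense or OpenVPN), here is a small Python model of the two lookups a packet from the pfSense side goes through: first the kernel route, which is why the echo requests showed up in the capture on the server's interface, and then OpenVPN's own client table, which in server mode only knows a client's tunnel address plus whatever `iroute` subnets its client-specific override declares. Without the `iroute`, the packet for 192.168.1.251 enters the tunnel interface and is then dropped, which matches the capture above. The interface names (`ovpns1`, `lan`, `wan`) and the client CN `ddwrt` are assumptions; the addresses are the ones used in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed interface names: "ovpns1" follows pfSense's naming for the first
# OpenVPN server instance; "lan"/"wan" stand in for the physical NICs.
VPN_IFACE = "ovpns1"


@dataclass
class VpnClient:
    common_name: str                 # CN of the client cert (matches the override entry)
    tunnel_ip: str                   # client's tunnel address (ifconfig-push or pool)
    iroutes: list = field(default_factory=list)  # subnets declared with "iroute"


class OpenVpnServerModel:
    """Toy model of the two routing decisions on an OpenVPN server in server
    mode: the kernel route, then OpenVPN's internal client table."""

    def __init__(self, kernel_routes):
        # kernel routing table: network -> outgoing interface
        self.kernel_routes = {ipaddress.ip_network(n): i
                              for n, i in kernel_routes.items()}
        self.by_tunnel_ip = {}       # tunnel address -> client
        self.by_subnet = []          # (iroute network, client)

    def connect(self, client):
        """Register a client the way the server learns it at connect time."""
        self.by_tunnel_ip[ipaddress.ip_address(client.tunnel_ip)] = client
        for net in client.iroutes:
            self.by_subnet.append((ipaddress.ip_network(net), client))

    def kernel_iface(self, addr):
        """Longest-prefix match over the kernel routing table."""
        best = None
        for net, iface in self.kernel_routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def lookup_client(self, addr):
        """OpenVPN's own lookup: tunnel IPs first, then iroute subnets."""
        if addr in self.by_tunnel_ip:
            return self.by_tunnel_ip[addr]
        for net, client in self.by_subnet:
            if addr in net:
                return client
        return None

    def route_packet(self, dst):
        addr = ipaddress.ip_address(dst)
        iface = self.kernel_iface(addr)
        if iface != VPN_IFACE:
            return f"not a VPN destination (kernel sends it via {iface})"
        client = self.lookup_client(addr)
        if client is None:
            return "dropped by OpenVPN: no connected client owns this destination"
        return f"forwarded to client {client.common_name}"


def thread_scenario(with_iroute):
    """Constructed from the thread: tunnel 192.168.90.0/24, pfSense LAN
    192.168.3.0/24, DD-WRT LAN 192.168.1.0/24 with the DD-WRT at .251."""
    server = OpenVpnServerModel({
        "0.0.0.0/0": "wan",
        "192.168.3.0/24": "lan",
        "192.168.90.0/24": VPN_IFACE,
        "192.168.1.0/24": VPN_IFACE,   # the server-side "route" / remote network
    })
    ddwrt = VpnClient("ddwrt", "192.168.90.5",
                      iroutes=["192.168.1.0/24"] if with_iroute else [])
    server.connect(ddwrt)
    return server


if __name__ == "__main__":
    for flag in (False, True):
        print(f"iroute={flag}:", thread_scenario(flag).route_packet("192.168.1.251"))
```

The same model also shows why the tunnel address itself (192.168.90.5) was always reachable: it is in the client table regardless of `iroute`, so "connected on both sides" says nothing about whether the LAN behind the client is routable.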



  • Thanks for the reply. So I finally solved the issue while reading how OpenVPN works.

    OpenVPN uses this table

    [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
    [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
    [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
    [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
    [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
    [101,102] [105,106] [109,110] [113,114] [117,118]
    

    Meaning if my config on the OpenVPN server is ifconfig 192.168.90.1 192.168.90.2,

    then I needed to give my client override this: the client gets 192.168.90.5 and the gateway is 192.168.90.6

    ifconfig-push 192.168.90.5 192.168.90.6
    iroute 192.168.1.0 255.255.255.0
    

    Felt so silly after one week.

    Now pfSense can ping DDWRT, so in the end it was not a DDWRT issue.

    Hope this helps someone else.

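To make the /30 table above checkable, here is an added Python example (not from this thread or from OpenVPN) that generates the net30 pairs for a `server` network and validates an `ifconfig-push local remote` line against them. It follows the table exactly as the post reproduces it, so a pair is accepted only as `[4k+1, 4k+2]` with the first pair reserved for the server; the earlier attempt `ifconfig-push 192.168.90.8 192.168.90.5` fails because the two addresses are not even in the same /30. The helper that emits the override lines is my own convenience, not a pfSense function.

```python
import ipaddress


def net30_pairs(server_network):
    """Return the /30 pairs OpenVPN hands out under the default `topology net30`
    for a `server` network: [1,2] [5,6] [9,10] ... The first pair is the
    server's own `ifconfig`."""
    net = ipaddress.ip_network(server_network)
    base = int(net.network_address)
    last = int(net.broadcast_address)
    pairs = []
    k = 0
    while base + 4 * k + 3 <= last:          # the whole /30 must fit in the pool
        pairs.append((ipaddress.ip_address(base + 4 * k + 1),
                      ipaddress.ip_address(base + 4 * k + 2)))
        k += 1
    return pairs


def check_ifconfig_push(server_network, local, remote):
    """Validate `ifconfig-push local remote` against the net30 table.
    Returns "ok" or a short reason string."""
    pairs = net30_pairs(server_network)
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if (l, r) == pairs[0]:
        return f"invalid: {l}/{r} is the server's own pair"
    if (l, r) in pairs[1:]:
        return "ok"
    if int(l) // 4 != int(r) // 4:
        return f"invalid: {l} and {r} are not in the same /30"
    low = int(l) // 4 * 4
    return (f"invalid: {l}/{r} is not a listed pair "
            f"(expected {ipaddress.ip_address(low + 1)} {ipaddress.ip_address(low + 2)})")


def client_override(server_network, local, remote, client_lan):
    """Assumed helper: build the client-specific-override lines for one client,
    refusing to emit them when the tunnel pair is invalid."""
    verdict = check_ifconfig_push(server_network, local, remote)
    if verdict != "ok":
        raise ValueError(verdict)
    lan = ipaddress.ip_network(client_lan)
    return (f"ifconfig-push {local} {remote}\n"
            f"iroute {lan.network_address} {lan.netmask}")


if __name__ == "__main__":
    # Values from the thread: tunnel 192.168.90.0/24, DD-WRT LAN 192.168.1.0/24
    for pair in (("192.168.90.8", "192.168.90.5"), ("192.168.90.5", "192.168.90.6")):
        print(pair, "->", check_ifconfig_push("192.168.90.0/24", *pair))
    print(client_override("192.168.90.0/24", "192.168.90.5", "192.168.90.6", "192.168.1.0/24"))
```

Running it prints the rejection for the .8/.5 attempt and the two override lines for the working .5/.6 pair, which is exactly the configuration the post above ends with.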


  • Mine is working now too. Thanks a lot. ;D
    @killmasta93:

    Thanks for the reply so i finally solved the issue while reading how OpenVPN works,

    OpenVPN uses this table

    [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
    [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
    [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
    [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
    [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
    [101,102] [105,106] [109,110] [113,114] [117,118]
    

    Meaning if my config on OpenVPN server is ifconfig 192.168.90.1 192.168.90.2

    so then i needed to give my client overide this, the client gets 192.168.90.5 and the gateway is 192.168.90.6

    ifconfig-push 192.168.90.5 192.168.90.6
    iroute 192.168.1.0 255.255.255.0
    

    Felt so silly after one week

    Now pfSense can ping DDWRT so at the end it was not  DDWRT issue

    Hope this helps someone else

