pfSense to DD-WRT OpenVPN tunnel
-
How do you NAT-exempt traffic on the OpenVPN tunnel? I'm not sure if the issue I'm seeing is on the pfSense side (doubt it) or the DD-WRT side (more probable).
I build the OpenVPN tunnel and the tunnel comes up. If I add a rule allowing traffic from the OpenVPN IP, I can ping from the DD-WRT to any IP on the pfSense inside network, but it gets NATed to the DD-WRT's OpenVPN subnet IP. I want it to work like an IPsec tunnel does and pass the traffic un-NATed.
Anybody know how to set that up?
-
OpenVPN works that way by default on pfSense; we don't NAT on it (unless you jump through some hoops to make it happen).
Not sure what the config for that would be on DD-WRT, but it's most likely on that side. You might have more luck asking that bit on a DD-WRT forum/list.
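As an added example (not from either poster), here is a small POSIX shell check for the DD-WRT side of exactly this question: feed it the text that `iptables -t nat -S POSTROUTING` prints on the router and it reports, walking the chain in order the way the kernel does, whether traffic leaving the tunnel interface would be masqueraded, and prints the exemption rule to insert ahead of the MASQUERADE line. The chain dumps below are constructed samples, and `tun0`/`vlan2` as the tunnel and WAN interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether DD-WRT's nat POSTROUTING
# chain masquerades traffic that leaves via the OpenVPN interface, and emit the
# exemption rule for the firewall script. Input format is what
# `iptables -t nat -S POSTROUTING` prints.

# Constructed sample: a chain that masquerades everything leaving tun0 as well
# as the WAN (vlan2). This is the shape that produces the symptom in the question.
SAMPLE_NATTED='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE'

# Constructed sample after the exemption rule has been inserted at position 1.
SAMPLE_EXEMPT='-P POSTROUTING ACCEPT
-A POSTROUTING -o tun0 -j ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE'

# Constructed sample with an unscoped rule (no -o), which hits every interface.
SAMPLE_UNSCOPED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.50.0/24 -j MASQUERADE'

# nat_verdict RULES IFACE -> prints "nat" or "routed".
# The first rule matching traffic out IFACE decides; in the nat table an
# ACCEPT target means "leave this packet alone", so it shadows later MASQUERADE.
nat_verdict() {
    iface="$2"
    verdict=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"-o $iface "*"-j ACCEPT") echo routed; exit 0 ;;
            *"-o $iface "*"-j MASQUERADE"|*"-o $iface "*"-j SNAT"*) echo nat; exit 0 ;;
            *" -o "*) ;;                                   # scoped to another interface
            *"-j MASQUERADE"|*"-j SNAT"*) echo nat; exit 0 ;;  # unscoped: applies to all
        esac
    done)
    echo "${verdict:-routed}"
}

# exempt_rule IFACE -> the command to add to the DD-WRT firewall script.
# Position 1 guarantees it sits ahead of any MASQUERADE rule already there.
exempt_rule() {
    printf 'iptables -t nat -I POSTROUTING 1 -o %s -j ACCEPT\n' "$1"
}

for sample in "$SAMPLE_NATTED" "$SAMPLE_EXEMPT" "$SAMPLE_UNSCOPED"; do
    v=$(nat_verdict "$sample" tun0)
    echo "tun0 traffic is: $v"
    [ "$v" = nat ] && echo "  fix: $(exempt_rule tun0)"
done
```

The check only reads a rule dump, so it can be run anywhere; on the router itself, `nat_verdict "$(iptables -t nat -S POSTROUTING)" tun0` answers the question directly, and the printed `iptables -t nat -I POSTROUTING 1 -o tun0 -j ACCEPT` is the one line that makes DD-WRT route tunnel traffic with the original source addresses, as pfSense already does.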
-
I use a P2P shared-key tunnel. Not sure if this will help you, but here is an example of my DD-WRT config. Nothing is NATed from what I can tell; straight routing. The pfSense site is 192.168.0.x, the other site is 192.168.50.x, and 172.16.50.x is the tunnel.
Startup commands:
# Config for Site-to-Site SiteA-SiteB
# (written to /tmp explicitly so the path matches the "secret" line below;
#  the original relied on the startup script's working directory being /tmp)
echo "
remote pfsense IP/Host
proto udp
port 1195
dev tun0
persist-tun
persist-key
resolv-retry infinite
secret /tmp/static.key
nobind
mute-replay-warnings
verb 3
comp-lzo
keepalive 15 60
daemon
" > /tmp/SiteA-SiteB.conf

# Config for Static Key (the key material itself is left out of the post;
# the full block between the markers goes here)
echo "
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
" > /tmp/static.key

# Create interfaces (/tmp/myvpn is the OpenVPN binary as the poster has it on DD-WRT)
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 172.16.50.2 netmask 255.255.255.0 promisc up

# Create routes: remote-site networks are reached via the pfSense end of the tunnel
route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.16.50.1
route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.50.1
route add -net 192.168.60.0 netmask 255.255.255.0 gw 172.16.50.1
route add -net 192.168.100.0 netmask 255.255.255.0 gw 172.16.50.1
route add -net 192.168.200.0 netmask 255.255.255.0 gw 172.16.50.1

# Initiate the tunnel (the config's "daemon" line backgrounds it)
sleep 5
/tmp/myvpn --config /tmp/SiteA-SiteB.conf
Firewall commands. I need to tweak these, but they work; I just can't ping the DD-WRT router, but I can telnet/web into it.
# private subnets (anything FROM these subnets)
# ALL_ACCEPT is not a stock chain: it must exist (iptables -N ALL_ACCEPT) and be
# jumped to from INPUT/FORWARD before these appends have any effect
iptables -A ALL_ACCEPT -s 192.168.0.0/16 -j ACCEPT
iptables -A ALL_ACCEPT -s 172.16.50.0/24 -j ACCEPT
iptables -A ALL_ACCEPT -s 172.16.60.0/24 -j ACCEPT

# Open firewall holes
# inbound OpenVPN on the port from the config above; nothing here opens ICMP
# to the router itself over tun0
iptables -I INPUT 2 -p udp --dport 1195 -j ACCEPT
# forward LAN <-> tunnel in both directions; note there is no nat-table rule
# for tun0, which is why traffic crosses the tunnel un-NATed
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT