Success: OpenVPN Site-to-Site using dd-wrt (client) > pfsense-2.x (server)



  • So first, this assumes your pfsense2.x has more or less the following settings:

    1) Pfsense config

    In Firewall Rules > WAN
    Allow UDP from ANY to 1194

    In VPN > OpenVPN > Server
    Server Mode: Peer to Peer (Shared Key)
    Protocol: UDP
    Device Mode: tun
    Interface: <your WAN interface>
    Local port: 1194
    Description: <whatever>
    Shared Key: <will be generated automagically, you will need it for dd-wrt config>
    Encryption algorithm: AES-128-CBC
    Hardware Crypto: No Hardware

    Tunnel Network: <pick something /24 outside of site1 or site2, in my case: 10.0.148.0/24>
    Local Network: <in my case LAN subnet: 10.0.144.0/24>
    Remote Network: <in my case the subnet on dd-wrt client side: 10.10.1.0/24>
    Concurrent connections: 1
    Compression: Checked

    Once created, go back to Firewall > Rules > OpenVPN
    Add a rule from any to any using any protocol (but please tighten this after ensuring the setup works..)

    2) dd-wrt config

    I found many tutorials, but eventually this one made my day (albeit with a minor edit) http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers#Client_Configuration

    Which leaves us with, as startup script:

    # Move to writable directory and create scripts
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    
    # Config for Site-to-Site SiteA-SiteB
    echo "
    # here you would specify your pfsense WAN IP
    remote x.x.x.x 1194
    proto udp
    port 1194
    dev tun0
    secret /tmp/static.key
    verb 3
    comp-lzo
    keepalive 15 60
    daemon
    # needed !!!! must match the Encryption algorithm chosen on the pfsense server
    cipher AES-128-CBC
    " > SiteA-SiteB.conf
    
    # Config for Static Key
    echo "
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    <you will find the content of the key in pfsense, go back to VPN > OpenVPN > Server, edit your newly created server, you will find the PSK there..>
    -----END OpenVPN Static key V1-----
    " > static.key
    # the shared key is a secret: keep it readable by root only
    chmod 600 static.key
    
    # Create interfaces
    /tmp/myvpn --mktun --dev tun0
    # notice here i am picking an arbitrary address for tun0 inside the Tunnel Network, in my case 10.0.148.2
    ifconfig tun0 10.0.148.2 netmask 255.255.255.0 promisc up
    
    # Create routes
    # Notice the first 10.0.144.0 being my pfsense LAN, the second 10.0.148.1 being the openvpn gateway
    route add -net 10.0.144.0 netmask 255.255.255.0 gw 10.0.148.1
    
    # Initiate the tunnel (give tun0 and the route a moment to settle first)
    sleep 5
    /tmp/myvpn --config SiteA-SiteB.conf
    

    And as firewall script:

    # Open firewall holes
    iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    

    Once done, reboot, and try pinging a host on the pfsense-side from within the dd-wrt box.. should work..
    Really.. ;)
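    A few pre-flight checks for the dd-wrt side, as an added example that is not part of the original post or of dd-wrt/pfsense: it verifies that the client config carries the directives the shared-key server above depends on (the missing `cipher` line is the classic failure the post flags), that the static key file has the V1 markers, the 16 hex lines of a 2048-bit key and owner-only permissions, and that the tun0 address and the route gateway sit in the same /24 as the Tunnel Network. The function names, the scratch files built by `make_samples`, the placeholder remote 198.51.100.10 and the dummy key contents are all constructed for this example; the key it writes is not a real secret.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# dd-wrt side of the shared-key tunnel described above. Function names and
# the sample files built by make_samples are constructed for this example.

# Return 0 when the client config carries every directive the pfsense
# shared-key server setup relies on; report each missing one on stderr.
check_conf() {
    conf="$1"
    rc=0
    for directive in "remote " "proto udp" "dev tun" "secret " "comp-lzo" "cipher AES-128-CBC"; do
        if ! grep -q "^[[:space:]]*$directive" "$conf"; then
            echo "MISSING in $conf: $directive" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when the static key file looks like a complete OpenVPN V1 static
# key (markers plus 16 lines of 32 hex chars = 2048 bits) and is readable by
# its owner only, which is what a shared secret on disk should be.
check_key() {
    key="$1"
    rc=0
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$key" || { echo "BAD key: no BEGIN marker" >&2; rc=1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$key" || { echo "BAD key: no END marker" >&2; rc=1; }
    n=$(grep -c '^[0-9a-fA-F]\{32\}$' "$key" || true)
    [ "$n" -eq 16 ] || { echo "BAD key: expected 16 hex lines, found $n" >&2; rc=1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "BAD key: mode $mode, expected 600 (run: chmod 600 $key)" >&2; rc=1 ;;
    esac
    return $rc
}

# Return 0 when two dotted-quad addresses share the same /24, e.g. the tun0
# address (10.0.148.2 in the post) and the route gateway (10.0.148.1) must
# both sit inside the server's Tunnel Network.
same_slash24() {
    [ "$(echo "$1" | cut -d. -f1-3)" = "$(echo "$2" | cut -d. -f1-3)" ]
}

# Build constructed sample files (a good config, one that forgot the cipher
# line, and a dummy key that is NOT a real secret) in a scratch directory.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'remote 198.51.100.10 1194' 'proto udp' 'port 1194' 'dev tun0' \
        'secret /tmp/static.key' 'verb 3' 'comp-lzo' 'keepalive 15 60' 'daemon' \
        'cipher AES-128-CBC' > "$dir/SiteA-SiteB.conf"
    grep -v '^cipher' "$dir/SiteA-SiteB.conf" > "$dir/nocipher.conf"
    {
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032d\n' "$i"   # 32 digits per line, placeholder only
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$dir/static.key"
    chmod 600 "$dir/static.key"
    echo "$dir"
}

main() {
    d=$(make_samples)
    for f in "$d/SiteA-SiteB.conf" "$d/nocipher.conf"; do
        if check_conf "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
    done
    if check_key "$d/static.key"; then echo "OK   $d/static.key"; else echo "FAIL $d/static.key"; fi
    if same_slash24 10.0.148.2 10.0.148.1; then echo "OK   tun0 and gateway share the tunnel /24"; fi
    rm -rf "$d"
}
main
```

    On the router itself you would point `check_conf` at /tmp/SiteA-SiteB.conf and `check_key` at /tmp/static.key from the startup script before the `sleep 5`, so a forgotten cipher line or a world-readable key shows up in the log instead of as a tunnel that silently never comes up.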



  • In this config you can't access the dd-wrt router from the pfsense subnet to manage it via web or ping, only telnet.
    But some code may be added to the dd-wrt router firewall script:

    iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

    and saved.

