Success: OpenVPN Site-to-Site using dd-wrt (client) > pfsense-2.x (server)
-
So first, this assumes your pfsense 2.x has more or less the following settings:

1) pfsense config

In Firewall > Rules > WAN:
Allow UDP from ANY to 1194

In VPN > OpenVPN > Server:
Server Mode: Peer to Peer (Shared Key)
Protocol: UDP
Device Mode: tun
Interface: <your WAN interface>
Local port: 1194
Description: <whatever>
Shared Key: <will be generated automagically, you will need it for the dd-wrt config>
Encryption algorithm: AES-128-CBC
Hardware Crypto: No Hardware
Tunnel Network: <pick something /24 outside of site1 or site2, in my case: 10.0.148.0/24>
Local Network: <in my case the LAN subnet: 10.0.144.0/24>
Remote Network: <in my case the subnet on the dd-wrt client side: 10.10.1.0/24>
Concurrent connections: 1
Compression: Checked

Once created, go back to Firewall > Rules > OpenVPN
Add a rule from any to any using any protocol (but please tighten this after ensuring the setup works..)

2) dd-wrt config
I found many tutorials, but eventually this one made my day (albeit with minor editing): http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers#Client_Configuration

Which leaves us with, as startup script:
# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
# here you would specify your pfsense WAN IP
remote x.x.x.x 1194
proto udp
port 1194
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
cipher AES-128-CBC #needed !!!!
" > SiteA-SiteB.conf

# Config for Static Key
echo "
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<you will find the content of the key in pfsense: go back to VPN > OpenVPN > Server, edit your newly created server, you will find the PSK there..>
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
# notice here i am picking an arbitrary address for tun0, in my case 10.0.148.2
ifconfig tun0 10.0.148.2 netmask 255.255.255.0 promisc up

# Create routes
# Notice the first 10.0.144.0 being my pfsense LAN, the second 10.0.148.1 being the openvpn gateway
route add -net 10.0.144.0 netmask 255.255.255.0 gw 10.0.148.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
And as firewall script:

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Once done, reboot, and try pinging a host on the pfsense-side from within the dd-wrt box.. should work..
Really.. ;)
-
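A small guard for the dd-wrt side, added here as an example and not part of the post or of dd-wrt: before the startup script launches OpenVPN it checks that the static key pasted into /tmp/static.key has the 2048-bit V1 layout pfsense exports and that no user other than root can read it. The function names are mine, and the sample key written by write_sample_key is a constructed placeholder for exercising the check, not a usable key.

```shell
# Added example, not code from the forum post: guards for the dd-wrt
# startup script. Written for busybox sh as found on dd-wrt.

# check_static_key FILE : returns 0 only if FILE is a 2048-bit OpenVPN
# static key in V1 layout (BEGIN/END markers around 16 lines of 32 hex
# digits) and has no group/other permission bits set.
check_static_key() {
    file="$1"
    [ -f "$file" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$file" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$file" || return 1
    # 2048 bits = 256 bytes = 512 hex digits = 16 lines of 32.
    n=$(sed -n '/^-----BEGIN/,/^-----END/p' "$file" \
        | grep -c '^[0-9a-fA-F]\{32\}$' || true)
    [ "$n" -eq 16 ] || return 1
    # Columns 5-10 of `ls -l` are the group/other bits; all must be '-'.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] || return 1
}

# protect_static_key FILE : the post writes the key with a plain
# `echo ... > static.key`, i.e. with the shell's default umask; tighten
# the mode to 600 and then validate the file.
protect_static_key() {
    chmod 600 "$1" && check_static_key "$1"
}

# write_sample_key FILE : constructed placeholder in the pfsense layout
# (comment header, markers, 16 hex lines), only for exercising the check.
# It is NOT a usable key; the real one comes from VPN > OpenVPN > Server.
write_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032x\n' "$i"      # constructed filler, not random
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}
```

In the startup script, run `protect_static_key /tmp/static.key || exit 1` right after the `echo ... > static.key` and before `/tmp/myvpn --config SiteA-SiteB.conf`, so a mis-pasted or world-readable key stops the tunnel from coming up instead of failing silently later.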
In this config you can't access the dd-wrt router from the pfsense subnet to manage it via web or ping, only telnet.

But some code may be added to the dd-wrt router firewall script:

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

and saved.