Success: OpenVPN Site-to-Site using dd-wrt (client) > pfsense-2.x (server)

  • So first, this assumes your pfsense 2.x has more or less the following settings:

    1) Pfsense config

    In Firewall > Rules > WAN
    Allow UDP from ANY to 1194

    In VPN > OpenVPN > Server
    Server Mode: Peer to Peer (Shared Key)
    Protocol: UDP
    Device Mode: tun
    Interface: <your WAN interface>
    Local port: 1194
    Description: <whatever>
    Shared Key: <will be generated automagically, you will need it for the dd-wrt config>
    Encryption algorithm: AES-128-CBC
    Hardware Crypto: No Hardware

    Tunnel Network: <pick a /24 outside of site1 or site2, in my case: x.x.x.x/24>
    Local Network: <in my case the LAN subnet: x.x.x.x/24>
    Remote Network: <in my case the subnet on the dd-wrt client side: x.x.x.x/24>
    Concurrent connections: 1
    Compression: Checked

    Once created, go back to Firewall > Rules > OpenVPN
    Add a rule from any to any using any protocol (but please tighten this after ensuring the setup works..)

    2) dd-wrt config

    I found many tutorials, but eventually this one made my day (albeit with minor editing)

    Which leaves us with, as startup script:

    # Move to writable directory and create scripts
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    # Config for Site-to-Site SiteA-SiteB
    echo "
    # here you would specify your pfsense WAN IP
    remote x.x.x.x 1194
    proto udp
    port 1194
    dev tun0
    secret /tmp/static.key
    verb 3
    keepalive 15 60
    cipher AES-128-CBC #needed !!!!
    " > SiteA-SiteB.conf
    # Config for Static Key
    echo "
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    <you will find the content of the key in pfsense: go back to VPN > OpenVPN > Server, edit your newly created server, you will find the PSK there..>
    -----END OpenVPN Static key V1-----
    " > static.key
    # Create interfaces
    /tmp/myvpn --mktun --dev tun0
    # notice here i am picking an arbitrary address for tun0, in my case
    ifconfig tun0 <tun0 address> netmask <tunnel netmask> promisc up
    # Create routes
    # Notice the first being my pfsense LAN, the second being the openvpn gateway
    route add -net <pfsense LAN network> netmask <pfsense LAN netmask> gw <openvpn gateway address>
    # Initiate the tunnel
    sleep 5
    /tmp/myvpn --config SiteA-SiteB.conf

    And as firewall script

    # Open firewall holes
    iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

    Once done, reboot, and try pinging a host on the pfsense-side from within the dd-wrt box.. should work..
    Really.. ;)

  • In this config you can't access the dd-wrt router from the pfsense subnet to manage it via web or ping, only telnet.
    But some code may be added to the dd-wrt router firewall script:

    iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

    and saved.
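The first post asks you to pick a tunnel /24 that does not overlap either site and to tighten the any/any rules once the tunnel works; the second post opens the router's ICMP and web UI to the whole tunnel interface. The POSIX sh helper below is an added example, not code from either poster or from dd-wrt/pfsense: it checks that the three networks are disjoint, then prints firewall-script rules scoped to the two site LANs (forwarding only between them over tun0, and management of the router only from the pfsense LAN). The function names and the 192.168.1.0/24, 192.168.2.0/24 and 10.99.0.0/24 networks are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the posts above): sanity-check the site-to-site
# address plan and emit subnet-scoped iptables rules for the dd-wrt firewall
# script. All addresses below are constructed placeholders.

# Dotted-quad IPv4 address -> 32-bit integer, using POSIX sh arithmetic only
# (works in busybox ash on dd-wrt as well as dash/bash).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_overlap A.B.C.D/p E.F.G.H/q -> exit 0 if the two networks overlap.
# Two networks overlap exactly when they agree under the shorter prefix.
net_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    a=$(ip_to_int "$a_ip")
    b=$(ip_to_int "$b_ip")
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_plan LAN_A LAN_B TUNNEL -> exit 0 if all three networks are disjoint.
# LAN_A is the pfsense-side LAN, LAN_B the dd-wrt-side LAN, TUNNEL the
# OpenVPN "Tunnel Network".
check_plan() {
    lan_a=$1; lan_b=$2; tun=$3
    if net_overlap "$lan_a" "$lan_b"; then
        echo "site LANs overlap: $lan_a / $lan_b" >&2; return 1
    fi
    if net_overlap "$tun" "$lan_a" || net_overlap "$tun" "$lan_b"; then
        echo "tunnel network $tun overlaps a site LAN" >&2; return 1
    fi
    return 0
}

# gen_firewall LAN_A LAN_B -> prints dd-wrt firewall-script rules that only
# forward traffic between the two site LANs over tun0, and only let the
# pfsense LAN ping the router or reach its web UI through the tunnel.
# These replace the any/any FORWARD rules once the tunnel is known to work.
gen_firewall() {
    lan_a=$1; lan_b=$2
    cat <<EOF
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p icmp -s $lan_a -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -s $lan_a -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -s $lan_b -d $lan_a -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -s $lan_a -d $lan_b -j ACCEPT
EOF
}

# Usage with the constructed placeholder networks: print the rules only if
# the address plan is sane.
if check_plan 192.168.1.0/24 192.168.2.0/24 10.99.0.0/24; then
    gen_firewall 192.168.1.0/24 192.168.2.0/24
fi
```

Run it on a workstation first; if `check_plan` complains, change the tunnel network before touching the router. The printed rules can be pasted into the dd-wrt firewall script in place of the any/any FORWARD lines; the pfsense-side rule on the OpenVPN tab should be narrowed to the same two subnets.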
