Question about OpenVPN setup?
madmax
I have a small computer set up with pfSense that is my gateway router with two NICs, WAN/LAN. I have an OpenVPN service that I use for anonymity and use a DD-WRT router for that service, and any computers that I use with that are directly getting DHCP from that DD-WRT router. I want to be able to remotely use my non-VPN IP address to access those computers on my network that are connected to the DD-WRT router. The problem I'm facing is that even though they are on the same subnet and I can access them locally through any computer that is connected to either router, my pfSense router doesn't see the computers that are connected to DD-WRT because the pfSense router is not giving DHCP to those other computers that are connected to the DD-WRT router and won't forward those ports to them. I already tried forwarding ports from the IP where the DD-WRT is connected to the pfSense router, but everything gets tunneled unless I go through the VPN address, which isn't what I want to do; it's a very remote IP.
Do I need to add another dual NIC to my pfSense computer and then have one LAN NIC as non-OpenVPN and the other LAN as OpenVPN? But most importantly I need to forward ports so I can remotely reach all computers. Just to recap, what I want to do is have some computers use the VPN and some computers not use the VPN for WAN. I want to be able to remotely get into all computers from a remote location using the non-VPN IP (so coming in from the WAN side/ISP IP), and have all computers locally see each other.
Any help is great. I just don't even know what to research to help me.
phil.davis
Here is one possibility - I do something along similar principles at one site.
a) Give all your clients DHCP from pfSense, allocate static mappings for the clients so you know who is which IP.
b) Make an alias for the IP addresses that you want to use the DD-WRT router OpenVPN path - let's call it DDWRTclients
c) Add a gateway on LAN - address of DD-WRT router - let's call it DDWRTgateway
d) Add a firewall rule on LAN - Source = DDWRTclients, Port = any, Destination = any, Port = any, Gateway = DDWRTgateway
e) Turn on manual outbound NAT, add a mapping Source = DDWRTclients, Port = any, Destination = any, Port = any, NAT Address = LAN Address
f) Turn off DHCP server on DD-WRT
The DDWRTclients will send their packets to pfSense. pfSense will route them across to the DD-WRT router, and will NAT them on the way back across your LAN to the DD-WRT. As far as the DD-WRT knows, the packets have a source IP of the pfSense LAN address. When the replies come back, the DD-WRT will send the replies back to the pfSense, the pfSense will unNAT them and deliver them to the correct DDWRTclient. (The NAT bit ensures that pfSense sees the packets in both directions - and thus maintains its state table nicely for those flows)
Now you can port forward ports from pfSense WAN to whatever DDWRTclient systems you like. When external connections are established from pfSense WAN into a DDWRTclient, pfSense should know about those as established flows. It won't try to NAT the responses back through the DD-WRT router - it should send them across pfSense WAN, where the connection originated.
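As an added example (not from the thread and not pfSense's generated ruleset), here is roughly how steps b) through e) and the WAN port forward look in pf.conf terms; interface names, addresses and the forwarded port are assumed placeholders.

```pf
# Added example: pf.conf fragment mirroring steps b) to e) above.
# Not from the thread or pfSense's own generated rules; the interface
# names, addresses and port below are constructed placeholders.
lan_if   = "igb1"              # pfSense LAN interface (assumed)
wan_if   = "igb0"              # pfSense WAN interface (assumed)
wan_gw   = "203.0.113.1"       # ISP gateway on WAN (assumed, TEST-NET-3)
lan_addr = "192.168.1.1"       # pfSense LAN address (assumed)
ddwrt_gw = "192.168.1.2"       # DD-WRT LAN address from step c) (assumed)

# b) alias of the hosts that should take the OpenVPN path via DD-WRT.
#    Keep it to the static DHCP mappings from step a) so only the
#    intended hosts are policy routed.
table <DDWRTclients> { 192.168.1.50, 192.168.1.51 }

# e) manual outbound NAT: when pfSense hands a DDWRTclient packet back
#    across the LAN to the DD-WRT, rewrite the source to the pfSense LAN
#    address so replies return through pfSense and match its state table.
nat on $lan_if from <DDWRTclients> to any -> $lan_addr

# d) policy route: DDWRTclients' traffic goes to the DD-WRT gateway
#    instead of the default route out WAN; other LAN hosts are unaffected.
pass in quick on $lan_if route-to ($lan_if $ddwrt_gw) \
    from <DDWRTclients> to any keep state

# Port forward from WAN into one DDWRTclient (SSH used as the example).
# reply-to keeps the return traffic on WAN as the answer describes;
# pfSense normally adds reply-to to WAN rules by itself.
rdr on $wan_if proto tcp from any to ($wan_if) port 22 -> 192.168.1.50
pass in quick on $wan_if reply-to ($wan_if $wan_gw) proto tcp \
    from any to 192.168.1.50 port 22 keep state
```

In the pfSense GUI these correspond to the Aliases, Firewall Rules (LAN, with Gateway set), Outbound NAT and Port Forward pages; the fragment is only meant to show what those pages produce, not to be pasted into pfSense.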