OpenVPN tunnel between OpenWrt and pfSense



  • Hi,

    I have established a tunnel between a TP-LINK WR1043ND and a pfSense (2.0.3) VM and it works fine.

    192.168.4.0/24 <---> WR1043 <-- 192.168.29.4/30 --> pfSense <-- 10.1.3.0/24 -->
                           |                              |
                          WAN                            WAN

    All packets from 192.168.4.0/24 to 10.1.3.0/24 go through the tunnel.
    All packets from 192.168.4.0/24 to the internet go out via the WAN interface of the WR1043.
    pfSense is connected to the internet.
    All packets from 10.1.3.0/24 to the internet go through the pfSense WAN interface (NATed).

    OpenVPN config on the WR1043:

    more /etc/openvpn/client.cfg

    # Point-to-point tunnel in static (pre-shared) key mode: no TLS, no PKI
    dev tun0
    dev-type tun
    writepid /var/run/openvpn_client1.pid
    # Permit up/down scripts to run (none are defined in this file)
    script-security 3
    daemon
    # Ping the peer every 10 s; restart the tunnel after 60 s without a reply
    keepalive 10 60
    ping-timer-rem
    # Keep tun0 open and the key in memory across SIGUSR1 restarts
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    # Client side: no fixed local port
    nobind
    remote xxx.xxx.xxx.xxx 1195
    # Local and remote endpoints of the 192.168.29.4/30 tunnel network
    ifconfig 192.168.29.6 192.168.29.5
    # Reach the pfSense LAN through the tunnel
    route 10.1.3.0 255.255.255.0
    secret /etc/openvpn/client.key
    verb 4
    status /var/log/openvpn-client.log

    more /etc/firewall.user

    # Allow OpenVPN forwarding between the tunnel and the LAN bridge
    iptables -A forwarding_rule -i tun+ -o br-lan -j ACCEPT
    iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT

    # Allow traffic to and from the router itself over the tunnel
    iptables -A input_rule -i tun+ -j ACCEPT
    iptables -A output_rule -o tun+ -j ACCEPT

    netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
    0.0.0.0         yy.yy.yy.yy     0.0.0.0         UG      0 0          0 eth0.2
    yy.yy.yy.yy     0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
    10.1.3.0        192.168.29.5    255.255.255.0   UG      0 0          0 tun0
    192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
    192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0

    OpenVPN server side (pfSense 2.0.3):

    server mode: peer to peer (shared key)
    protocol: UDP
    device mode: TUN
    interface: WAN
    port: 1195
    tunnel network: 192.168.29.4/30
    local network: 10.1.3.0/24
    remote network: 192.168.4.0/24

    Outbound NAT: automatic outbound NAT mode

    Now I need to route all traffic through the VPN tunnel:

    I'd like to force all packets from 192.168.4.0 to go through the tunnel and reach the internet via pfSense.
    To begin with, I chose to limit the destination subnets. For example, to reach aaa.aaa.aaa.aaa I added in client.cfg:
    route aaa.aaa.aaa.aaa 255.255.255.0

    I can ping aaa.aaa.aaa.aaa from the WR1043 (logged in over SSH),
    but I can't ping it from inside the LAN subnet 192.168.4.0.

    I don't know where the issue is: pfSense NAT? OpenVPN config? iptables config on OpenWrt?

    Could someone help me resolve my problem?

    Thanks a lot

    Claude



  • Edit /etc/openvpn/client.cfg (or should it be /etc/config/openvpn?)

    Anyway...

    Add the line 'redirect-gateway def1'

    It can't be added via LuCI -> use the CLI.
    Restart the openvpn service... or reboot.

    br.
    .k




  • Thanks for your help,

    I modified the client side /etc/openvpn/client.cfg and rebooted.
    Now from my OpenWrt router I can ping and everything is reachable,
    but from my laptop it doesn't work. Routes are OK but I can't ping the tunnel network address 192.168.29.5 (server side).

    Routes on the TP-Link:
    Before

    netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
    0.0.0.0         10.0.44.252     0.0.0.0         UG      0 0          0 eth0.2
    10.0.44.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
    10.1.3.0        192.168.29.5    255.255.255.0   UG      0 0          0 tun0
    192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
    192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0

    After

    netstat -rn

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
    0.0.0.0         192.168.29.5    128.0.0.0       UG      0 0          0 tun0
    0.0.0.0         10.0.44.252     0.0.0.0         UG      0 0          0 eth0.2
    10.0.44.0       0.0.0.0         255.255.255.0   U       0 0          0 eth0.2
    XX.XX.XX.XX     10.0.44.252     255.255.255.255 UGH     0 0          0 eth0.2
    128.0.0.0       192.168.29.5    128.0.0.0       UG      0 0          0 tun0
    192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 br-lan
    192.168.29.5    0.0.0.0         255.255.255.255 UH      0 0          0 tun0



  • It's solved.

    The problem came from the NAT rules on the pfSense server.

    I had to enable manual NAT and add a mapping between the remote LAN and the NATed IP (pfSense WAN interface).

    Hope it helps.

    Now time to quit and go to the pub (in France).
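    Added example (not code from any post in this thread): a small model of the two things the thread turns on, the OpenWrt kernel's longest-prefix-match lookup over the "After" routing table posted above (why the two /1 routes installed by `redirect-gateway def1` win over the untouched default route, while the host route keeps the UDP tunnel itself on eth0.2), and pfSense outbound NAT as a set of source networks that get translated on the WAN. The route entries are transcribed from the netstat output; the packet addresses, the two NAT rule sets and the 203.0.113.1 stand-in for the redacted XX.XX.XX.XX server address are constructed. That automatic outbound NAT covers only the local LAN 10.1.3.0/24 is an assumption chosen to match what the thread found (the remote LAN had to be added by hand in manual mode).

```python
"""Route lookup and outbound-NAT check for the OpenWrt <-> pfSense setup in this thread.

Added example, not code from any post. Route entries are transcribed from the
"After" netstat output; packet addresses, the two NAT rule sets and the
203.0.113.1 stand-in for the redacted VPN server address are constructed.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Assumed public address of the pfSense WAN (shown as XX.XX.XX.XX in the thread).
PFSENSE_WAN = IPv4("203.0.113.1")

# OpenWrt kernel routing table after `redirect-gateway def1`, as
# (destination, gateway or None if on-link, interface). The explicit 10.1.3.0/24
# route is absent from the pasted output; 0.0.0.0/1 covers it anyway.
OPENWRT_ROUTES = [
    (Net("0.0.0.0/1"),         IPv4("192.168.29.5"), "tun0"),    # added by def1
    (Net("0.0.0.0/0"),         IPv4("10.0.44.252"),  "eth0.2"),  # original default, untouched
    (Net("10.0.44.0/24"),      None,                 "eth0.2"),
    (Net(f"{PFSENSE_WAN}/32"), IPv4("10.0.44.252"),  "eth0.2"),  # keeps the UDP tunnel off tun0
    (Net("128.0.0.0/1"),       IPv4("192.168.29.5"), "tun0"),    # added by def1
    (Net("192.168.4.0/24"),    None,                 "br-lan"),
    (Net("192.168.29.5/32"),   None,                 "tun0"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (interface, gateway) for dst, as the kernel would."""
    dst = IPv4(dst)
    best = None
    for net, gw, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


# pfSense outbound NAT modelled as the source networks translated to the WAN
# address when a packet leaves the WAN interface. Assumption matching the thread:
# automatic mode covers only the local LAN; the OpenVPN remote LAN must be added
# by hand in manual mode.
AUTOMATIC_NAT = [Net("10.1.3.0/24")]
MANUAL_NAT = [Net("10.1.3.0/24"), Net("192.168.4.0/24")]

RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


def outbound_source(nat_sources, src):
    """Source address a packet carries after pfSense's WAN outbound NAT."""
    src = IPv4(src)
    return PFSENSE_WAN if any(src in n for n in nat_sources) else src


def trace_from_lan(src, dst, nat_sources):
    """Follow one packet from a host behind OpenWrt.

    Returns (exit_path, source_address_seen_by_dst)."""
    dev, _gw = lookup(OPENWRT_ROUTES, dst)
    if dev != "tun0":
        return dev, IPv4(src)  # leaves via OpenWrt's own WAN or LAN; not modelled further
    # Through the tunnel: pfSense forwards it out its WAN and applies outbound NAT.
    return "tun0->pfsense-wan", outbound_source(nat_sources, src)


def reply_can_return(source_seen):
    """An internet host cannot answer an RFC 1918 source address."""
    return not any(source_seen in n for n in RFC1918)


if __name__ == "__main__":
    for dst in ("8.8.8.8", str(PFSENSE_WAN), "192.168.4.20", "10.0.44.5"):
        print(f"{dst:>14} -> {lookup(OPENWRT_ROUTES, dst)}")
    for label, nat in (("automatic", AUTOMATIC_NAT), ("manual", MANUAL_NAT)):
        path, seen = trace_from_lan("192.168.4.10", "8.8.8.8", nat)
        print(f"{label:9s} {path:19s} src seen as {seen}, reply possible: {reply_can_return(seen)}")
```

    With the automatic rule set the laptop's packet reaches the internet through the tunnel but still carries 192.168.4.10 as its source, so nothing can answer it; with the manual mapping it leaves as the pfSense WAN address and the reply comes back. The lookup also shows the server's own address staying on eth0.2 through the /32 host route, which is what keeps the tunnel from trying to route itself through itself.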



  • Hi, good to hear you got it working... I was struggling with the same thing a couple of months ago....

    • I think your problem was in the routes (if OpenWrt didn't route your request back from pfSense when pinging from behind OpenWrt to pfSense).

    • Did you set the remote LAN 192.168.4/24 (OpenVPN setting "route 192.168.4/24")? What does the pfSense routing table show? Does it know the 192.168.4/24 network?

    • Did you use peer-to-peer or remote access?

    • Set pfSense to "Manual outbound NAT" -> the WAN interface NATs all outbound traffic to its public interface IP. (That's the way I always do it: 1 NAT in the network, everything else is fully routed between routers.)

    • Make sure DNS requests also go through the tunnel (DNS queries coming from OpenWrt / OpenWrt-connected networks (LAN)).

    • If you use your own DNS resolver (at the pfSense endpoint) you need to set OpenWrt to allow DNS queries coming from the private network (from pfSense).

    br.
    .k
