Netgate Discussion Forum

    OpenVPN tunnel between OpenWrt and pfSense

    OpenVPN
    5 Posts 2 Posters 9.0k Views

    • cgu29

      Hi,

      I have established a tunnel between a TP-LINK WR1043ND and a pfSense (2.0.3) VM and it works fine:

      192.168.4.0/24 <--> WR1043 <-- 192.168.29.4/30 --> pfSense <-- 10.1.3.0/24 -->
                            |                               |
                           WAN                             WAN

      all packets from 192.168.4.0/24 to 10.1.3.0/24 go through the tunnel
      all packets from 192.168.4.0/24 to the internet go to the internet via the WAN interface of the WR1043
      pfSense is connected to the internet
      all packets from 10.1.3.0/24 to the internet go through the pfSense WAN interface (NATed)

      OpenVPN config on the WR1043:

      more /etc/openvpn/client.cfg

      # static-key (peer-to-peer) client on OpenWrt
      dev tun0
      dev-type tun
      writepid /var/run/openvpn_client1.pid
      script-security 3
      daemon
      # send a ping every 10 s, restart the tunnel after 60 s of silence
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      # do not bind a fixed local port
      nobind
      remote xxx.xxx.xxx.xxx 1195
      # local tunnel address, then the pfSense end of the 192.168.29.4/30 tunnel network
      ifconfig 192.168.29.6 192.168.29.5
      # pfSense LAN, reached through the tunnel
      route 10.1.3.0 255.255.255.0
      secret /etc/openvpn/client.key
      verb 4
      status /var/log/openvpn-client.log

      more /etc/firewall.user

      # Allow OpenVPN forwarding between the tunnel and the LAN bridge
      iptables -A forwarding_rule -i tun+ -o br-lan -j ACCEPT
      iptables -A forwarding_rule -i br-lan -o tun+ -j ACCEPT

      # Allow traffic to and from the router itself over the tunnel
      iptables -A input_rule -i tun+ -j ACCEPT
      iptables -A output_rule -o tun+ -j ACCEPT

      netstat -rn

      Kernel IP routing table
      Destination     Gateway         Genmask          Flags  MSS Window  irtt Iface
      0.0.0.0         yy.yy.yy.yy     0.0.0.0          UG       0 0          0 eth0.2
      yy.yy.yy.yy     0.0.0.0         255.255.255.0    U        0 0          0 eth0.2
      10.1.3.0        192.168.29.5    255.255.255.0    UG       0 0          0 tun0
      192.168.4.0     0.0.0.0         255.255.255.0    U        0 0          0 br-lan
      192.168.29.5    0.0.0.0         255.255.255.255  UH       0 0          0 tun0

      OpenVPN server side (pfSense 2.0.3)

      peer to peer (shared key)
      protocol UDP
      device mode TUN
      interface WAN
      port 1195
      tunnel network : 192.168.29.4/30
      local network : 10.1.3.0/24
      remote network : 192.168.4.0/24

      NAT outbound : automatic outbound mode

      Now my need is to route all traffic through the VPN tunnel:

      I'd like to force all packets from 192.168.4.0 to go through the tunnel and reach the internet via pfSense.
      As a first step, I chose to limit the destination subnets. For example, to reach aaa.aaa.aaa.aaa I added in client.cfg:
      route aaa.aaa.aaa.aaa 255.255.255.0

      I can ping aaa.aaa.aaa.aaa from the WR1043 (logged in via SSH)
      but I can't ping from inside the LAN subnet 192.168.4.0

      I don't know where the issue is: pfSense NAT? OpenVPN config? iptables config on OpenWrt?

      Could someone help me to resolve my problem?

      Thanks a lot

      Claude

      • keysers0ze

        Edit /etc/openvpn/client.cfg (should it be /etc/config/openvpn?)

        Anyway..

        Add the line 'redirect-gateway def1'

        It can't be added via LuCI -> use the CLI
        Restart the OpenVPN service.. or reboot

        br.
        .k

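        Why 'redirect-gateway def1' works without touching the existing default route is easiest to see with a longest-prefix-match lookup over the two routing tables the thread prints. The block below is an added example, not code from the thread or from OpenWrt/OpenVPN: it models the before and after tables, with the masked OpenVPN server address replaced by a documentation-range placeholder (203.0.113.10, an assumption) and the WAN gateway taken from the later post.

```python
import ipaddress

# Added example (not from the thread): longest-prefix-match over the OpenWrt
# routing tables before and after "redirect-gateway def1".
# SERVER_PUBLIC stands in for the masked XX.XX.XX.XX (assumption).
SERVER_PUBLIC = "203.0.113.10"
WAN_GATEWAY = "10.0.44.252"
TUN_PEER = "192.168.29.5"

# (prefix, gateway or None when directly connected, interface)
BEFORE = [
    ("0.0.0.0/0", WAN_GATEWAY, "eth0.2"),
    ("10.0.44.0/24", None, "eth0.2"),
    ("10.1.3.0/24", TUN_PEER, "tun0"),
    ("192.168.4.0/24", None, "br-lan"),
    (TUN_PEER + "/32", None, "tun0"),
]

AFTER = [
    ("0.0.0.0/1", TUN_PEER, "tun0"),                  # def1: 0.0.0.0 - 127.255.255.255
    ("0.0.0.0/0", WAN_GATEWAY, "eth0.2"),             # original default, left in place
    ("10.0.44.0/24", None, "eth0.2"),
    (SERVER_PUBLIC + "/32", WAN_GATEWAY, "eth0.2"),   # keeps the tunnel itself on the WAN
    ("128.0.0.0/1", TUN_PEER, "tun0"),                # def1: 128.0.0.0 - 255.255.255.255
    ("192.168.4.0/24", None, "br-lan"),
    (TUN_PEER + "/32", None, "tun0"),
]


def lookup(table, destination):
    """Return (gateway, interface) of the most specific route matching destination."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]


def egress_interface(table, destination):
    """Interface a packet to destination leaves on."""
    return lookup(table, destination)[1]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.1.1", "10.1.3.20", SERVER_PUBLIC, "192.168.4.10"):
        print(f"{dst:>15}: before -> {egress_interface(BEFORE, dst)}, "
              f"after -> {egress_interface(AFTER, dst)}")
```

        The two /1 routes are each one bit more specific than the /0 default, so every internet destination now prefers tun0, while the /32 host route for the OpenVPN server keeps the encapsulated UDP packets on eth0.2 (otherwise they would be routed into the tunnel they carry). This is the client-side half only; the pfSense side still has to translate the remote LAN's source addresses, which is what the later posts resolve.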
        • cgu29

          Thanks for your help,

          I modified the client side /etc/openvpn/client.cfg and rebooted.
          Now from my OpenWrt router I can ping and all is reachable,
          but from my laptop it doesn't work. Routes are OK but I can't ping the tunnel network address 192.168.29.5 (server side).

          Routes on the TP-Link:
          Before

          netstat -rn

          Kernel IP routing table
          Destination     Gateway         Genmask          Flags  MSS Window  irtt Iface
          0.0.0.0         10.0.44.252     0.0.0.0          UG       0 0          0 eth0.2
          10.0.44.0       0.0.0.0         255.255.255.0    U        0 0          0 eth0.2
          10.1.3.0        192.168.29.5    255.255.255.0    UG       0 0          0 tun0
          192.168.4.0     0.0.0.0         255.255.255.0    U        0 0          0 br-lan
          192.168.29.5    0.0.0.0         255.255.255.255  UH       0 0          0 tun0

          After

          netstat -rn

          Kernel IP routing table
          Destination     Gateway         Genmask          Flags  MSS Window  irtt Iface
          0.0.0.0         192.168.29.5    128.0.0.0        UG       0 0          0 tun0
          0.0.0.0         10.0.44.252     0.0.0.0          UG       0 0          0 eth0.2
          10.0.44.0       0.0.0.0         255.255.255.0    U        0 0          0 eth0.2
          XX.XX.XX.XX     10.0.44.252     255.255.255.255  UGH      0 0          0 eth0.2
          128.0.0.0       192.168.29.5    128.0.0.0        UG       0 0          0 tun0
          192.168.4.0     0.0.0.0         255.255.255.0    U        0 0          0 br-lan
          192.168.29.5    0.0.0.0         255.255.255.255  UH       0 0          0 tun0

          • cgu29

            It's solved.

            The problem came from the NAT rules on the pfSense server.

            I had to enable manual NAT and add a mapping between the remote LAN and the NATed IP (pfSense WAN interface).

            Hope it helps.

            Now time to quit and go to the pub (in France)

            • keysers0ze

              Hi, good to hear you got it working… I was struggling with the same thing a couple of months ago....

              • I think your problem was in routes (if OpenWrt didn't route your request back from pfSense when pinging from behind OpenWrt to pfSense)

              • Did you set the remote LAN 192.168.4/24 (OpenVPN settings "route 192.168.4/24")? (What does the pfSense routing table show? Does it know the 192.168.4/24 network?)

              • Did you use peer-to-peer or remote access?

              • Set pfSense "Manual outbound NAT" -> WAN interface, NAT all outbound traffic to its public interface IP. (That's the way I always do it: 1 NAT in the network, everything else is fully routed between routers..)

              • Make sure DNS requests also go through the tunnel (DNS queries coming from OpenWrt / OpenWrt-connected networks (LAN))..

              • If you use your own DNS resolver (at the endpoint pfSense) you need to set OpenWrt to allow DNS queries coming from the private network (from pfSense).

              br.
              .k

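              The fix in the two posts above (switch pfSense to manual outbound NAT and add a mapping for the remote LAN) can be checked with a small model of how an outbound NAT rule set picks a translation. This is an added example, not code from the thread or from pfSense: the rule lists follow what the posters describe (automatic mode only covers networks attached to pfSense itself), the WAN address is a documentation-range placeholder (203.0.113.10, an assumption), and the functions are illustrative helpers, not pfSense's own logic.

```python
import ipaddress

# Added example (not from the thread): outbound NAT rule selection on the
# pfSense side. WAN_IP is an assumed placeholder for the masked WAN address.
WAN_IP = "203.0.113.10"
PFSENSE_LAN = "10.1.3.0/24"
REMOTE_LAN = "192.168.4.0/24"   # the OpenWrt LAN arriving over the tunnel

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Automatic outbound NAT, as described in the thread: only locally attached
# networks get a source-NAT rule, so the remote LAN has none.
AUTO_RULES = [(PFSENSE_LAN, WAN_IP)]

# Manual outbound NAT with the mapping the poster added for the remote LAN.
MANUAL_RULES = [(PFSENSE_LAN, WAN_IP), (REMOTE_LAN, WAN_IP)]


def translated_source(rules, src):
    """Source address a packet carries when it leaves the WAN: the translation
    of the first matching rule (rules are evaluated top-down), or the original
    address when no rule matches."""
    addr = ipaddress.ip_address(src)
    for source_net, nat_addr in rules:
        if addr in ipaddress.ip_network(source_net):
            return nat_addr
    return src


def reply_can_return(leaving_src):
    """A reply to an RFC 1918 source address is not routable back over the internet."""
    addr = ipaddress.ip_address(leaving_src)
    return not any(addr in net for net in RFC1918)


def unnatted_sources(rules, internal_nets):
    """Internal networks whose traffic would leave the WAN untranslated."""
    leaking = []
    for net in internal_nets:
        probe = str(ipaddress.ip_network(net)[1])   # first usable host as a sample source
        if translated_source(rules, probe) == probe:
            leaking.append(net)
    return leaking


if __name__ == "__main__":
    for name, rules in (("automatic", AUTO_RULES), ("manual", MANUAL_RULES)):
        src = "192.168.4.10"    # a laptop behind the OpenWrt router
        out = translated_source(rules, src)
        print(f"{name:>9}: {src} -> {out}, reply returns: {reply_can_return(out)}")
        print(f"{name:>9}: untranslated networks = {unnatted_sources(rules, [PFSENSE_LAN, REMOTE_LAN])}")
```

              Under the automatic rule set the laptop's packet is forwarded to the internet with its 192.168.4.x source intact, so nothing can answer it even though routing on both ends is correct, which matches the symptom of the router itself working while LAN hosts do not. The same check is worth running against any other network you route over the tunnel (for example the tunnel network itself) before assuming a routing problem.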
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.