Netgate Discussion Forum
    pfSense OpenVPN Servers (Shared Key) to multiple dd-wrt clients

    toyotahead

      This is all in a test environment before putting it into the field…

      pfSense is 2.2.5
      All OpenVPNs are configured with peer-to-peer shared key
      Firewall rules on the WAN are allowing the multiple ports of each OpenVPN server
      The pfSense firewall OpenVPN tab has a default allow-all rule
      All OpenVPNs report "Initialization Sequence Completed"

      dd-wrt v24
      Script-based setup, based on this topic --> https://forum.pfsense.org/index.php?topic=56458.0

      dd-wrt firewall script:

      # Open firewall holes

      # Forward traffic between the tunnel and the LAN bridge in both directions
      iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
      iptables -I FORWARD -i br0 -o tun0 -j ACCEPT

      # Accept the inbound OpenVPN port, then management traffic arriving over the tunnel
      iptables -I INPUT 2 -p udp --dport 5511 -j ACCEPT
      iptables -I INPUT 1 -i tun0 -p icmp -j ACCEPT
      iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
      iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j ACCEPT
      iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT
      iptables -I INPUT 1 -i tun0 -p udp --dport 161 -j ACCEPT

      pfSense LAN IP 10.100.51.0/24
      remote network 10.11.53.0/24
      openvpn network 10.254.254.4/30

      This is my pfsense routing table:
      IPv4
      Destination Gateway Flags Use Mtu Netif Expire
      default 192.168.51.1 UGS 9636 1500 sk0
      10.11.53.0/24 10.254.254.6 UGS 3138 1500 ovpns2
      10.12.53.0/24 10.254.254.10 UGS 0 1500 ovpns3
      10.13.53.0/24 10.254.254.14 UGS 0 1500 ovpns4
      10.14.53.0/24 10.254.254.18 UGS 0 1500 ovpns5
      10.15.53.0/24 10.254.254.22 UGS 0 1500 ovpns6
      10.100.50.0/24 link#8 U 80688 1500 sk3
      10.100.50.1 link#8 UHS 178 16384 lo0
      10.100.51.0/24 link#1 U 0 1500 msk0
      10.100.51.1 link#1 UHS 0 16384 lo0
      10.100.52.0/24 link#2 U 0 1500 msk1
      10.100.52.1 link#2 UHS 0 16384 lo0
      10.100.53.0/24 link#3 U 0 1500 msk2
      10.100.53.1 link#3 UHS 0 16384 lo0
      10.100.54.0/24 link#4 U 0 1500 msk3
      10.100.54.1 link#4 UHS 0 16384 lo0
      10.254.254.1 link#13 UHS 0 16384 lo0
      10.254.254.2 link#13 UH 0 1500 ovpns1
      10.254.254.5 link#14 UHS 0 16384 lo0
      10.254.254.6 link#14 UH 0 1500 ovpns2
      10.254.254.9 link#15 UHS 0 16384 lo0
      10.254.254.10 link#15 UH 0 1500 ovpns3
      10.254.254.13 link#16 UHS 0 16384 lo0
      10.254.254.14 link#16 UH 0 1500 ovpns4
      10.254.254.17 link#17 UHS 0 16384 lo0
      10.254.254.18 link#17 UH 0 1500 ovpns5
      10.254.254.21 link#18 UHS 0 16384 lo0
      10.254.254.22 link#18 UH 0 1500 ovpns6
      127.0.0.1 link#11 UH 602592 16384 lo0
      192.168.51.0/24 link#5 U 13153 1500 sk0
      192.168.51.106 link#5 UHS 0 16384 lo0

      This is my dd-wrt remote site routing table:
      Destination LAN NET Subnet Mask Gateway Flags Metric Interface
      0.0.0.0 0.0.0.0 192.168.51.1 UG 0 WAN
      10.10.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
      10.11.53.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
      10.12.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
      10.13.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
      10.14.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
      10.15.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
      10.100.51.0 255.255.255.0 10.254.254.5 UG 0 tun0
      10.254.254.4 255.255.255.252 0.0.0.0 U 0 tun0
      169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
      192.168.51.0 255.255.255.0 0.0.0.0 U 0 WAN

      Now this is where I believe there is a problem…
      -From a device on the remote site I can ping my pfSense LAN IP. Good.
      -From a device on my pfSense LAN, say 10.100.51.10, I cannot ping remote IP 10.11.53.1
      -If I SSH into the pfSense box I can ping remote IP 10.11.53.1

      I am at a loss: with the firewalls on either end set to allow traffic flow, and the routing tables on both ends correct, why can only the pfSense machine route traffic to the remote site, and not all equipment on the pfSense LAN? Is anyone able to shed some light on this? I am losing hair at an absurd rate on this one.

      -I've only quoted one client site.
      -All clients are behaving in the same manner as described.
      -This is set up as a hub-and-spoke type topology.

      Thanks in advance.

        toyotahead

        Forgot to mention: the LAN firewall on the pfSense box also has a default allow-all rule.

        I am thinking this is a routing issue on the pfSense box, because I can ping and access remote network services when I am SSH'd into the pfSense box. It's just that clients attached to the pfSense LAN are unable to get packets forwarded to the remote site.

        Anyone have any thoughts?

          cmb

          Likely the routing is wrong/missing on the DDWRT side. The routes are correct there, when you ping from the firewall itself it uses the tun IP, and DDWRT tends to be screwy with its routes. Given all that, almost certainly missing/wrong routes on DDWRT. Otherwise it's blocking the traffic from the LAN subnet on DDWRT.

            toyotahead

            @cmb:

            Likely the routing is wrong/missing on the DDWRT side. The routes are correct there, when you ping from the firewall itself it uses the tun IP, and DDWRT tends to be screwy with its routes. Given all that, almost certainly missing/wrong routes on DDWRT. Otherwise it's blocking the traffic from the LAN subnet on DDWRT.

            When you say "the routes are correct there", are you referring to the routes located on pfSense, or on the dd-wrt routers?

            I supplied the routing table for both pfSense and a dd-wrt remote client. I am fairly new to routing tables. Is there anything obviously wrong?

            And if I am reading your reply correctly, I am getting the gist that dd-wrt is something to stay away from… is that correct?

            Thanks for your help!!!

              cmb

              DDWRT is ok, it can just be a pain in routing traffic correctly across site to site VPNs. It seems to always want to NAT things in that context.

              I didn't notice the DDWRT routing table. That looks correct as well. The iptables rule should allow pings through.

              Run a constant ping from the pfSense LAN to the DDWRT LAN. Go to Diag>Packet Capture, pick the OpenVPN interface, and start the capture. Let it run for a handful of seconds and stop it. If you see the pings leaving there, that'll confirm the issue's on the DDWRT side.

              The only thing that'd prevent traffic from LAN getting routed across in that config is if you have a gateway specified on your LAN firewall rule(s), that'll force traffic to that gateway.

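To check what cmb concludes by eye (both tables are right for this path), here is an added example, not from the thread, that parses the pfSense `netstat`-style table and the DD-WRT table posted above (reduced to the relevant entries, constructed inline), does a longest-prefix lookup for the forward hop of 10.100.51.10 -> 10.11.53.1 on pfSense and the return hop on DD-WRT, and reports whether both legs use the tunnel. If this passes while the ping still fails, routing is not the culprit and the remaining suspects are the ones named in the thread: NAT or filtering on the DD-WRT side, or a gateway set on the pfSense LAN rule.

```python
import ipaddress

# Constructed from the thread's posted tables: pfSense (BSD netstat format)
# and DD-WRT, trimmed to the entries that matter for this one site.
PFSENSE_ROUTES = """\
default 192.168.51.1 UGS 9636 1500 sk0
10.11.53.0/24 10.254.254.6 UGS 3138 1500 ovpns2
10.100.51.0/24 link#1 U 0 1500 msk0
10.254.254.6 link#14 UH 0 1500 ovpns2
"""

DDWRT_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.51.1 UG 0 WAN
10.11.53.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
10.100.51.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.254.254.4 255.255.255.252 0.0.0.0 U 0 tun0
"""

def parse_bsd(text):
    """BSD netstat rows: 'dest[/len] gateway flags use mtu netif'. link# = directly attached."""
    table = []
    for line in text.splitlines():
        dest, gw, _flags, _use, _mtu, netif = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        table.append((net, None if gw.startswith("link#") else gw, netif))
    return table

def parse_ddwrt(text):
    """DD-WRT rows: 'dest mask gateway flags metric iface'; iface may contain spaces."""
    table = []
    for line in text.splitlines():
        dest, mask, gw, _flags, _metric, *iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, None if gw == "0.0.0.0" else gw, " ".join(iface)))
    return table

def lookup(table, dst):
    """Longest-prefix match for dst; returns (gateway or None if on-link, interface)."""
    addr = ipaddress.ip_address(dst)
    best = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1], best[2]

def check_path(src, dst):
    """Forward hop on pfSense for src->dst and return hop on DD-WRT for dst->src."""
    fwd = lookup(parse_bsd(PFSENSE_ROUTES), dst)
    back = lookup(parse_ddwrt(DDWRT_ROUTES), src)
    # Both legs must traverse the tunnel for a LAN-to-LAN ping to get a reply.
    return {"forward": fwd, "return": back,
            "symmetric": fwd[1].startswith("ovpns") and back[1] == "tun0"}

if __name__ == "__main__":
    print(check_path("10.100.51.10", "10.11.53.1"))
```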
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.