PfSense OpenVPN Servers (Shared Key) to multiple dd-wrt clients



  • This is all in a test environment before putting it into the field…

    pfSense is 2.2.5
    All OpenVPNs are configured with peer-to-peer shared key
    Firewall rules on the WAN are allowing the multiple ports of each openvpn server
    pfSense firewall OpenVPN tab has a default allow all rule
    All OpenVPNs show "Initialization Sequence Completed"

    dd-wrt v24
    script based setup based on this topic --> https://forum.pfsense.org/index.php?topic=56458.0

    dd-wrt firewall script:

    Open firewall holes

    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT

    iptables -I INPUT 2 -p udp --dport 5511 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p icmp -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT
    iptables -I INPUT 1 -i tun0 -p udp --dport 161 -j ACCEPT

    pfSense LAN IP 10.100.51.0/24
    remote network 10.11.53.0/24
    openvpn network 10.254.254.4/30

    This is my pfsense routing table:
    IPv4
    Destination Gateway Flags Use Mtu Netif Expire
    default 192.168.51.1 UGS 9636 1500 sk0
    10.11.53.0/24 10.254.254.6 UGS 3138 1500 ovpns2
    10.12.53.0/24 10.254.254.10 UGS 0 1500 ovpns3
    10.13.53.0/24 10.254.254.14 UGS 0 1500 ovpns4
    10.14.53.0/24 10.254.254.18 UGS 0 1500 ovpns5
    10.15.53.0/24 10.254.254.22 UGS 0 1500 ovpns6
    10.100.50.0/24 link#8 U 80688 1500 sk3
    10.100.50.1 link#8 UHS 178 16384 lo0
    10.100.51.0/24 link#1 U 0 1500 msk0
    10.100.51.1 link#1 UHS 0 16384 lo0
    10.100.52.0/24 link#2 U 0 1500 msk1
    10.100.52.1 link#2 UHS 0 16384 lo0
    10.100.53.0/24 link#3 U 0 1500 msk2
    10.100.53.1 link#3 UHS 0 16384 lo0
    10.100.54.0/24 link#4 U 0 1500 msk3
    10.100.54.1 link#4 UHS 0 16384 lo0
    10.254.254.1 link#13 UHS 0 16384 lo0
    10.254.254.2 link#13 UH 0 1500 ovpns1
    10.254.254.5 link#14 UHS 0 16384 lo0
    10.254.254.6 link#14 UH 0 1500 ovpns2
    10.254.254.9 link#15 UHS 0 16384 lo0
    10.254.254.10 link#15 UH 0 1500 ovpns3
    10.254.254.13 link#16 UHS 0 16384 lo0
    10.254.254.14 link#16 UH 0 1500 ovpns4
    10.254.254.17 link#17 UHS 0 16384 lo0
    10.254.254.18 link#17 UH 0 1500 ovpns5
    10.254.254.21 link#18 UHS 0 16384 lo0
    10.254.254.22 link#18 UH 0 1500 ovpns6
    127.0.0.1 link#11 UH 602592 16384 lo0
    192.168.51.0/24 link#5 U 13153 1500 sk0
    192.168.51.106 link#5 UHS 0 16384 lo0

    This is my dd-wrt remote site routing table:
    Destination LAN NET Subnet Mask Gateway Flags Metric Interface
    0.0.0.0 0.0.0.0 192.168.51.1 UG 0 WAN
    10.10.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
    10.11.53.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
    10.12.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
    10.13.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
    10.14.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
    10.15.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
    10.100.51.0 255.255.255.0 10.254.254.5 UG 0 tun0
    10.254.254.4 255.255.255.252 0.0.0.0 U 0 tun0
    169.254.0.0 255.255.0.0 0.0.0.0 U 0 LAN & WLAN
    192.168.51.0 255.255.255.0 0.0.0.0 U 0 WAN

    Now this is where I believe there is a problem…
    -From a device on the remote site I can ping my pfsense lan ip. good
    -From a device on my pfsense lan say 10.100.51.10 I can not ping remote ip 10.11.53.1
    -If I SSH into the pfsense box I can ping remote ip 10.11.53.1

    I am at a loss, with the firewalls on either end set to allow traffic flow and the routing tables on both ends correct, as to why only the pfSense machine can route traffic to the remote site and not all equipment on the pfSense LAN. Is anyone able to shed some light on this? I am losing hair at an absurd rate on this one.

    -I've only quoted as per 1 client site.
    -All clients are behaving in the same manner as described.
    -This is set up as a hub and spoke type topology

    Thanks in advance.
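    The two routing tables quoted above can be checked mechanically. The following is an added example, not code from this thread or from pfSense/dd-wrt: it parses constructed excerpts of both table formats (the FreeBSD netstat layout from pfSense and the dd-wrt status page layout), does a longest-prefix lookup for a LAN host on each side, and reports whether the hub routes the spoke LAN into an ovpns interface and the spoke routes the hub LAN back through tun0. The excerpts embedded below are trimmed copies of the tables in this post; the function names are the example's own.

```python
"""Hub-and-spoke route consistency check for a pfSense hub and a dd-wrt spoke.

Added example; not code from the forum thread or from pfSense/dd-wrt.
"""
import ipaddress

# Constructed excerpt of the pfSense routing table quoted in the post.
PFSENSE_ROUTES = """\
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.51.1 UGS 9636 1500 sk0
10.11.53.0/24 10.254.254.6 UGS 3138 1500 ovpns2
10.12.53.0/24 10.254.254.10 UGS 0 1500 ovpns3
10.100.51.0/24 link#1 U 0 1500 msk0
10.254.254.5 link#14 UHS 0 16384 lo0
10.254.254.6 link#14 UH 0 1500 ovpns2
"""

# Constructed excerpt of the dd-wrt routing table quoted in the post.
DDWRT_ROUTES = """\
Destination LAN NET Subnet Mask Gateway Flags Metric Interface
0.0.0.0 0.0.0.0 192.168.51.1 UG 0 WAN
10.11.53.0 255.255.255.0 0.0.0.0 U 0 LAN & WLAN
10.12.53.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.100.51.0 255.255.255.0 10.254.254.5 UG 0 tun0
10.254.254.4 255.255.255.252 0.0.0.0 U 0 tun0
"""


def parse_pfsense(text):
    """Return [(network, gateway, interface)] from a FreeBSD/pfSense netstat table."""
    routes = []
    for line in text.splitlines()[1:]:          # first line is the column header
        dest, gw, _flags, _use, _mtu, netif = line.split()[:6]
        if dest == "default":
            dest = "0.0.0.0/0"
        # Host routes (no prefix) become /32 automatically.
        routes.append((ipaddress.ip_network(dest, strict=False), gw, netif))
    return routes


def parse_ddwrt(text):
    """Return [(network, gateway, interface)] from the dd-wrt routing-table page."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        dest, mask, gw, _flags, _metric = fields[:5]
        iface = " ".join(fields[5:])            # names like "LAN & WLAN" contain spaces
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the (network, gateway, interface) used for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def check_path(hub_routes, spoke_routes, hub_lan_host, spoke_lan_host):
    """List routing problems for traffic hub_lan_host -> spoke_lan_host and back.

    An empty list means both directions are routed through the tunnel, so a
    remaining failure is filtering or NAT rather than a missing route.
    """
    outbound = lookup(hub_routes, spoke_lan_host)
    inbound = lookup(spoke_routes, hub_lan_host)
    problems = []
    if outbound is None or not outbound[2].startswith("ovpns"):
        problems.append(f"hub does not route {spoke_lan_host} into a tunnel: {outbound}")
    if inbound is None or inbound[2] != "tun0":
        problems.append(f"spoke does not route {hub_lan_host} back via tun0: {inbound}")
    return problems


if __name__ == "__main__":
    hub = parse_pfsense(PFSENSE_ROUTES)
    spoke = parse_ddwrt(DDWRT_ROUTES)
    for problem in check_path(hub, spoke, "10.100.51.10", "10.11.53.1") or ["routes look correct both ways"]:
        print(problem)
```

    Run against the tables in the post, the check comes back clean for 10.100.51.10 to 10.11.53.1 in both directions, which is what the later reply in this thread also concludes by inspection. Dropping the 10.100.51.0 line from the dd-wrt table makes the check flag the return path, which is the shape of failure a missing spoke route would produce.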



  • Forgot to mention the firewall on the pfsense box, lan, also has a default allow all rule.

    I am thinking this is a routing issue on the pfSense box because I can ping and access remote network services when I am SSH'd into the pfsense box. It's just a matter of clients attached to the pfSense lan are unable to get packets forwarded to the remote site.

    Anyone have any thoughts?



  • Likely the routing is wrong/missing on the DDWRT side. The routes are correct there, when you ping from the firewall itself it uses the tun IP, and DDWRT tends to be screwy with its routes. Given all that, almost certainly missing/wrong routes on DDWRT. Otherwise it's blocking the traffic from the LAN subnet on DDWRT.



  • @cmb:

    Likely the routing is wrong/missing on the DDWRT side. The routes are correct there, when you ping from the firewall itself it uses the tun IP, and DDWRT tends to be screwy with its routes. Given all that, almost certainly missing/wrong routes on DDWRT. Otherwise it's blocking the traffic from the LAN subnet on DDWRT.

    When you say "the routes are correct there", are you referring to the routes located on pfsense, or the dd-wrt routers?

    I supplied the routing table for both pfsense, and a dd-wrt remote client. I am fairly new to routing tables. Is there anything obviously wrong?

    And if I am reading your reply correctly, I am getting the gist that dd-wrt is something to stay away from… is that correct?

    Thanks for your help!!!



  • DDWRT is ok, it can just be a pain in routing traffic correctly across site to site VPNs. It seems to always want to NAT things in that context.

    I didn't notice the DDWRT routing table. That looks correct as well. The iptables rule should allow pings through.

    Run a constant ping from the pfSense LAN to the DDWRT LAN. Go to Diag>Packet Capture, pick the OpenVPN interface, and start the capture. Let it run for a handful of seconds and stop it. If you see the pings leaving there, that'll confirm the issue's on the DDWRT side.

    The only thing that'd prevent traffic from LAN getting routed across in that config is if you have a gateway specified on your LAN firewall rule(s), that'll force traffic to that gateway.
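    The capture step in the reply above yields tcpdump-style lines, and the decision it drives (did the LAN's pings leave through the OpenVPN interface, and did replies come back) can be scripted. The following is an added example, not code from the thread or from pfSense: it parses constructed sample capture lines in tcpdump's ICMP format for the ping described above, matches echo requests from the LAN host against echo replies from the remote host, and returns which side to look at next. The host addresses are the ones from this thread; the sample lines and function names are constructed.

```python
"""Classify a pfSense OpenVPN-interface packet capture taken during a LAN-to-remote ping.

Added example; not code from the forum thread or from pfSense.
"""
import re

# Constructed sample: requests leave via the tunnel, nothing comes back.
SAMPLE_NO_REPLIES = """\
10:15:01.104233 IP 10.100.51.10 > 10.11.53.1: ICMP echo request, id 4711, seq 1, length 64
10:15:02.105871 IP 10.100.51.10 > 10.11.53.1: ICMP echo request, id 4711, seq 2, length 64
"""

# Constructed sample: both directions present, ping works end to end.
SAMPLE_OK = """\
10:15:01.104233 IP 10.100.51.10 > 10.11.53.1: ICMP echo request, id 4711, seq 1, length 64
10:15:01.131002 IP 10.11.53.1 > 10.100.51.10: ICMP echo reply, id 4711, seq 1, length 64
10:15:02.105871 IP 10.100.51.10 > 10.11.53.1: ICMP echo request, id 4711, seq 2, length 64
10:15:02.133415 IP 10.11.53.1 > 10.100.51.10: ICMP echo reply, id 4711, seq 2, length 64
"""

ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (src, dst, kind, seq) for each ICMP echo line; other lines are ignored."""
    for line in text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["seq"])


def diagnose(capture, lan_host, remote_host):
    """Return (code, detail, requests_seen, replies_seen) for a ping lan_host -> remote_host.

    code is one of:
      "pfsense-side"  no requests reached the OpenVPN interface at all
      "ddwrt-side"    requests left through the tunnel but no replies returned
      "partial-loss"  some sequence numbers were answered, some were not
      "ok"            every request seen was answered
    """
    packets = list(parse_icmp(capture))
    sent = {seq for s, d, k, seq in packets if (s, d, k) == (lan_host, remote_host, "request")}
    answered = {seq for s, d, k, seq in packets if (s, d, k) == (remote_host, lan_host, "reply")}

    if not sent:
        code, detail = "pfsense-side", (
            "no echo requests on the OpenVPN interface: pfSense is not forwarding LAN "
            "traffic into the tunnel (check the LAN firewall rule for a gateway setting)")
    elif not answered:
        code, detail = "ddwrt-side", (
            "requests leave through the tunnel but no replies return: check routes, "
            "NAT and iptables on the dd-wrt router")
    elif sent - answered:
        code, detail = "partial-loss", f"unanswered sequence numbers: {sorted(sent - answered)}"
    else:
        code, detail = "ok", "every request was answered; ping works end to end"
    return code, detail, len(sent), len(answered)


if __name__ == "__main__":
    for sample in (SAMPLE_NO_REPLIES, SAMPLE_OK):
        code, detail, n_req, n_rep = diagnose(sample, "10.100.51.10", "10.11.53.1")
        print(f"{code}: {detail} ({n_req} requests, {n_rep} replies)")
```

    The first sample is the outcome the reply above says would confirm a dd-wrt-side problem; an empty capture is the case where the LAN rule's gateway setting should be examined on pfSense.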

