Site to Site with pfSense

killmasta93
DD-WRT User


Joined: 13 Feb 2015
Posts: 110

PostPosted: Sun Mar 19, 2017 0:07    Post subject: Site to Site with pfSense
Hi, I was wondering if someone has successfully accomplished site to site with pfSense running the OpenVPN server and DDWRT (R7000 Kongac) as the client. I was looking around many guides, and most of them show DDWRT running the server. This is what I got so far, see pictures.

The idea is I need Site A (pfSense server) to ping Site B (DDWRT client), because on Site B I have a NAS which needs to be able to ping one of the servers which is in Site A.

Thank you

_________________
Tutorials:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=280622&highlight=
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 5993

PostPosted: Sun Mar 19, 2017 4:06    Post subject:
pfSense will have to meet the same requirements of every other OpenVPN server platform when it comes to site-to-site configuration. And that requirement includes two things; a) pushing the local IP network behind the OpenVPN server to the OpenVPN client and b) (this is the one everyone misses) adding an iroute (that's not a typo, it begins w/ an "i") to a file named the same as the CN (common name) on the client cert, and placed in the CCD directory.

https://community.openvpn.net/openvpn/wiki/RoutedLans

I know how to set this up w/ a dd-wrt router, but not using pfSense. But without these additions, site-to-site is not going to work.
killmasta93
DD-WRT User


Joined: 13 Feb 2015
Posts: 110

PostPosted: Mon Mar 20, 2017 1:12    Post subject:
Thanks for the reply. So I ended up changing a bit of everything; I was looking around and found on the pfSense forums a person who did a script:

http://pastebin.com/nzCkm5dL

Then add these rules to the firewall on DDWRT

iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Then on pfSense I see it gets connected, which is great:

http://imgur.com/a/hwSTn

but I cannot ping from pfSense to DDWRT or vice versa, yet the status shows this: http://imgur.com/FB4DoqW

and I changed my pfSense config:

http://imgur.com/0b8znzB

Thank you again

_________________
Tutorials:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=280622&highlight=
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 5993

PostPosted: Mon Mar 20, 2017 2:29    Post subject:
You seem to have missed my points entirely.

That script is for the OpenVPN client. There's no advantage in using that script over using the GUI on dd-wrt. And it does nothing to solve the problem of bidirectional access. And you don't need any additional firewall rules on the OpenVPN client of the GUI. It automatically generates all the firewall rules it needs. Adding your own only increases the likelihood of breaking something.

The fundamental problem here is NOT the OpenVPN client. It's the OpenVPN server. In order to have bidirectional access (which means having clients on the local IP network behind the OpenVPN server be able to initiate connections to devices on the local IP network behind the OpenVPN client), you have to a) push the local IP network of the OpenVPN server to the OpenVPN client in the OpenVPN server's config, and b) you have to add an iroute command to a file by the same CN (common name) as the OpenVPN client's cert and place that file in the CCD directory used by the OpenVPN server.

https://community.openvpn.net/openvpn/wiki/RoutedLans

If you don't do those two things, bidirectional access is not possible.

If you were using dd-wrt, I could tell you exactly how to do this. But you're using pfSense. And I have no familiarity w/ that software or its GUI. I looked at your images but could not find any place to create a CCD directory, how you could add an iroute command to a file and place it in the CCD directory, etc. That's just something you're going to need to work out w/ pfSense experts, perhaps on their own forum. It has nothing to do w/ dd-wrt.
killmasta93
DD-WRT User


Joined: 13 Feb 2015
Posts: 110

PostPosted: Mon Mar 20, 2017 22:07    Post subject:
Thank you for the reply; you were completely right, it was an issue with the CA cert on pfSense. Right now everything seems to be connected correctly. What's odd is that the Nighthawk DDWRT can ping pfSense, but pfSense cannot ping DDWRT. Might that be something with iptables, or does it have something to do with pfSense also?

Thank you

_________________
Tutorials:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=280622&highlight=
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 5993

PostPosted: Tue Mar 21, 2017 5:09    Post subject:
You don't have your listening ears on. For the third time, you have to add a static route for the OpenVPN client's local IP network to the OpenVPN server config, *and* use iroute to inform the OpenVPN server that that static route is associated w/ that OpenVPN client. You *must* address this issue before devices on the OpenVPN server side can initiate connections to devices on the OpenVPN client side.

https://community.openvpn.net/openvpn/wiki/RoutedLans

I don't know how many times it will take before this finally sinks in.
killmasta93
DD-WRT User


Joined: 13 Feb 2015
Posts: 110

PostPosted: Sat Mar 25, 2017 22:05    Post subject:
So I'm sorry for being so ignorant, as I was stuck on this for a while, but I finally solved the issue while reading how OpenVPN works.

OpenVPN uses this table:

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]

Meaning, if my config on the OpenVPN server is ifconfig 192.168.90.1 192.168.90.2,

then I needed to give my client an override for this: the client gets 192.168.90.5 and the gateway is 192.168.90.6.




ifconfig-push 192.168.90.5 192.168.90.6
iroute 192.168.1.0 255.255.255.0

Felt so silly after one week.

Now pfSense can ping DDWRT, so in the end it was not a DDWRT issue.

Hope this helps someone else

and thank you again

_________________
Tutorials:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=280622&highlight=
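Worked example, added here and not part of any post in the thread: a Python helper that builds the two server-side pieces eibgrad keeps pointing at (a push of the server LAN plus a route for the client LAN in the server config, and a CCD file named after the client cert's CN carrying iroute) and derives the client's ifconfig-push pair from the net30 table in the last post. The tunnel 192.168.90.0/24 and the client LAN 192.168.1.0/24 are from the thread; the server LAN 10.0.0.0/24, the CN "r7000" and the file names are assumptions.

```python
import ipaddress

def net30_pair(index):
    """Host offsets (client, gateway) of the index-th /30 in OpenVPN's net30
    table: [1,2] is the server itself, [5,6] the first client, [9,10] the next."""
    if index < 1:
        raise ValueError("index 0 is the server's own pair (ifconfig .1 .2)")
    client = 4 * index + 1
    return client, client + 1

def is_net30_pair(client_ip, gw_ip):
    """True if the two addresses form a valid net30 client/gateway pair
    (client offset is 4k+1 and the gateway is client+1)."""
    c, g = ipaddress.ip_address(client_ip), ipaddress.ip_address(gw_ip)
    return int(c) % 4 == 1 and int(g) == int(c) + 1

def site_to_site_config(server_lan, client_lan, tunnel_net, client_cn, index):
    """Return {filename: contents} for the server side of a routed site-to-site
    setup: server.conf gets a kernel route for the client LAN and a push of the
    server LAN; ccd/<CN> gets iroute (tells OpenVPN which client owns that LAN)
    and a net30-valid ifconfig-push."""
    srv = ipaddress.ip_network(server_lan)
    cli = ipaddress.ip_network(client_lan)
    tun = ipaddress.ip_network(tunnel_net)
    if srv.overlaps(cli) or srv.overlaps(tun) or cli.overlaps(tun):
        raise ValueError("LAN and tunnel subnets must not overlap")
    c_off, g_off = net30_pair(index)
    client_ip = tun.network_address + c_off
    gw_ip = tun.network_address + g_off
    if gw_ip not in tun:
        raise ValueError("client index does not fit in the tunnel subnet")
    server_conf = [
        f"server {tun.network_address} {tun.netmask}",
        "client-config-dir ccd",                        # directory holding ccd/<CN>
        f'push "route {srv.network_address} {srv.netmask}"',  # (a) server LAN -> client
        f"route {cli.network_address} {cli.netmask}",   # kernel route to client LAN
    ]
    ccd = [
        f"ifconfig-push {client_ip} {gw_ip}",
        f"iroute {cli.network_address} {cli.netmask}",  # (b) bind client LAN to this CN
    ]
    return {"server.conf": "\n".join(server_conf), f"ccd/{client_cn}": "\n".join(ccd)}

if __name__ == "__main__":
    # Constructed input: tunnel and client LAN from the thread, the rest assumed.
    files = site_to_site_config("10.0.0.0/24", "192.168.1.0/24",
                                "192.168.90.0/24", "r7000", 1)
    for name, body in files.items():
        print(f"# {name}\n{body}\n")
```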