Posted: Sun Mar 19, 2017 0:07 Post subject: Site to Site with pfSense
Hi, I was wondering if someone has successfully accomplished site-to-site with pfSense running the OpenVPN server and DD-WRT (R7000 Kong) as the client. I was looking around at many guides, but most of them show DD-WRT running the server. This is what I got so far, see pictures.
The idea is I need Site A (pfSense server) to ping Site B (DD-WRT client), because on Site B I have a NAS which needs to be able to ping one of the servers in Site A.
pfSense will have to meet the same requirements as every other OpenVPN server platform when it comes to site-to-site configuration. That requirement includes two things: a) pushing the local IP network behind the OpenVPN server to the OpenVPN client, and b) (this is the one everyone misses) adding an iroute (that's not a typo, it begins w/ an "i") to a file named the same as the CN (common name) on the client cert, and placed in the CCD directory.
That script is for the OpenVPN client. There's no advantage in using that script over using the GUI on dd-wrt. And it does nothing to solve the problem of bidirectional access. And you don't need any additional firewall rules on the OpenVPN client in the GUI. It automatically generates all the firewall rules it needs. Adding your own only increases the likelihood of breaking something.
The fundamental problem here is NOT the OpenVPN client. It's the OpenVPN server. In order to have bidirectional access (which means having clients on the local IP network behind the OpenVPN server be able to initiate connections to devices on the local IP network behind the OpenVPN client), you have to a) push the local IP network of the OpenVPN server to the OpenVPN client in the OpenVPN server's config, and b) you have to add an iroute command to a file by the same CN (common name) as the OpenVPN client's cert and place that file in the CCD directory used by the OpenVPN server.
If you don't do those two things, bidirectional access is not possible.
If you were using dd-wrt, I could tell you exactly how to do this. But you're using pfSense. And I have no familiarity w/ that software or its GUI. I looked at your images but could not find any place to create a CCD directory, how you could add an iroute command to a file and place it in the CCD directory, etc. That's just something you're going to need to work out w/ pfSense experts, perhaps on their own forum. It has nothing to do w/ dd-wrt.
Thank you for the reply; you were completely right, it was an issue with the CA cert on pfSense. Right now everything seems to be connected correctly. What's odd is that the Nighthawk DD-WRT can ping pfSense, but pfSense cannot ping DD-WRT. Might that be something with iptables, or does it have to do with pfSense as well?
You don't have your listening ears on. For the third time, you have to add a static route for the OpenVPN client's local IP network to the OpenVPN server config, *and* use iroute to inform the OpenVPN server that that static route is associated w/ that OpenVPN client. You *must* address this issue before devices on the OpenVPN server side can initiate connections to devices on the OpenVPN client side.
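The two server-side requirements repeated in this thread (push the server LAN to the client; route plus iroute for the client LAN via a CCD file named after the client's CN), written out as an OpenVPN configuration. This is an added example, not config from the thread or from pfSense; the subnets, tunnel range, CN and paths are constructed placeholders.

```conf
# ---- OpenVPN server config (Site A, the pfSense side) ----
# Constructed example values:
#   Site A LAN (behind server):  192.168.1.0/24
#   Site B LAN (behind client):  192.168.2.0/24
#   tunnel network:              10.8.0.0/24
#   client certificate CN:       siteB-r7000   (assumed)
dev tun
server 10.8.0.0 255.255.255.0

# (a) Push the server-side LAN to the client so Site B knows to send
#     192.168.1.0/24 into the tunnel.
push "route 192.168.1.0 255.255.255.0"

# (b) Static route on the server for the client-side LAN. This only adds a
#     kernel route pointing at the tun interface; OpenVPN still does not know
#     WHICH connected client owns that subnet.
route 192.168.2.0 255.255.255.0

# Directory of per-client files; the file name must equal the client cert CN.
client-config-dir /etc/openvpn/ccd

# ---- /etc/openvpn/ccd/siteB-r7000  (one file, name == client CN) ----
# iroute = "internal route": binds 192.168.2.0/24 to this client's session so
# the server forwards packets for Site B to the right peer. This is the line
# that "everyone misses"; without it the kernel route above exists, but OpenVPN
# drops the traffic and logs lines such as
#   MULTI: bad source address from client [192.168.2.x], packet dropped
# which is the thing to look for in the server log when only one direction works.
iroute 192.168.2.0 255.255.255.0
```

In the pfSense GUI these correspond to the server's "IPv4 Remote Network(s)" field (the route) and a Client Specific Override for that CN with the same remote network (the iroute); the DD-WRT client needs no extra firewall rules.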