DD-WRT as OpenVPN client to pfSense - Site-to-Site help

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
View previous topic :: View next topic  
Author Message
robertut
DD-WRT User


Joined: 30 Mar 2009
Posts: 143
PostPosted: Thu Apr 12, 2012 15:38    Post subject: DD-WRT as OpenVPN client to pfSense - Site-to-Site help Reply with quote
Guys,

I've been struggling for weeks now to set up OpenVPN on DD-WRT as a client to a pfSense box, which also acts as an OpenVPN server.

On pfSense side all is well, OpenVPN is fully configured via web interface, keys auth etc. are well setup, tested working with a Windows client.

On DD-WRT side (Asus WL-500GP hardware with mega build 14929) I enabled JFFS, and copied openvpn client config file+keys there. I created a startup script in /jffs/etc/config/vpn.ipup, which restarts the OpenVPN client every time WAN IP address changes or box boots, etc.

The script currently has:

Quote:
#!/bin/sh
#echo "$(date) - wan restart detected, restarting vpn service" >>/jffs/wanrestart.log

iptables -D INPUT 1 -i tun0 -p tcp --dport 21 -j ACCEPT
iptables -D INPUT 1 -i tun0 -p tcp --dport 22 -j ACCEPT
iptables -D INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -D INPUT 3 -i tun0 -p icmp -j ACCEPT

iptables -D FORWARD -i br0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -j ACCEPT

killall robivpn
/tmp/robivpn --rmtun --dev tap0
rm /tmp/robivpn


sleep 3


ln -s /usr/sbin/openvpn /tmp/robivpn
/tmp/robivpn --mktun --dev tun0
ifconfig tun0 promisc
/tmp/robivpn --daemon --config /jffs/vpn/config.conf


iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 21 -j ACCEPT


OpenVPN client starts up fine with this script, it connects properly to the server. I can ping from the router the server side, I can ping any machine behind the pfSense box, on that LAN fine.

However I can't ping from any machine in the DD-WRT's own LAN through the tunnel. I don't want NAT, I'd like to achieve this via routing.

Also I can't ping from the OpenVPN server machine any leg of the tunnel, thus I can't ping the DD-WRT box's LAN or TAP IP address at all.

172.22.222.0/24 is the LAN side of the pfSense (OpenVPN server) box.
192.168.77.0/24 is the LAN side of the DD-WRT (OpenVPN client) box.
172.22.227.0/24 is the tunnel network

Any ideas please what other manual route commands (beside what OpenVPN adds by itself) should I enter in DD-WRT (using the startup script) in order to achieve the following?

What I need:
- have the DD-WRT box act as an OpenVPN client
- the network behind DD-WRT have internet access through the local WAN, as usually NATted
- the network behind DD-WRT have access to the network behind pfSense thorugh OpenVPN routed
- network behind pfSense have access to the network behind DD-WRT also routed.
Back to top View user's profile Send private message
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 16831
Location: Hesse/Germany
PostPosted: Thu Apr 12, 2012 15:43    Post subject: Reply with quote
read the openvpn faq...especially the routing part
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Its not that hard to throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
TP-Link (Atheros) debrick service in EU
Back to top View user's profile Send private message
robertut
DD-WRT User


Joined: 30 Mar 2009
Posts: 143
PostPosted: Thu Apr 12, 2012 15:54    Post subject: Reply with quote
Thanks, much help. Already did.
Back to top View user's profile Send private message
robertut
DD-WRT User


Joined: 30 Mar 2009
Posts: 143
PostPosted: Thu Apr 12, 2012 15:55    Post subject: Reply with quote
Here's the output of the ifconfig command on DD-WRT:
Code:
br0       Link encap:Ethernet  HWaddr 00:1B:FC:91:87:47
          inet addr:192.168.77.1  Bcast:192.168.77.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:632286 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703503 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:467196430 (445.5 MiB)  TX bytes:691403128 (659.3 MiB)

br0:0     Link encap:Ethernet  HWaddr 00:1B:FC:91:87:47
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:1B:FC:91:87:47
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2279205 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1323471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1622344080 (1.5 GiB)  TX bytes:1176138315 (1.0 GiB)
          Interrupt:4

eth2      Link encap:Ethernet  HWaddr 00:1B:FC:91:87:49
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:1280376
          TX packets:0 errors:41 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:2 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4081 (3.9 KiB)  TX bytes:4081 (3.9 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.22.227.6  P-t-P:172.22.227.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:336 (336.0 B)  TX bytes:396 (396.0 B)

vlan0     Link encap:Ethernet  HWaddr 00:1B:FC:91:87:47
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:624614 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703503 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:468794904 (447.0 MiB)  TX bytes:694217140 (662.0 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:1B:FC:91:87:48
          inet addr:10.0.12.41  Bcast:10.255.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1654479 errors:0 dropped:0 overruns:0 frame:0
          TX packets:619972 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1101853459 (1.0 GiB)  TX bytes:475794571 (453.7 MiB)


And here's the routing table in DD-WRT.
Back to top View user's profile Send private message
robertut
DD-WRT User


Joined: 30 Mar 2009
Posts: 143
PostPosted: Thu Apr 12, 2012 16:25    Post subject: Reply with quote
Doing a packet capture on pfSense I get
Quote:
18:55:47.788623 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 0, length 64
18:55:48.799097 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 1, length 64
18:55:49.809135 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 2, length 64
18:55:50.819116 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 3, length 64
18:55:51.829126 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 4, length 64
18:55:52.839152 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 5, length 64
18:55:53.849249 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 6, length 64
18:55:54.859172 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 7, length 64
18:55:55.869187 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 8, length 64


So I guess on pfSense things are fine.

Doing a tcpdump on the tap0 interface on DD-WRT side brings up nothing in the same time, so I can't understand what's happening.

The other way around as I said, I can ping from the DD-WRT to the server.
Back to top View user's profile Send private message
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 16831
Location: Hesse/Germany
PostPosted: Fri Apr 13, 2012 12:00    Post subject: Reply with quote
as i can see u have no clue of setting up ovpn.
u should read the wiki articles first the do the transfer work to pfsense

i bet its no routing problem...its much more basic
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Its not that hard to throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
TP-Link (Atheros) debrick service in EU
Back to top View user's profile Send private message
bskchaos
DD-WRT User


Joined: 07 Feb 2009
Posts: 185
PostPosted: Fri Apr 13, 2012 20:32    Post subject: Reply with quote
I've been able to achieve this using Untangle. 4 sites, rock solid.

Use google
Back to top View user's profile Send private message
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum