robertut DD-WRT User Joined: 30 Mar 2009 Posts: 145
Posted: Thu Apr 12, 2012 15:38 Post subject: DD-WRT as OpenVPN client to pfSense - Site-to-Site help
Guys,
I've been struggling for weeks now to set up OpenVPN on DD-WRT as a client to a pfSense box, which also acts as an OpenVPN server.
On the pfSense side all is well: OpenVPN is fully configured via the web interface, keys, auth etc. are set up properly, and it is tested working with a Windows client.
On the DD-WRT side (Asus WL-500GP hardware with mega build 14929) I enabled JFFS and copied the OpenVPN client config file and keys there. I created a startup script in /jffs/etc/config/vpn.ipup, which restarts the OpenVPN client every time the WAN IP address changes, the box boots, etc.
The script currently has:
Code:
#!/bin/sh
# Runs whenever the WAN comes up: tear down the previous tunnel and its firewall
# rules, then restart the OpenVPN client and re-add the rules.
#echo "$(date) - wan restart detected, restarting vpn service" >>/jffs/wanrestart.log

# Remove the rules added on the previous run. iptables -D takes either a rule
# number or a rule specification, not both, so only the specification is given.
iptables -D INPUT -i tun0 -p tcp --dport 21 -j ACCEPT
iptables -D INPUT -i tun0 -p tcp --dport 22 -j ACCEPT
iptables -D INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -D INPUT -i tun0 -p icmp -j ACCEPT
iptables -D FORWARD -i br0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -j ACCEPT

# Stop the previous client. The symlink gives this instance its own process
# name, so killall does not touch any other openvpn process on the router.
killall robivpn
# Remove the tunnel device created below (tun0, matching the --mktun call).
/tmp/robivpn --rmtun --dev tun0
rm -f /tmp/robivpn
sleep 3
ln -s /usr/sbin/openvpn /tmp/robivpn
/tmp/robivpn --mktun --dev tun0
ifconfig tun0 promisc
/tmp/robivpn --daemon --config /jffs/vpn/config.conf

# Re-add the rules: forward between the LAN bridge and the tunnel, and allow
# ICMP and ftp/ssh/http to the router itself from the tunnel side.
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 21 -j ACCEPT
The OpenVPN client starts up fine with this script and connects properly to the server. From the router I can ping the server side, and I can ping any machine behind the pfSense box on that LAN fine.
However, I can't ping from any machine in the DD-WRT's own LAN through the tunnel. I don't want NAT; I'd like to achieve this via routing.
Also, I can't ping any leg of the tunnel from the OpenVPN server machine, thus I can't ping the DD-WRT box's LAN or TAP IP address at all.
172.22.222.0/24 is the LAN side of the pfSense (OpenVPN server) box.
192.168.77.0/24 is the LAN side of the DD-WRT (OpenVPN client) box.
172.22.227.0/24 is the tunnel network
Any ideas, please, what other manual route commands (besides what OpenVPN adds by itself) I should enter in DD-WRT (using the startup script) in order to achieve the following?
What I need:
- have the DD-WRT box act as an OpenVPN client
- the network behind DD-WRT have internet access through the local WAN, as usually NATted
- the network behind DD-WRT has access to the network behind pfSense through OpenVPN, routed
- the network behind pfSense has access to the network behind DD-WRT, also routed.
Sash DD-WRT Guru Joined: 20 Sep 2006 Posts: 17619 Location: Hesse/Germany
robertut DD-WRT User Joined: 30 Mar 2009 Posts: 145
Posted: Thu Apr 12, 2012 15:54 Post subject:
Thanks, much help. Already did.
robertut DD-WRT User Joined: 30 Mar 2009 Posts: 145
Posted: Thu Apr 12, 2012 15:55 Post subject:
Here's the output of the ifconfig command on DD-WRT:
Code:
br0 Link encap:Ethernet HWaddr 00:1B:FC:91:87:47
inet addr:192.168.77.1 Bcast:192.168.77.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:632286 errors:0 dropped:0 overruns:0 frame:0
TX packets:703503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:467196430 (445.5 MiB) TX bytes:691403128 (659.3 MiB)
br0:0 Link encap:Ethernet HWaddr 00:1B:FC:91:87:47
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr 00:1B:FC:91:87:47
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2279205 errors:0 dropped:0 overruns:0 frame:0
TX packets:1323471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1622344080 (1.5 GiB) TX bytes:1176138315 (1.0 GiB)
Interrupt:4
eth2 Link encap:Ethernet HWaddr 00:1B:FC:91:87:49
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:1280376
TX packets:0 errors:41 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:2 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4081 (3.9 KiB) TX bytes:4081 (3.9 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.22.227.6 P-t-P:172.22.227.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:336 (336.0 B) TX bytes:396 (396.0 B)
vlan0 Link encap:Ethernet HWaddr 00:1B:FC:91:87:47
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:624614 errors:0 dropped:0 overruns:0 frame:0
TX packets:703503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:468794904 (447.0 MiB) TX bytes:694217140 (662.0 MiB)
vlan1 Link encap:Ethernet HWaddr 00:1B:FC:91:87:48
inet addr:10.0.12.41 Bcast:10.255.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1654479 errors:0 dropped:0 overruns:0 frame:0
TX packets:619972 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1101853459 (1.0 GiB) TX bytes:475794571 (453.7 MiB)
And here's the routing table in DD-WRT.
robertut DD-WRT User Joined: 30 Mar 2009 Posts: 145
Posted: Thu Apr 12, 2012 16:25 Post subject:
Doing a packet capture on pfSense I get
Quote:
18:55:47.788623 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 0, length 64
18:55:48.799097 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 1, length 64
18:55:49.809135 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 2, length 64
18:55:50.819116 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 3, length 64
18:55:51.829126 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 4, length 64
18:55:52.839152 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 5, length 64
18:55:53.849249 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 6, length 64
18:55:54.859172 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 7, length 64
18:55:55.869187 IP 172.22.227.1 > 192.168.77.1: ICMP echo request, id 14779, seq 8, length 64
So I guess on pfSense things are fine.
Doing a tcpdump on the tap0 interface on the DD-WRT side brings up nothing at the same time, so I can't understand what's happening.
The other way around, as I said, I can ping the server from the DD-WRT.
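The following is an added example, not code from the thread, from pfSense or from DD-WRT. It models the three subnets named in the first post and checks the two layers a routed (no-NAT) site-to-site link needs in each direction: a kernel route on each router pointing the remote LAN into the tun device, and, on an OpenVPN server in multi-client mode (assumed here, which the /30 tun addresses in the ifconfig output are consistent with), OpenVPN's own client-subnet map, i.e. a `route` line in the server config plus an `iroute` line in the client's CCD file. With the kernel route present but no `iroute`, the server kernel emits packets into tun while the OpenVPN process has no client to hand them to, which is one configuration that would produce a capture like the one above; that reading is an assumption, not something the thread confirms. All config snippets and the `route -n` table are constructed; the CCD directory name and remote hostname are placeholders.

```python
"""Routed site-to-site OpenVPN checker (added example, constructed inputs).

Checks, for the thread's subnets, what is still missing for routed traffic in
both directions: kernel routes into the tun device, and on a multi-client
server the `route` + `iroute` pair that tells OpenVPN which client owns
192.168.77.0/24.
"""
import ipaddress

SERVER_LAN = ipaddress.ip_network("172.22.222.0/24")  # LAN behind pfSense (server)
CLIENT_LAN = ipaddress.ip_network("192.168.77.0/24")  # LAN behind DD-WRT (client)
TUNNEL_NET = ipaddress.ip_network("172.22.227.0/24")  # tunnel network


def parse_directives(text):
    """Split an OpenVPN config into (directive, args) pairs, dropping '#'/';' comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def route_subnets(directives, key):
    """Subnets named by `route` or `iroute` lines (address netmask form)."""
    return {_net(a[0], a[1]) for d, a in directives if d == key and len(a) >= 2}


def pushed_routes(directives):
    """Subnets the server pushes to clients via push "route a.b.c.d m.m.m.m"."""
    nets = set()
    for d, a in directives:
        inner = " ".join(a).strip('"').split()
        if d == "push" and len(inner) >= 3 and inner[0] == "route":
            nets.add(_net(inner[1], inner[2]))
    return nets


def check_site_to_site(server_conf, ccd_conf, client_conf):
    """Return the pieces still missing for routed traffic in both directions."""
    srv, ccd, cli = (parse_directives(t) for t in (server_conf, ccd_conf, client_conf))
    lan = f"{CLIENT_LAN.network_address} {CLIENT_LAN.netmask}"
    problems = []
    # pfSense LAN -> DD-WRT LAN: the server kernel needs a route into tun, and
    # OpenVPN in server mode needs an iroute to pick the client that owns the LAN.
    if CLIENT_LAN not in route_subnets(srv, "route"):
        problems.append(f"server config: missing 'route {lan}'")
    if CLIENT_LAN not in route_subnets(ccd, "iroute"):
        problems.append(f"client CCD file: missing 'iroute {lan}'")
    # DD-WRT LAN -> pfSense LAN: the client needs a route to the server LAN,
    # either pushed by the server or set in its own config.
    if SERVER_LAN not in route_subnets(cli, "route") | pushed_routes(srv):
        problems.append(f"client: no route to {SERVER_LAN} (push it or add 'route' locally)")
    return problems


def missing_kernel_routes(route_n_output, wanted):
    """Compare `route -n` text with {subnet: device}; return `route add` commands still needed."""
    present = set()
    for line in route_n_output.splitlines()[2:]:  # skip the two header lines
        f = line.split()
        if len(f) >= 8:
            present.add((_net(f[0], f[2]), f[7]))  # Destination, Genmask, Iface
    return [f"route add -net {n.network_address} netmask {n.netmask} dev {dev}"
            for n, dev in wanted.items() if (n, dev) not in present]


# Constructed sample configs; 'ccd' and the remote host are placeholders.
SERVER_CONF = """
dev tun
server 172.22.227.0 255.255.255.0
push "route 172.22.222.0 255.255.255.0"
client-config-dir ccd
"""
SERVER_CONF_FIXED = SERVER_CONF + "route 192.168.77.0 255.255.255.0\n"
CCD_EMPTY = ""
CCD_FIXED = "iroute 192.168.77.0 255.255.255.0\n"
CLIENT_CONF = """
client
dev tun
remote vpn.example.invalid 1194
"""
# Constructed DD-WRT `route -n` output: tun0 is up, but nothing points the
# server LAN into it yet (the WAN gateway address is made up).
DDWRT_ROUTE_N = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.22.227.5    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.77.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 vlan1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 vlan1
"""

if __name__ == "__main__":
    for p in check_site_to_site(SERVER_CONF, CCD_EMPTY, CLIENT_CONF):
        print("missing:", p)
    for cmd in missing_kernel_routes(DDWRT_ROUTE_N, {SERVER_LAN: "tun0"}):
        print("needed on DD-WRT:", cmd)
```

Run as-is, the checker reports the two server-side pieces missing for the pfSense-to-DD-WRT direction and the one kernel route DD-WRT still lacks for the other direction; with `SERVER_CONF_FIXED` and `CCD_FIXED` it reports nothing. The pushed route covers the client's kernel route once the tunnel is up, which is why the DD-WRT-to-server pings in the thread can work while the reverse direction does not.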
Sash DD-WRT Guru Joined: 20 Sep 2006 Posts: 17619 Location: Hesse/Germany
bskchaos DD-WRT User Joined: 07 Feb 2009 Posts: 198
Posted: Fri Apr 13, 2012 20:32 Post subject:
I've been able to achieve this using Untangle. 4 sites, rock solid.
Use google