Site to Site OpenVPN with DDWRT and pfSense

Ninopi
OpenVpn Newbie
Posts: 7
Joined: Sun May 14, 2017 6:47 pm

Site to Site OpenVPN with DDWRT and pfSense

Post by Ninopi » Sun May 14, 2017 7:26 pm

Hello everyone,

My OpenVPN config doesn't work and soon I'm going to go crazy.
I hope somebody can help me and save me before that.

So, for a couple of weeks I have wanted to build a site-to-site VPN. On the server site I have a DD-WRT router behind a FritzBox. The DD-WRT router represents the server. On the remote site we have a pfSense as the OpenVPN client behind a Telekom hybrid router (for everybody who doesn't know that, it's a router which improves a bad DSL connection with LTE).

On the IP layer the network looks like this:

192.168.12.1 255.255.255.0 (DDWRT Router, OpenVPN-Server)
172.16.2.0 255.255.255.0 (VPN Server Network)
---> in front of that
192.168.178.1 255.255.255.0 (Fritzbox Network, Gateway)
---> WAN -->
192.168.1.0 255.255.255.0 (Telekom Hybrid Router - Remote Gateway)
---> behind that
192.168.2.0 255.255.255.0 (pfSense Network, OpenVPN Client)

After the handshake is done and the connection is established, you can see the VPN server got 172.16.2.1 and the remote site (client) got 172.16.2.6. Shouldn't the server get the IP 172.16.2.1 and the client the IP 172.16.2.2 and other clients .3 and so on?
How can I get this to work?

And my other problem is, from the pfSense site I can ping the server and have access to the network behind it. But I can't access the remote network from the server site. Which parameters do I need for that in the server or client config?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by TinCanTech » Sun May 14, 2017 8:26 pm

Ninopi wrote: After the handshake is done and the connection is established
Good 8-)
Ninopi wrote: Shouldn't the server get the IP 172.16.2.1 and the client the IP 172.16.2.2 and other clients .3 and so on?
See --topology in The Manual v24x
Ninopi wrote: But I can't access the remote network from the server site. Which parameters do I need for that in the server
See: HOWTO: Expanding the scope of the VPN to include additional machines
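
The two pointers in the reply above (`--topology` and the HOWTO's routing section) can be checked mechanically. The script below is an added example, not part of any post in this thread: the config text is a constructed sample built from the subnets in the first post, the function names are hypothetical, and it assumes OpenVPN 2.4, where `net30` is the default topology.

```python
import ipaddress

# Constructed sample using the subnets from the first post (not the poster's real files).
SERVER_CONF = """\
topology subnet
server 172.16.2.0 255.255.255.0
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.12.0 255.255.255.0"
"""
CCD_PFSENSE = "iroute 192.168.2.0 255.255.255.0\n"  # file ccd/<client common name>

def directives(text):
    """Yield (name, args) for each config line, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', " ").split()
            yield parts[0], parts[1:]

def nets(text, name, prefix=()):
    """Collect networks named by directive `name`; prefix=("route",) reads push "route ..."."""
    found = set()
    for key, args in directives(text):
        if key == name and tuple(args[:len(prefix)]) == prefix:
            addr, mask = args[len(prefix):len(prefix) + 2]
            found.add(ipaddress.ip_network(f"{addr}/{mask}"))
    return found

def check_site_to_site(server_conf, ccd_conf, client_lan, server_lan):
    """Return the list of settings missing for LAN-to-LAN reachability."""
    client_lan = ipaddress.ip_network(client_lan)
    server_lan = ipaddress.ip_network(server_lan)
    problems = []
    topo = [a[0] for k, a in directives(server_conf) if k == "topology" and a]
    if topo[-1:] != ["subnet"]:
        # Assumption: OpenVPN 2.4, where an unset topology means net30.
        problems.append("topology subnet not set: net30 gives clients /30 pairs (.6, .10, ...)")
    if client_lan not in nets(server_conf, "route"):
        problems.append(f"server config lacks a kernel route for {client_lan}")
    if client_lan not in nets(ccd_conf, "iroute"):
        problems.append(f"ccd file lacks an iroute for {client_lan}")
    if server_lan not in nets(server_conf, "push", ("route",)):
        problems.append(f"server does not push a route for {server_lan}")
    return problems

if __name__ == "__main__":
    print(check_site_to_site(SERVER_CONF, CCD_PFSENSE, "192.168.2.0/24", "192.168.12.0/24"))
```

An empty list only means the OpenVPN side is complete; hosts on each LAN still need a return route via their OpenVPN box (or must use it as default gateway), and firewall rules on both ends must pass the traffic.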

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by Ninopi » Thu May 18, 2017 11:08 am

Thanks for your reply and the advice.
I did it like in your links and it almost works.
I can ping from server to client back and forth.
After I edited the firewall configs of the hosts behind the server I can ping them from the client.
Now comes the but: I can't ping the hosts behind the client, despite the configured firewall rules of the hosts.
Do I have to edit anything else on the pfSense to make that work?
I assume that when I can ping the client with the LAN IP, I can ping all other hosts in the network too.

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by TinCanTech » Thu May 18, 2017 11:11 am

Ninopi wrote: I assume that when I can ping the client with the LAN IP, I can ping all other hosts in the network too.
Incorrect, all those other machines need a route to the vpn server, which you have to add yourself.

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by Ninopi » Thu May 18, 2017 11:35 am

Okay, can I add these routes in the existing OpenVPN configs in some way or do I have to add the routes on any host manually?

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by TinCanTech » Thu May 18, 2017 12:02 pm

How can OpenVPN add routes to machines which are not running OpenVPN?

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by Ninopi » Thu May 18, 2017 12:19 pm

Not at all, but I did it like in this post here: http://openvpn.net/index.php/open-sourc ... html#scope.
Routes and CCD-settings are configured in the server configs.

And I thought, when I'm done with this, every network knows every other network. Some video tutorials I saw do it the same way and they can connect machines behind any networks without additional configs?
Perhaps I'm wrong, then please tell me what my next steps are.

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by TinCanTech » Thu May 18, 2017 12:22 pm

TinCanTech wrote:
Ninopi wrote: I assume that when I can ping the client with the LAN IP, I can ping all other hosts in the network too.
Incorrect, all those other machines [behind the client] need a route to the vpn server, which you have to add yourself.

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by Ninopi » Thu May 18, 2017 12:55 pm

That means, if it's a Windows machine, I add this route via the "add route command" in the cmd?

Re: Site to Site OpenVPN with DDWRT and pfSense

Post by Ninopi » Thu May 18, 2017 4:36 pm

Update: Problem solved. It was an ICMP rule in the pfSense firewall. There was a gateway set and this blocked the ping requests.
