OpenWRT OpenVPN client config for pfsense Site-to-Site VPN

OpenWRT client config

This is the OpenVPN config I use for connecting an OpenWRT router to a pfsense firewall, providing connectivity between the two LANs.

nobind
persist-key
cipher AES-256-CBC
dev tun
ifconfig 10.22.51.2 10.22.51.1
keepalive 10 60
port 1194
proto udp4
compress
remote myid.myfritz.net
resolv-retry infinite
route 192.168.100.0 255.255.255.0
secret /dev/urandom
verb 5
auth SHA512
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
97aae54ce3e22128c0efba9043a6ba07
03dc5a68399a7e7f65ab6d7cdc390729
a1f72e665fe7cf300edccb1555df56ff
3d2386942c7b78cf1676c5734834ea18
2c2ba33523e3278a84efe168dd160fd4
3c0205a0335765b80881cfb915e9b3de
097a63ee5321a31540c51a628ab95d0e
4f40657351125526120a1a83ec8af043
3ddbb859a6c8e2d36797ba5a983dd223
5ecea38941b8af992492887e6d361ccc
a41f1a3993f2c24011b2a3026b71c82d
12d301cb346de19dcaa550886b5dd0c0
9b4d6bd0ca7415a42e4ffa10fe39659e
e9ad0ff1edcfa2d62c3e3db2834f0da5
fe8e4c332325a195c537551a6f1a0ff5
c5bd5d7b038c7a9df9c8d28cb33ef4b0
-----END OpenVPN Static key V1-----
</secret>

where:

  • 10.22.51.0/24 is the VPN transfer net (the IPv4 tunnel network in the pfsense), so 10.22.51.2 is the IP address of the OpenWRT client and 10.22.51.1 is the IP address of the pfsense (i.e. the OpenVPN server)
  • 1194 is the port to connect to (I use only UDP VPNs for most setups)
  • myid.myfritz.net is the domain name of the pfsense, which is (in this case) running behind a FritzBox router and uses the myfritz dynamic DNS service
  • the <secret> block holds the static key, which is the same key configured in the pfsense.

pfsense config

See pfsense-OpenWRT-OpenVPN-Config.pdf for the entire pfsense config.

The most important aspects are to:

  • Generate a new static key (DO NOT use my example key) and use the same key for both the pfsense server config and the OpenWRT config
  • Use the same port in both the OpenWRT client config and the pfsense server config
  • Set Compression to Disable Compression, retain compression packet framing [compress] (the client config has a bare compress directive with no compression algorithm, so the server must match it)
  • Set Server mode to Peer to Peer ( Shared Key )
  • Add appropriate firewall rules to enable access to the OpenVPN server (i.e. allow incoming traffic on WAN on port 1194 UDP if you’re using that port)
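A small consistency check for the client config against the points above, written in Python as an added example (not part of this README or of the OpenWRT/pfsense projects). The sample config, the hostname vpn.example.invalid and the all-dummy key are constructed; a real run would read the router's actual config file.

```python
import ipaddress
import re
# Constructed sample in the shape of the OpenWRT client config above: hypothetical
# hostname and an all-dummy key; a real check would read /etc/openvpn/<name>.conf.
CLIENT_CONF = """
ifconfig 10.22.51.2 10.22.51.1
port 1194
proto udp4
compress
remote vpn.example.invalid
<secret>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
""" + "\n".join(f"{i:032x}" for i in range(16)) + """
-----END OpenVPN Static key V1-----
</secret>
"""
# First line of the example key published in this README; it must never be deployed.
EXAMPLE_KEY_FIRST_LINE = "97aae54ce3e22128c0efba9043a6ba07"

def parse_conf(text):
    # Split an OpenVPN config into {directive: args} plus the inline static key lines.
    directives, key_lines, in_secret = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("<secret>", "</secret>"):
            in_secret = line == "<secret>"
        elif in_secret:
            if line and not line.startswith(("#", "-----")):
                key_lines.append(line)
        elif line and not line.startswith("#"):
            name, *args = line.split()
            directives[name] = args
    return directives, key_lines

def check_client_conf(text):
    # Return a list of problems; an empty list means the client config is consistent.
    d, key = parse_conf(text)
    problems = []
    # A V1 static key is 16 lines of 32 hex digits = 256 bytes = 2048 bits.
    if len(key) != 16 or not all(re.fullmatch(r"[0-9a-f]{32}", k) for k in key):
        problems.append("static key is not a 2048-bit OpenVPN V1 key")
    elif key[0] == EXAMPLE_KEY_FIRST_LINE:
        problems.append("static key is the published example key; generate a fresh one")
    # Both tunnel endpoints must sit in the same transfer net (10.22.51.0/24 here).
    args = d.get("ifconfig", [])
    if len(args) != 2 or (ipaddress.ip_network(args[0] + "/24", strict=False)
                          != ipaddress.ip_network(args[1] + "/24", strict=False)):
        problems.append("ifconfig local/remote addresses are not in one /24 transfer net")
    # Bare 'compress' matches pfsense's 'Disable Compression, retain compression packet framing'.
    if d.get("compress") != []:
        problems.append("compress must be present without an algorithm to match the pfsense setting")
    return problems
```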