Help: VPN site -to -site and Pfsense as a client
-
Hi,
I am trying to figure this out and cannot solve this problem. I setup a OpenVPN server on a raspberry pi and wanted to create a site to site connect to the pi in order to expose the LE container so I can access my unraid server. Unfortunately, I was able to establish both connections but I cannot ping the from the LE container (10.0.0.50) to the other network (192.168.2.0/24) but from the pi network 192.168.2.10 I can ping all devices connected to pfSense. What did I miss on my settings or what I plan is not feasible to do?
/etc/openvpn/server.conf:
dev tun proto udp4 port 1194 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server_ZQqVCj5u3D4xo8Ck.crt key /etc/openvpn/easy-rsa/pki/private/server_ZQqVCj5u3D4xo8Ck.key dh none topology subnet server 10.8.0.0 255.255.255.0 # Set your primary domain name server address for clients ### Route Configurations Below route 192.168.2.0 255.255.255.0 route 10.0.0.0 255.255.255.0 client-config-dir /etc/openvpn/client # ### Push Configurations Below push "route 192.168.2.0 255.255.255.0" push "dhcp-option DNS 10.8.0.1" #push "dhcp-option DNS 1.1.1.1" #push "dhcp-option DNS 9.9.9.9" # Prevent DNS leaks on Windows push "block-outside-dns" # misc compress lz4-v2 tun-mtu 1500 mssfix 1460 # Override the Client default gateway by using 0.0.0.0/1 and # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of # overriding but not wiping out the original default gateway. push "redirect-gateway def1 bypass-dhcp" client-to-client keepalive 10 60 remote-cert-tls client tls-version-min 1.2 tls-crypt /etc/openvpn/easy-rsa/pki/ta.key cipher AES-256-GCM auth SHA256 user nobody group nogroup persist-key persist-tun crl-verify /etc/openvpn/crl.pem status /var/log/openvpn-status.log 20 status-version 3 syslog
/etc/openvpn/client/vpn1:
push "route 192.168.2.0 255.255.255.0 10.8.0.1" ifconfig-push 10.8.0.2 255.255.255.0 iroute 10.0.0.0 255.255.255.0
Pi Firewall:
pi@piserver:~ $ sudo iptables -vnL Chain INPUT (policy ACCEPT 843 packets, 105K bytes) pkts bytes target prot opt in out source destination 22419 1967K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 15877 1470K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 15877 1470K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 15877 1470K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 148K 4170K ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun0 * 10.8.0.0/24 10.0.0.0/24 0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 795 packets, 71455 bytes) pkts bytes target prot opt in out source destination 148K 4170K ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0 Chain f2b-sshd (4 references) pkts bytes target prot opt in out source destination 21 1628 REJECT all -- * * 202.162.221.158 0.0.0.0/0 reject-with icmp-port-unreachable 22 1724 REJECT all -- * * 23.248.139.66 0.0.0.0/0 reject-with icmp-port-unreachable 63508 5878K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
pFsense firewall:
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.