Help: VPN site-to-site and pfSense as a client



  • Hi,


    I am trying to figure this out and cannot solve this problem. I set up an OpenVPN server on a Raspberry Pi and wanted to create a site-to-site connection to the Pi in order to expose the LE container so I can access my unRAID server. Unfortunately, although I was able to establish both connections, I cannot ping from the LE container (10.0.0.50) to the other network (192.168.2.0/24), but from the Pi network (192.168.2.10) I can ping all devices connected to pfSense. What did I miss in my settings, or is what I plan not feasible?

    /etc/openvpn/server.conf:

    dev tun
    proto udp4
    port 1194
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server_ZQqVCj5u3D4xo8Ck.crt
    key /etc/openvpn/easy-rsa/pki/private/server_ZQqVCj5u3D4xo8Ck.key
    dh none
    topology subnet
    server 10.8.0.0 255.255.255.0
    # Set your primary domain name server address for clients
    ### Route Configurations Below
    route 192.168.2.0 255.255.255.0
    route 10.0.0.0 255.255.255.0
    client-config-dir /etc/openvpn/client
    #
    ### Push Configurations Below
    push "route 192.168.2.0 255.255.255.0"
    push "dhcp-option DNS 10.8.0.1"
    #push "dhcp-option DNS 1.1.1.1"
    #push "dhcp-option DNS 9.9.9.9"
    # Prevent DNS leaks on Windows
    push "block-outside-dns"
    # misc
    compress lz4-v2
    tun-mtu 1500
    mssfix 1460
    # Override the Client default gateway by using 0.0.0.0/1 and
    # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
    # overriding but not wiping out the original default gateway.
    push "redirect-gateway def1 bypass-dhcp"
    client-to-client
    keepalive 10 60
    remote-cert-tls client
    tls-version-min 1.2
    tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
    cipher AES-256-GCM
    auth SHA256
    user nobody
    group nogroup
    persist-key
    persist-tun
    crl-verify /etc/openvpn/crl.pem
    status /var/log/openvpn-status.log 20
    status-version 3
    syslog
    

    /etc/openvpn/client/vpn1:

    push "route 192.168.2.0 255.255.255.0 10.8.0.1"
    ifconfig-push 10.8.0.2 255.255.255.0
    iroute 10.0.0.0 255.255.255.0


    Pi Firewall:

    pi@piserver:~ $ sudo iptables -vnL
    Chain INPUT (policy ACCEPT 843 packets, 105K bytes)
     pkts bytes target     prot opt in     out     source               destination
    22419 1967K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    15877 1470K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    15877 1470K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    15877 1470K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
     148K 4170K ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  tun0   *       10.8.0.0/24          10.0.0.0/24
        0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 795 packets, 71455 bytes)
     pkts bytes target     prot opt in     out     source               destination
     148K 4170K ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    
    Chain f2b-sshd (4 references)
     pkts bytes target     prot opt in     out     source               destination
       21  1628 REJECT     all  --  *      *       202.162.221.158      0.0.0.0/0            reject-with icmp-port-unreachable
       22  1724 REJECT     all  --  *      *       23.248.139.66        0.0.0.0/0            reject-with icmp-port-unreachable
    63508 5878K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    

    pfSense firewall:

    [screenshots of the pfSense firewall rules; images not included in the text]
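As an added example (not part of the post above, and not an answer from the forum), here is a small Python linter for the route/iroute pairing that a site-to-site OpenVPN setup relies on. OpenVPN needs both halves: a `route` in server.conf so the kernel hands packets for the remote subnet to the tun interface, and an `iroute` in that client's ccd file so the daemon knows which client owns the subnet; a `route` without a matching `iroute` is dropped inside OpenVPN, and an `iroute` without a `route` never receives packets. The sample input is a constructed copy of the server.conf and ccd file quoted in the post, trimmed to the routing-relevant lines, and the caller's `server_lans` argument is an assumption (that 192.168.2.0/24 is the Pi's own LAN, as the ping test in the post implies); the config alone cannot tell the linter which subnets are local. It also flags options a practitioner would question on a site-to-site link: `client-to-client` (inter-client traffic is switched inside OpenVPN and never traverses the iptables FORWARD chain, so the FORWARD rules above do not see it), a pushed `redirect-gateway` (the pfSense site's default route would be pulled through the Pi), and `compress` (compression over a VPN is deprecated because of VORACLE-style attacks). One thing no config linter can see: `iptables -vnL` lists only the filter table, so whether the Pi masquerades is unknown; hosts on 192.168.2.0/24 that reply to 10.0.0.0/24 need a route back via the Pi unless it NATs, which is worth checking on those hosts.

```python
"""Added example: lint an OpenVPN server.conf plus its client-config-dir
(ccd) files for the route/iroute pairing a site-to-site link depends on.
Not code from the post; sample inputs below are constructed copies of the
files quoted there, trimmed to routing lines."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample input: routing-relevant lines of the posted server.conf.
SERVER_CONF = """\
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 10.0.0.0 255.255.255.0
client-config-dir /etc/openvpn/client
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
compress lz4-v2
"""

# Constructed sample input: the posted ccd file for the pfSense client.
CCD_FILES: Dict[str, str] = {
    "vpn1": """\
push "route 192.168.2.0 255.255.255.0 10.8.0.1"
ifconfig-push 10.8.0.2 255.255.255.0
iroute 10.0.0.0 255.255.255.0
""",
}


def parse_directives(text: str) -> List[Directive]:
    """Split an OpenVPN config into (directive, args). Comments are stripped
    and the quoted argument of `push "..."` is unwrapped so a pushed
    directive appears as ("push", [inner_name, inner_args...])."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name == "push":
            inner = " ".join(args).strip('"')
            iname, *iargs = inner.split()
            out.append(("push", [iname, *iargs]))
        else:
            out.append((name, args))
    return out


def to_network(net: str, mask: str) -> ipaddress.IPv4Network:
    """OpenVPN writes subnets as NETWORK NETMASK; normalise to CIDR."""
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=True)


def lint(server_conf: str, ccd: Dict[str, str],
         server_lans: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Cross-check server `route` lines against ccd `iroute` lines.

    server_lans: subnets directly attached to the server. This is an
    assumption supplied by the caller; the config cannot reveal it."""
    local = {ipaddress.IPv4Network(n) for n in server_lans}
    server = parse_directives(server_conf)
    routes = {to_network(*a[:2]) for n, a in server if n == "route"}
    iroutes: Dict[ipaddress.IPv4Network, str] = {}
    for client, text in ccd.items():
        for n, a in parse_directives(text):
            if n == "iroute":
                iroutes[to_network(*a[:2])] = client

    findings: Dict[str, List[str]] = {
        # kernel sends packets into tun, but no client owns the subnet
        "missing_iroute": sorted(str(r) for r in routes - local - set(iroutes)),
        # a client owns the subnet, but the kernel never routes into tun
        "missing_route": sorted(str(r) for r in set(iroutes) - routes),
        # `route` for the server's own LAN collides with the connected route
        "route_on_server_lan": sorted(str(r) for r in routes & local),
        "site_to_site_caveats": [],
    }
    names = {n for n, _ in server}
    pushed = {a[0] for n, a in server if n == "push"}
    if "client-to-client" in names:
        findings["site_to_site_caveats"].append(
            "client-to-client: inter-client traffic bypasses iptables FORWARD")
    if "redirect-gateway" in pushed:
        findings["site_to_site_caveats"].append(
            "redirect-gateway pushed: client site's default route goes via server")
    if "compress" in names or "comp-lzo" in names:
        findings["site_to_site_caveats"].append(
            "compress: VPN compression is deprecated (VORACLE)")
    return findings


if __name__ == "__main__":
    for key, value in lint(SERVER_CONF, CCD_FILES,
                           server_lans=("192.168.2.0/24",)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the posted files; the same `lint()` call with a ccd file that lacks the `iroute` line reports `10.0.0.0/24` under `missing_iroute`, which is the asymmetric symptom (server side reachable, client-side subnet not) that a forgotten iroute produces.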