Netgate Discussion Forum
    Help: VPN site -to -site and Pfsense as a client

      emersonicus
      last edited by emersonicus

      Hi,

      I am trying to figure this out and cannot solve this problem. I set up an OpenVPN server on a Raspberry Pi and wanted to create a site-to-site connection to the Pi in order to expose the LE container so I can access my Unraid server. Unfortunately, I was able to establish both connections, but I cannot ping from the LE container (10.0.0.50) to the other network (192.168.2.0/24); from the Pi network (192.168.2.10) I can ping all devices connected to pfSense. What did I miss in my settings, or is what I plan not feasible?

      /etc/openvpn/server.conf:

      dev tun
      proto udp4
      port 1194
      ca /etc/openvpn/easy-rsa/pki/ca.crt
      cert /etc/openvpn/easy-rsa/pki/issued/server_ZQqVCj5u3D4xo8Ck.crt
      key /etc/openvpn/easy-rsa/pki/private/server_ZQqVCj5u3D4xo8Ck.key
      dh none
      topology subnet
      server 10.8.0.0 255.255.255.0
      # Set your primary domain name server address for clients
      ### Route Configurations Below
      route 192.168.2.0 255.255.255.0
      route 10.0.0.0 255.255.255.0
      client-config-dir /etc/openvpn/client
      #
      ### Push Configurations Below
      push "route 192.168.2.0 255.255.255.0"
      push "dhcp-option DNS 10.8.0.1"
      #push "dhcp-option DNS 1.1.1.1"
      #push "dhcp-option DNS 9.9.9.9"
      # Prevent DNS leaks on Windows
      push "block-outside-dns"
      # misc
      compress lz4-v2
      tun-mtu 1500
      mssfix 1460
      # Override the Client default gateway by using 0.0.0.0/1 and
      # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
      # overriding but not wiping out the original default gateway.
      push "redirect-gateway def1 bypass-dhcp"
      client-to-client
      keepalive 10 60
      remote-cert-tls client
      tls-version-min 1.2
      tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
      cipher AES-256-GCM
      auth SHA256
      user nobody
      group nogroup
      persist-key
      persist-tun
      crl-verify /etc/openvpn/crl.pem
      status /var/log/openvpn-status.log 20
      status-version 3
      syslog
      

      /etc/openvpn/client/vpn1:

      push "route 192.168.2.0 255.255.255.0 10.8.0.1"
      ifconfig-push 10.8.0.2 255.255.255.0
      iroute 10.0.0.0 255.255.255.0

      Pi Firewall:

      pi@piserver:~ $ sudo iptables -vnL
      Chain INPUT (policy ACCEPT 843 packets, 105K bytes)
       pkts bytes target     prot opt in     out     source               destination
      22419 1967K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
      15877 1470K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
      15877 1470K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
      15877 1470K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
       148K 4170K ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
      
      Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination
          0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
          0     0 ACCEPT     all  --  tun0   *       10.8.0.0/24          10.0.0.0/24
          0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
          0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
          0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
          0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0
      
      Chain OUTPUT (policy ACCEPT 795 packets, 71455 bytes)
       pkts bytes target     prot opt in     out     source               destination
       148K 4170K ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
      
      Chain f2b-sshd (4 references)
       pkts bytes target     prot opt in     out     source               destination
         21  1628 REJECT     all  --  *      *       202.162.221.158      0.0.0.0/0            reject-with icmp-port-unreachable
         22  1724 REJECT     all  --  *      *       23.248.139.66        0.0.0.0/0            reject-with icmp-port-unreachable
      63508 5878K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
          0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
          0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
          0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
      
      

      pfSense firewall:

      [screenshots of the pfSense firewall rules, not reproduced]

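The setup in the post rests on OpenVPN's server-side route/iroute pairing: a `route` directive installs a kernel route for a remote LAN into the tun device, and the `iroute` in the owning client's ccd file tells the OpenVPN process which connected client to hand that traffic to; both are needed, and a `route` for a network no client claims goes nowhere. The checker below is an added example, not code from the forum post or from OpenVPN. It parses a server.conf and its ccd files and reports the mismatches that silently break site-to-site routing: an iroute with no matching route, a route that no ccd claims (typically the server host's own LAN, which does not belong there), an iroute or ifconfig-push that collides with the tunnel pool, and a global `push "redirect-gateway"` reaching a peer that itself routes a LAN. The two config texts embedded in it are constructed samples shaped like the configs in the post, not copies of them, and the names `lint`, `parse_directives`, `to_network`, `SERVER_CONF` and `CCD_FILES` are the example's own.

```python
# Added example (not code from the post or from OpenVPN): check that an OpenVPN
# server.conf and its client-config-dir (ccd) files agree on route/iroute pairing.
import ipaddress
import shlex
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]
Net = ipaddress.IPv4Network

# Constructed sample server config, shaped like the one in the post: two 'route'
# lines (one for the server host's own LAN) and a default route pushed to all.
SERVER_CONF = """\
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 10.0.0.0 255.255.255.0
client-config-dir /etc/openvpn/client
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
"""

# Constructed sample ccd file for one site-to-site peer (a router such as pfSense).
CCD_FILES: Dict[str, str] = {
    "vpn1": """\
push "route 192.168.2.0 255.255.255.0 10.8.0.1"
ifconfig-push 10.8.0.2 255.255.255.0
iroute 10.0.0.0 255.255.255.0
""",
}


def parse_directives(text: str) -> List[Directive]:
    """Split a config into (directive, args); lines starting with # or ; are comments."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route a b" as a single argument
        out.append((parts[0], parts[1:]))
    return out


def to_network(addr: str, mask: str) -> Net:
    """Convert OpenVPN's 'address netmask' pair into an IPv4Network."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def lint(server_conf: str, ccd_files: Dict[str, str]) -> List[str]:
    """Return sorted findings; an empty list means the pairing looks consistent."""
    findings: List[str] = []
    server = parse_directives(server_conf)
    pool = None
    for d, a in server:
        if d == "server" and len(a) >= 2:
            pool = to_network(a[0], a[1])
    if pool is None:
        findings.append("server: no 'server' directive, tunnel pool unknown")

    # 'route' installs a kernel route into tun; 'iroute' names the client that owns it.
    kernel_routes = {to_network(a[0], a[1]) for d, a in server if d == "route" and len(a) >= 2}
    redirect_all = any(d == "push" and a and a[0].startswith("redirect-gateway") for d, a in server)
    claimed_by: Dict[Net, str] = {}

    for ccd_name, text in ccd_files.items():
        ccd = parse_directives(text)
        nets = [to_network(a[0], a[1]) for d, a in ccd if d == "iroute" and len(a) >= 2]
        for net in nets:
            if net in claimed_by:
                findings.append(f"{ccd_name}: iroute {net} is already claimed by {claimed_by[net]}")
            claimed_by[net] = ccd_name
            if net not in kernel_routes:
                findings.append(f"{ccd_name}: iroute {net} has no matching 'route' in server.conf, "
                                "so the kernel never hands traffic for it to the tun device")
            if pool is not None and net.overlaps(pool):
                findings.append(f"{ccd_name}: iroute {net} overlaps the tunnel pool {pool}")
        for d, a in ccd:
            if d == "ifconfig-push" and a and pool is not None and ipaddress.IPv4Address(a[0]) not in pool:
                findings.append(f"{ccd_name}: ifconfig-push {a[0]} is outside the pool {pool}")
        # A peer owning an iroute is a gateway for a LAN; replacing its default route
        # with the tunnel breaks that role unless this ccd file opts out of the push.
        removes = {a[0] for d, a in ccd if d == "push-remove" and a}
        has_reset = any(d == "push-reset" for d, _ in ccd)
        if nets and redirect_all and not has_reset and "redirect-gateway" not in removes:
            findings.append(f"{ccd_name}: global push redirect-gateway reaches a site-to-site peer; "
                            "add 'push-remove redirect-gateway' to this ccd file")

    for net in kernel_routes - set(claimed_by):
        findings.append(f"server: route {net} has no iroute in any ccd file; if it is the server "
                        "host's own LAN, drop it (only networks behind clients need 'route')")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CCD_FILES):
        print("-", finding)
```

Run directly, it prints the findings for the embedded sample. What a config check cannot see is the forwarding path on the server host: hosts on the server's LAN only answer a source in the remote LAN if they have a route for that network pointing at the OpenVPN host (or the host NATs the tunnel traffic), the host needs net.ipv4.ip_forward=1, and its FORWARD chain must accept tun0-to-eth0 traffic. Pings sent from the host itself never traverse FORWARD, so FORWARD counters that stay at zero during a test mean no traffic is being routed through the host at all, whatever the host's own pings show.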
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.