Validation behind VPN Server?


#1

Hi,

I have a problem getting certificate from my unraid server with LE in docker behind a pfSense router. My ISP is cgnat but able to connect to a raspberry pi 3B with PiVPN with a public ip. I tried port forwarding in my pi with this command:

sudo iptables -t nat -I PREROUTING -p tcp -i tun0 -d 10.8.0.3 --dport 180 -j DNAT --to 192.168.2.10:180
sudo iptables -I FORWARD -p tcp -i tun0 -d 192.168.2.100 --dport 180 -j ACCEPT
sudo iptables -t nat -I PREROUTING -p tcp -i tun0 -d 10.8.0.3 --dport 1443 -j DNAT --to 192.168.2.10:1443
sudo iptables -I FORWARD -p tcp -i tun0 -d 192.168.2.100 --dport 1443 -j ACCEPT

and port forward them from pfsense to the unraid server

Imgur

Imgur

Imgur

but when I try to validate my subdomains it says firewall issue. I port forwarded in the pi behind an asus router those ports and i can SSH through the domain to the pi. So I think the problem is to port forward the from pi to the unraid server?

Thanks!


#2

You need to validate that your config “works” before trying to get a cert for it.
[you probably aren’t even using the staging system]

Your configuration is incomprehensible.
The first picture shows it NATing the same IP and port to itself.
Which I take that to be intended to be port forwarding.
But the rule also is requiring the source port to also match the destination port.
That is highly unlikely to ever happen.


#3

thanks for the reply. my current setup is like this

4

I tried to forward the port from of the LE container in VP1_WAN interface and in OpenVPN interface in pfSense. I also tried add a rule to pass any but unfortunately it is not working. I put the variable in the container staging true. I am trying to figure this out for a while and i cannot find where my mistakes are.


#4

Where is the Internet?


#5

it is after the AC66U. sorry for forgetting it.


#6

Are all 4 in the same location?
You are only showing --> (what I guess is outbound) traffic…
How would the Internet reach the LE container?


#7

no, LE container and pfsense are other location and connected through VP1_WAN to the PiVPN Servver.


#8

What will you use the LE container for?
Will it be reached from the Internet?


#9

So the AC66U is not behind CGNAT?

AC66U-ingress:80 --> 192.168.2.10:80 --> 10.8.0.3:80 --> (Docker container)

Honestly this type of task doesn’t lend itself well to remote debugging and is off-topic for this forum, but perhaps you can try use packet captures on each device to see where the traffic begins to be dropped.


#10

He seems to have it more like:
AC66U-ingress:80 --> 192.168.2.10:80 --> 10.0.0.50:180 (Docker container) [through pfSense]
But the rules are nowhere near that.


#11

yes the AC66U is not behind cgnat and have a public IP

When I connect my pc through the VP1_WAN gateway it can access the internet with the ac66u public ip. it is about port forwarding I guess? I already port forwarded in the asus router the port 80 and 443 to the raspberry pi. I also tried if I can access it through ssh over the public ip and its working.


#12

SSH to which device (from Internet)?

Seems to me that you would only reach the Pi from the Internet (with your current setup)
You can go out (maybe) but not back in all the way.

Well…
You haven’t shown what the Pi is doing, so who knows exactly.


#13

but as @_az said:
This

Your current problem is a “one-of-a-kind network hack”.
You won’t find an easy “how to” for it on the Internet (I’m pretty sure).


#14

the Pi is hosting a VPN Server which I connected pfSense as a client.


#15

Yes, you already showed that.
How does the AC66U even know anything about the 10.0.0.0/24 network?


#16

none i guess since its just a tunnel between pfsense and the ip to give access to the internet through vpn in order to get a public ip


#17

Guess again - LOL

Listen I would gladly enjoy the challenge of this “project” if you would be so kind as to buy-me-a-beer we may continue via direct messaging.

Otherwise, lets us (this forum) know if you have any problem with the ACME client or issuance of an LE cert.