I have an OpenVPN server, call it vpn-server, with a LAN 192.168.3.0/24 behind it. The client, vpn-client, also has a LAN behind it, 10.4.0.0/24. Machines on 192.168.3.0/24 can access 10.4.0.0/24 (with one exception). Machines on 10.4.0.0/24 can access 192.168.3.0/24. (Server and client are both Linux based.)
The one exception is that the VPN host itself cannot access 10.4.0.0/24. Someone in #openvpn on irc mentioned that when the openvpn server is connecting to the client network, it uses the VPN IP, not the local IP, and I should check out my masquerade rules for iptables. My masquerade rules, and the interface config for the related interfaces are at http://pastebin.com/Q9RDy0es .
OpenVPN configuration files, for both server and client, can be found at: http://pastebin.com/gtfm82pE .
I feel like it's a firewall issue on the host side, but I can't seem to get it worked out. Do I need new/different masquerade rules? I'm pretty sure the VPN configurations are correct.
vpn-server routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.54.1.9 * 255.255.255.255 UH 0 0 0 tun1
10.8.1.2 * 255.255.255.255 UH 0 0 0 tun0
<pubIP redacted> * 255.255.255.248 U 0 0 0 eth1
10.18.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun0
172.16.20.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
192.168.3.0 * 255.255.255.0 U 0 0 0 eth0
10.8.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun0
10.54.1.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
172.16.30.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
10.3.0.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
172.16.10.0 * 255.255.255.0 U 0 0 0 vlan4000
10.3.1.0 10.54.1.9 255.255.255.0 UG 0 0 0 tun1
10.4.0.0 10.8.1.2 255.255.0.0 UG 0 0 0 tun0
link-local * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default <pubIP redacted> 0.0.0.0 UG 0 0 0 eth1
vpn-server output of iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
FW-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.3.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain FW-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:7788
ACCEPT udp -- anywhere anywhere udp dpt:ha-cluster
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- sysmon.example.com anywhere tcp dpt:nrpe
ACCEPT tcp -- sysmon1.example.com anywhere tcp dpt:nrpe
ACCEPT udp -- sysmon1.example.com anywhere udp dpt:ntp
ACCEPT udp -- sysmon.example.com anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp multiport dports iax,sip
ACCEPT udp -- anywhere anywhere udp multiport dports iax,sip
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Remember that when your OpenVPN gateway sources the traffic, it will most likely be coming from the openvpn interface itself when it is seen by the client router and its hosts. So you will need to make sure that either you have NAT'ed that IP on the openVPN server somehow, or that the hosts/client seeing the requests have a path back to that IP (which is probably not the same network as your LAN).
If you tcpdump the openvpn interfaces on both sides and then the internal interface on the remote side, you will probably see that the issue is either firewall rules related to this different interface IP or routing related to that.
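The diagnosis and the two possible fixes from the answer above, as an added example script that is not part of the original post or the poster's pastebins. It assumes the server's LAN address is 192.168.3.1 on eth0, that the server's local end of tun0 is 10.8.1.1 (so its own packets into the tunnel are sourced from 10.8.1.x), and that 10.4.0.10 is a reachable host on the remote LAN; the tun0 and 10.8.1.0/24 values come from the routing table in the question.

```shell
#!/bin/sh
# Added example illustrating the answer; not the poster's configuration.
# Assumed values (verify with "ip addr" and "ip route"): server LAN address
# 192.168.3.1 on eth0, tunnel tun0 with the server's local end at 10.8.1.1,
# remote LAN 10.4.0.0/24 behind the OpenVPN client.
# Usage:  sh vpn-src.sh check [remote-host]   # diagnose which source is used
#         sh vpn-src.sh dryrun                # print the NAT rules
#         sh vpn-src.sh apply                 # install the server-side rule (root)
set -eu

SERVER_LAN_IP=192.168.3.1      # assumed
TUN_IF=tun0                    # from the routing table in the question
TUN_NET=10.8.1.0/24            # from the routing table in the question
REMOTE_LAN=10.4.0.0/24         # from the question

# Rule spec (chain plus match/target, without -A/-C) for the server side:
# packets the server itself generates toward the remote LAN leave tun0 with
# their source rewritten to the LAN address the remote hosts already route to.
server_snat_spec() {
    echo "POSTROUTING -o $TUN_IF -d $REMOTE_LAN -j SNAT --to-source $SERVER_LAN_IP"
}

# Alternative, applied on the client router instead: masquerade anything from
# the tunnel network as it is forwarded into 10.4.0.0/24. Use one or the other.
client_masq_spec() {
    echo "POSTROUTING -s $TUN_NET -d $REMOTE_LAN -j MASQUERADE"
}

# Append a nat-table rule only if it is not already there (-C returns 0 when
# an identical rule exists), so re-running the script never duplicates it.
add_nat_rule_once() {
    # shellcheck disable=SC2086
    if iptables -t nat -C $1 2>/dev/null; then
        echo "already present: $1"
    else
        iptables -t nat -A $1
        echo "added: $1"
    fi
}

# Show what the kernel does today. If the plain ping fails but the ping bound
# to the LAN address succeeds, the remote side simply has no route back to the
# tunnel address, which is exactly the case the answer describes.
check_source() {
    dest=${1:-10.4.0.10}       # assumed host on the remote LAN
    echo "--- route and source address the kernel picks for $dest"
    ip route get "$dest"
    echo "--- ping with the default (tunnel) source"
    ping -c 2 -W 2 "$dest" || echo "no reply via tunnel address"
    echo "--- ping with the LAN address as source"
    ping -c 2 -W 2 -I "$SERVER_LAN_IP" "$dest" || echo "no reply via LAN address"
    echo "--- watch the tunnel while you retry (Ctrl-C to stop):"
    echo "    tcpdump -ni $TUN_IF icmp and host $dest"
}

case "${1:-}" in
    check)  check_source "${2:-}" ;;
    dryrun) echo "server: iptables -t nat -A $(server_snat_spec)"
            echo "client: iptables -t nat -A $(client_masq_spec)" ;;
    apply)  add_nat_rule_once "$(server_snat_spec)" ;;
    *)      echo "usage: $0 check [host] | dryrun | apply" ;;
esac
```

Two things to keep in mind when reading the iptables listing in the question against this: plain `iptables -L` shows only the filter table and hides the in/out interface of each rule, so `iptables -nvL` and `iptables -t nat -nvL` are what actually tell you whether an existing MASQUERADE or interface-bound ACCEPT covers tun0. And the SNAT rule only helps for connections the server itself initiates; conntrack translates the replies back, but it does nothing for hosts on 10.4.0.0/24 trying to reach the server's tunnel address, which still needs a route (or the client-side masquerade) on the remote side.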