My problem is the following: when I connect from the internet to my LAN via OpenVPN, all that I can reach is the OpenVPN server (by its LAN IP and its IP inside the VPN). When I add backward routes on EVERY LAN client, communication is possible. But it is tedious and not very convenient to do it for every client in my LAN. Since my VPN server does not reside on the same machine as my default gateway, I have read in various instructions that I need to add the back-route in my gateway and everything should work fine. However, in my case it does not. I'd appreciate any input and advice on how I can debug the problem. Maybe I'm missing something or something is configured wrong.
My network setup:
- LAN: 10.0.0.0/24
- VPN: 10.4.0.0/24
- Gateway IP: 10.0.0.1 (Mini-PC with ipFire installed, Internet via modem and PPPoE)
- VPN server IP: 10.0.0.6 (Raspberry Pi 3 running Raspbian and OpenVPN)
- several other LAN clients in 10.0.0.0/24
- static route set in ipFire: network 10.4.0.0/24 via gateway 10.0.0.6 (without it, the gateway is not reachable via VPN)
- IP forwarding on the Raspberry Pi is enabled
OpenVPN config (irrelevant parts removed):

    dev tun
    port 1194
    proto udp
    mode server
    server 10.4.0.0 255.255.255.0
    push "route 10.0.0.0 255.255.255.0"
    client-to-client
    comp-lzo yes
Routing table on the Raspberry Pi (VPN server):

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         ipfire.home     0.0.0.0         UG    0      0        0 eth0
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
    10.4.0.0        10.4.0.2        255.255.255.0   UG    0      0        0 tun0
    10.4.0.2        *               255.255.255.255 UH    0      0        0 tun0
Since with your current configuration, the gateway itself can reach VPN clients, you know that its routing table and everything on the VPN server must be correct. It's likely that the firewall rules on the gateway aren't set up to allow forwarding of traffic from other hosts back to the VPN server.
Specifically, my hunch is that the firewall is set up so that forwarding is denied by default, and that it's specifically allowed only from LAN to WAN. If I'm right, the following rule will make it work:
Optionally, you can make that more specific by adding -i eth0 -o eth0, substituting your LAN's interface name for eth0.
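To make the reasoning in the question and the answer concrete, here is an added example (not code from either poster) that simulates the reply path from a LAN client back to a VPN client with a longest-prefix-match lookup on each hop, plus a forwarding policy on the gateway. The gateway (10.0.0.1), the OpenVPN server (10.0.0.6) and the two subnets come from the question; the LAN client 10.0.0.50, the VPN client 10.4.0.6 and the ipFire interface names green0 (LAN) and red0 (WAN) are assumptions made for this example. It shows the four situations discussed: no back-route anywhere (the reply goes out the WAN), a back-route on the gateway but a forwarding policy that only permits LAN to WAN (the reply is dropped because it would go in and out on the same LAN interface, which is the case the -i/-o pair in the answer describes), the same with that hairpin allowed (delivered), and the per-client workaround from the question.

```python
import ipaddress

# Constructed topology mirroring the question. The LAN client, VPN client and
# the green0/red0 interface names are assumptions for this example.
ADDRESSES = {"client": "10.0.0.50", "ipfire": "10.0.0.1",
             "raspi": "10.0.0.6", "vpnclient": "10.4.0.6"}
OWNERS = {ip: host for host, ip in ADDRESSES.items()}
OWNERS["10.4.0.1"] = "raspi"      # server side of the tun0 link
OWNERS["10.4.0.2"] = "vpnclient"  # tun0 peer address; traffic sent there enters the tunnel (simplified)

# Default gateway forwarding policy assumed by the answer: only LAN -> WAN is allowed.
LAN_TO_WAN_ONLY = {("green0", "red0")}
# Policy that additionally allows the LAN -> LAN hairpin needed for the VPN back-route.
WITH_HAIRPIN = LAN_TO_WAN_ONLY | {("green0", "green0")}


def build_tables(gateway_backroute, client_backroute):
    """Routing tables as (prefix, next hop or None when on-link, outgoing interface)."""
    tables = {
        "client": [("10.0.0.0/24", None, "eth0"),
                   ("0.0.0.0/0", "10.0.0.1", "eth0")],
        "ipfire": [("10.0.0.0/24", None, "green0"),
                   ("0.0.0.0/0", "pppoe-peer", "red0")],   # PPPoE uplink, outside the model
        "raspi":  [("10.0.0.0/24", None, "eth0"),           # as in the question's table
                   ("10.4.0.0/24", "10.4.0.2", "tun0"),
                   ("10.4.0.2/32", None, "tun0"),
                   ("0.0.0.0/0", "10.0.0.1", "eth0")],
        "vpnclient": [("10.4.0.0/24", None, "tun0"),
                      ("10.0.0.0/24", "10.4.0.1", "tun0")],  # from push "route 10.0.0.0 ..."
    }
    if gateway_backroute:   # the static route the question set in ipFire
        tables["ipfire"].append(("10.4.0.0/24", "10.0.0.6", "green0"))
    if client_backroute:    # the per-client workaround from the question
        tables["client"].append(("10.4.0.0/24", "10.0.0.6", "eth0"))
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def trace(tables, src_host, dst, gateway_forward=LAN_TO_WAN_ONLY, max_hops=8):
    """Follow a packet hop by hop. Returns (status, [(host, out_iface), ...])."""
    hops = []
    host, in_iface = src_host, None
    for _ in range(max_hops):
        if OWNERS.get(dst) == host:
            return "delivered", hops
        match = lookup(tables[host], dst)
        if match is None:
            return f"no route on {host}", hops
        _, next_hop, out_iface = match
        # Only the gateway filters forwarded traffic; the Pi has plain ip_forward=1.
        if host == "ipfire" and in_iface is not None \
                and (in_iface, out_iface) not in gateway_forward:
            return f"forwarding denied on {host} ({in_iface}->{out_iface})", hops
        hops.append((host, out_iface))
        neighbor = OWNERS.get(next_hop or dst)
        if neighbor is None:
            return f"left the known network via {host}/{out_iface}", hops
        # The ingress interface on the neighbor is the one it would use to reach us.
        back = lookup(tables[neighbor], ADDRESSES[host])
        host, in_iface = neighbor, (back[2] if back else None)
    return "hop limit reached", hops


if __name__ == "__main__":
    scenarios = [
        ("no back-route anywhere", build_tables(False, False), LAN_TO_WAN_ONLY),
        ("gateway back-route, LAN->WAN forwarding only", build_tables(True, False), LAN_TO_WAN_ONLY),
        ("gateway back-route, hairpin allowed", build_tables(True, False), WITH_HAIRPIN),
        ("back-route on the LAN client itself", build_tables(False, True), LAN_TO_WAN_ONLY),
    ]
    for name, tables, policy in scenarios:
        status, hops = trace(tables, "client", "10.4.0.6", policy)
        print(f"{name}: {status}; path {hops}")
    # The forward direction (VPN client -> LAN) works in every case, which is why
    # the VPN server itself is always reachable and only the replies go missing.
    print("vpnclient -> 10.0.0.50:", trace(build_tables(False, False), "vpnclient", "10.0.0.50"))
```

The simulation makes the asymmetry visible: packets from the VPN client always reach the LAN because the server is directly connected to it, but the reply from a LAN host follows its own default route to the gateway, so the gateway needs both a route back to 10.0.0.6 and a forwarding rule that allows traffic entering and leaving on the same LAN interface.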