I made a document to help people understand everything they need to know about setting up a routed VPN where there are LANs behind OpenVPN.
http://www.secure-computing.net/wiki/in ... PN/Routing

YOU MUST COMPLETELY READ THIS TO UNDERSTAND IT.

Also, dont expect it to walk you through your exact configuration, it exists to teach you about the different options you may need, not to hold your hand.

With that said, this is the place to discuss it.

Well thanks a LOT for this clarification. Just as usual, things become more clear when repeated twice: first time in the official HOWTO and second time here.

Regards,
Kostya

Following instructions, I got the 1st part down

& I've read through this article a couple of times, and am pretty sure it's relevant -- but not directly applicable -- to my setup.

Not doing so good on the 2nd part


I've managed to completely confuse myself so far.

I have:
(1) a local LAN with one desktop & one mail-server, behind a firewall/router.
(2) a remote/hosted Server running a firewall & one web-server

My ascii-art depiction of the system is below.

I want to:
(a) Setup the Hosted Server as an OpenVPN server
(b) Ping from server <-> desktop/client over VPN
(b) access the web server @ a privateIP over an OpenVPN link from the Desktop, i.e., http://10.2.3.4
(c) 'connect/redirect' the HostedServer's port:25 over a 2nd OpenVPN link to the MailServer's port:25.
so mail sent TO 1.2.3.4:25 gets TO the MailServer on the LAN, &
mail sent FROM the MailServer on the LAN appears to originate from the HostedServer @ 1.2.3.4:25

I'm pretty certain I've badly screwed up some combination of routing and firewall rules

I'm hoping to get some guidance as to how to fix what I've done to get it all working.

Here's more info --

ASCII art:


The pre-OpenVPN routing tables are:

@ HostedServer:


@ OfficeLAN's Router/Firewall:


As a first step, I've installed OpenVPN server on the HostedServer & the Desktop.

The configs are:







with this config, I can bring up the openvpn connection, see the interfaces, and
ping from server to the desktop's VPN endpoint.

i can NOT ping from the desktop to the server's VPN endpoint, or beyond it to the webserver.

@ HostedServer


@ Desktop

Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?

I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.

Thanks in advance.

you would first get the lan routing working with the above document. then you would start using redirect gateway def1 on the clients (and enable nat on the server for the vpn/lan subnets). then when your clients route over the vpn, you would setup your lans to route using those clients for their default gateway (which is already normal since you said it would run on the routers).
The above document is only for routing to the lans, but the rest is not too hard. I have been meaning to make a little writeup on routing internet over vpn, but i havnt gotten around to it